From 4830f392fa8ebc314525a40e20414d2789cfd74d Mon Sep 17 00:00:00 2001 From: Alexander Dietrich Date: Sat, 26 Feb 2022 20:11:11 +0100 Subject: [PATCH] Review Bandit findings --- Pipfile | 1 + Pipfile.lock | 89 ++++++++++++++++++++++++++++++++++++++++++- src/icepack/helper.py | 26 ++++++------- src/icepack/meta.py | 2 +- 4 files changed, 103 insertions(+), 15 deletions(-) diff --git a/Pipfile b/Pipfile index d1fd672..9dddb2b 100644 --- a/Pipfile +++ b/Pipfile @@ -8,6 +8,7 @@ click = "*" pydantic = "*" [dev-packages] +bandit = "*" build = "*" pycodestyle = "*" pytest = "*" diff --git a/Pipfile.lock b/Pipfile.lock index 69e47cb..6cca94e 100644 --- a/Pipfile.lock +++ b/Pipfile.lock @@ -1,7 +1,7 @@ { "_meta": { "hash": { - "sha256": "8eb9151f77bf382118ba260b55b8433a005a5981f1b00ae4d63ee4f5327f113b" + "sha256": "8fec9c64de5301c326dc6a86a3da2616db80641e5e6fafdd9a076a8aca1a0614" }, "pipfile-spec": 6, "requires": {}, @@ -81,6 +81,14 @@ "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'", "version": "==21.4.0" }, + "bandit": { + "hashes": [ + "sha256:6d11adea0214a43813887bfe71a377b5a9955e4c826c8ffd341b494e3ab25260", + "sha256:e20402cadfd126d85b68ed4c8862959663c8c372dbbb1fca8f8e2c9f55a067ec" + ], + "index": "pypi", + "version": "==1.7.2" + }, "bleach": { "hashes": [ "sha256:0900d8b37eba61a802ee40ac0061f8c2b5dee29c1927dd1d233e075ebf5a71da", 
@@ -209,6 +217,22 @@ "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'", "version": "==0.18.1" }, + "gitdb": { + "hashes": [ + "sha256:8033ad4e853066ba6ca92050b9df2f89301b8fc8bf7e9324d412a63f8bf1a8fd", + "sha256:bac2fd45c0a1c9cf619e63a90d62bdc63892ef92387424b855792a6cabe789aa" + ], + "markers": "python_version >= '3.6'", + "version": "==4.0.9" + }, + "gitpython": { + "hashes": [ + "sha256:1c885ce809e8ba2d88a29befeb385fcea06338d3640712b59ca623c220bb5704", + "sha256:5b68b000463593e05ff2b261acff0ff0972df8ab1b70d3cdbd41b546c8b8fc3d" + ], + "markers": "python_version >= '3.7'", + "version": "==3.1.27" + }, "idna": { "hashes": [ "sha256:84d9dd047ffa80596e0f246e2eab0b391788b0503584e8945f2368256d2735ff", @@ -256,6 +280,14 @@ "markers": "python_version >= '3.6'", "version": "==21.3" }, + "pbr": { + "hashes": [ + "sha256:27108648368782d07bbf1cb468ad2e2eeef29086affd14087a6d04b7de8af4ec", + "sha256:66bc5a34912f408bb3925bf21231cb6f59206267b7f63f3503ef865c1a292e25" + ], + "markers": "python_version >= '2.6'", + "version": "==5.8.1" + }, "pep517": { "hashes": [ "sha256:931378d93d11b298cf511dd634cf5ea4cb249a28ef84160b3247ee9afb4e8ab0", 
@@ -333,6 +365,45 @@ "index": "pypi", "version": "==1.3.1" }, + "pyyaml": { + "hashes": [ + "sha256:0283c35a6a9fbf047493e3a0ce8d79ef5030852c51e9d911a27badfde0605293", + "sha256:055d937d65826939cb044fc8c9b08889e8c743fdc6a32b33e2390f66013e449b", + "sha256:07751360502caac1c067a8132d150cf3d61339af5691fe9e87803040dbc5db57", + "sha256:0b4624f379dab24d3725ffde76559cff63d9ec94e1736b556dacdfebe5ab6d4b", + "sha256:0ce82d761c532fe4ec3f87fc45688bdd3a4c1dc5e0b4a19814b9009a29baefd4", + "sha256:1e4747bc279b4f613a09eb64bba2ba602d8a6664c6ce6396a4d0cd413a50ce07", + "sha256:213c60cd50106436cc818accf5baa1aba61c0189ff610f64f4a3e8c6726218ba", + "sha256:231710d57adfd809ef5d34183b8ed1eeae3f76459c18fb4a0b373ad56bedcdd9", + "sha256:277a0ef2981ca40581a47093e9e2d13b3f1fbbeffae064c1d21bfceba2030287", + "sha256:2cd5df3de48857ed0544b34e2d40e9fac445930039f3cfe4bcc592a1f836d513", + "sha256:40527857252b61eacd1d9af500c3337ba8deb8fc298940291486c465c8b46ec0", + "sha256:473f9edb243cb1935ab5a084eb238d842fb8f404ed2193a915d1784b5a6b5fc0", + "sha256:48c346915c114f5fdb3ead70312bd042a953a8ce5c7106d5bfb1a5254e47da92", + "sha256:50602afada6d6cbfad699b0c7bb50d5ccffa7e46a3d738092afddc1f9758427f", + "sha256:68fb519c14306fec9720a2a5b45bc9f0c8d1b9c72adf45c37baedfcd949c35a2", + "sha256:77f396e6ef4c73fdc33a9157446466f1cff553d979bd00ecb64385760c6babdc", + "sha256:819b3830a1543db06c4d4b865e70ded25be52a2e0631ccd2f6a47a2822f2fd7c", + "sha256:897b80890765f037df3403d22bab41627ca8811ae55e9a722fd0392850ec4d86", + "sha256:98c4d36e99714e55cfbaaee6dd5badbc9a1ec339ebfc3b1f52e293aee6bb71a4", + "sha256:9df7ed3b3d2e0ecfe09e14741b857df43adb5a3ddadc919a2d94fbdf78fea53c", + "sha256:9fa600030013c4de8165339db93d182b9431076eb98eb40ee068700c9c813e34", + "sha256:a80a78046a72361de73f8f395f1f1e49f956c6be882eed58505a15f3e430962b", + "sha256:b3d267842bf12586ba6c734f89d1f5b871df0273157918b0ccefa29deb05c21c", + "sha256:b5b9eccad747aabaaffbc6064800670f0c297e52c12754eb1d976c57e4f74dcb", + 
"sha256:c5687b8d43cf58545ade1fe3e055f70eac7a5a1a0bf42824308d868289a95737", + "sha256:cba8c411ef271aa037d7357a2bc8f9ee8b58b9965831d9e51baf703280dc73d3", + "sha256:d15a181d1ecd0d4270dc32edb46f7cb7733c7c508857278d3d378d14d606db2d", + "sha256:d4db7c7aef085872ef65a8fd7d6d09a14ae91f691dec3e87ee5ee0539d516f53", + "sha256:d4eccecf9adf6fbcc6861a38015c2a64f38b9d94838ac1810a9023a0609e1b78", + "sha256:d67d839ede4ed1b28a4e8909735fc992a923cdb84e618544973d7dfc71540803", + "sha256:daf496c58a8c52083df09b80c860005194014c3698698d1a57cbcfa182142a3a", + "sha256:e61ceaab6f49fb8bdfaa0f92c4b57bcfbea54c09277b1b4f7ac376bfb7a7c174", + "sha256:f84fbc98b019fef2ee9a1cb3ce93e3187a6df0b2538a651bfb890254ba9f90b5" + ], + "markers": "python_version >= '3.6'", + "version": "==6.0" + }, "readme-renderer": { "hashes": [ "sha256:a50a0f2123a4c1145ac6f420e1a348aafefcc9211c846e3d51df05fe3d865b7d", @@ -380,6 +451,22 @@ "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", "version": "==1.16.0" }, + "smmap": { + "hashes": [ + "sha256:2aba19d6a040e78d8b09de5c57e96207b09ed71d8e55ce0959eeee6c8e190d94", + "sha256:c840e62059cd3be204b0c9c9f74be2c09d5648eddd4580d9314c3ecde0b30936" + ], + "markers": "python_version >= '3.6'", + "version": "==5.0.0" + }, + "stevedore": { + "hashes": [ + "sha256:a547de73308fd7e90075bb4d301405bebf705292fa90a90fc3bcf9133f58616c", + "sha256:f40253887d8712eaa2bb0ea3830374416736dc8ec0e22f5a65092c1174c44335" + ], + "markers": "python_version >= '3.6'", + "version": "==3.5.0" + }, "tomli": { "hashes": [ "sha256:939de3e7a6161af0c887ef91b7d41a53e7c5a1ca976325f429cb46ea9bc30ecc", diff --git a/src/icepack/helper.py b/src/icepack/helper.py index 663d129..e0c73ea 100644 --- a/src/icepack/helper.py +++ b/src/icepack/helper.py @@ -2,7 +2,7 @@ import os from pathlib import Path from shutil import copyfileobj, rmtree, which -import subprocess +import subprocess # nosec import tempfile from zipfile import ZIP_STORED, is_zipfile, ZipFile, ZipInfo 
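Review bot: The bare `# nosec` added to `import subprocess` in the first helper.py hunk suppresses every Bandit test on that line, not only the one it answers (B404), so a different finding on the same line would be masked without anyone noticing; recent bandit releases (I believe including the 1.7.2 pinned in this commit's lockfile) accept a test id, `import subprocess  # nosec B404`. The same qualifier is worth adding to every other `# nosec` in this patch: `# nosec B105` on the `_SECRET_KEY_PREFIX` and `SECRET_KEY` lines, `# nosec B603` on the `subprocess.run(` lines. Because all of the subprocess calls follow one argv-list pattern, a single `skips` entry for B404/B603 in a bandit config file, with the justification written once there, would keep the source free of fourteen near-identical annotations; that is a matter of taste and the inline form also works. The import block this hunk edits starts before the hunk.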
@@ -13,7 +13,7 @@
 _BUFFER_SIZE = 64 * 1024
 _PUBLIC_KEY_PREFIX = 'age'
-_SECRET_KEY_PREFIX = 'AGE-SECRET-KEY-'
+_SECRET_KEY_PREFIX = 'AGE-SECRET-KEY-' # nosec No secret
 class Age():
@@ -24,7 +24,7 @@ def keygen():
 """Return a (secret_key, public_key) from age-keygen."""
 secret_key = None
 public_key = None
- result = subprocess.run(
+ result = subprocess.run( # nosec Trusted input
 ['age-keygen'],
 capture_output=True,
 text=True,
@@ -36,7 +36,7 @@ def keygen():
 break
 else:
 raise Exception('No secret key in age-keygen output.')
- result = subprocess.run(
+ result = subprocess.run( # nosec Trusted input
 ['age-keygen', '-y'],
 input=secret_key,
 capture_output=True,
@@ -52,7 +52,7 @@ def keygen():
 @staticmethod
 def encrypt(src_path, dst_path, secret_key):
 """Encrypt src_path to dst_path, pass secret_key to age STDIN."""
- subprocess.run(
+ subprocess.run( # nosec Trusted input
 ['age', '-e', '-i', '-', '-o', str(dst_path), str(src_path)],
 input=secret_key,
 text=True,
@@ -61,7 +61,7 @@ def encrypt(src_path, dst_path, secret_key):
 @staticmethod
 def decrypt(src_path, dst_path, secret_key):
 """Decrypt src_path to dst_path, pass secret_key to age STDIN."""
- subprocess.run(
+ subprocess.run( # nosec Trusted input
 ['age', '-d', '-i', '-', '-o', str(dst_path), str(src_path)],
 input=secret_key,
 text=True,
@@ -73,12 +73,12 @@ def encrypt_bytes(data, dst_path, recipients):
 args = ['age', '-e', '-o', str(dst_path)]
 for recipient in recipients:
 args.extend(['-r', recipient])
- subprocess.run(args, input=data, check=True)
+ subprocess.run(args, input=data, check=True) # nosec Trusted input
 @staticmethod
 def decrypt_bytes(src_path, identity):
 """Decrypt src_path via age STDOUT."""
- result = subprocess.run(
+ result = subprocess.run( # nosec Trusted input
 ['age', '-d', '-i', str(identity), str(src_path)],
 capture_output=True,
 check=True)
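Review bot: The justification `# nosec Trusted input` on the `subprocess.run(` lines in encrypt, decrypt, encrypt_bytes and decrypt_bytes is not accurate: `src_path`, `dst_path`, `recipients` and `identity` are caller-supplied, so this code does not know them to be trusted. What actually makes B603 a non-issue is that each call passes an argv list and never `shell=True`, so those values reach age as arguments rather than as shell text; the comment should state that, e.g. `subprocess.run(  # nosec B603 argv list, no shell` (the keygen calls, whose arguments are all literals, can keep the trusted-input wording). Naming the real reason tells a later reader exactly which edit would invalidate the suppression: adding `shell=True` or string-building the command. The same wording issue applies to the five ssh-keygen hunks further down in this file, where `key_path`, `data_path`, `sig_path` and `allowed_signers` are likewise caller values. Every function in these hunks is cut at one or both edges; keygen's body also continues outside its hunks.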
@@ -89,7 +89,7 @@ def version():
 """Return the age version and age-keygen presence as a tuple."""
 age_version = None
 if which('age'):
- result = subprocess.run(
+ result = subprocess.run( # nosec Trusted input
 ['age', '--version'],
 capture_output=True,
 text=True,
@@ -145,7 +145,7 @@ def keygen(key_path):
 secret_key = key_path / SECRET_KEY
 if secret_key.is_file():
 raise Exception(f'{secret_key} already exists.')
- subprocess.run(
+ subprocess.run( # nosec Trusted input
 [
 'ssh-keygen',
 '-t', 'ed25519',
@@ -162,7 +162,7 @@ def keygen(key_path):
 @staticmethod
 def sign(data_path, secret_key):
 """Sign data_path with ssh-keygen."""
- subprocess.run(
+ subprocess.run( # nosec Trusted input
 [
 'ssh-keygen',
 '-Y', 'sign',
@@ -180,7 +180,7 @@ def sign(data_path, secret_key):
 @staticmethod
 def verify(data_path, sig_path, allowed_signers):
 """Verify the signature with ssh-keygen."""
- subprocess.run(
+ subprocess.run( # nosec Trusted input
 [
 'ssh-keygen',
 '-Y', 'verify',
@@ -198,7 +198,7 @@ def version():
 """Return the SSH version and ssh-keygen presence as a tuple."""
 ssh_version = None
 if which('ssh'):
- result = subprocess.run(
+ result = subprocess.run( # nosec Trusted input
 ['ssh', '-V'],
 capture_output=True,
 text=True,
diff --git a/src/icepack/meta.py b/src/icepack/meta.py
index fdb22bd..8857140 100644
--- a/src/icepack/meta.py
+++ b/src/icepack/meta.py
@@ -1,6 +1,6 @@
 NAME = 'icepack'
 VERSION = '0.5.0'
-SECRET_KEY = 'identity'
+SECRET_KEY = 'identity' # nosec No secret
 PUBLIC_KEY = 'identity.pub'
 ALLOWED_SIGNERS = 'allowed_signers'
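Review bot: `SECRET_KEY = 'identity'  # nosec No secret` in meta.py suppresses B105 on a value that is a file name, but the comment does not say so, and the constant's name is what keeps tripping the scanner and will mislead a reader who only sees the name at a call site; the comment should say what the value is, `SECRET_KEY = 'identity'  # nosec B105 key file name, not a secret`, and the same wording fits `_SECRET_KEY_PREFIX` in helper.py, which holds a format prefix. A rename along the lines of `SECRET_KEY_FILE` would remove the false positive with no suppression at all, but it is used as `key_path / SECRET_KEY` in the ssh keygen hunk of helper.py and presumably elsewhere, so that is a separate change. The meta.py hunk covers the whole visible module; the helper.py hunks here each cut their function at one or both edges.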