
yahoo-eng-team team mailing list archive

[Bug 1460839] [NEW] bandit: blacklist_functions not a valid plugin


Public bug reported:

Keystone currently has the keystone_conservative profile in bandit.yaml
defined as follows:

    keystone_conservative:
        include:
            - blacklist_functions
            - blacklist_imports
            - request_with_no_cert_validation
            - exec_used
            - set_bad_file_permissions
            - subprocess_popen_with_shell_equals_true
            - linux_commands_wildcard_injection
            - ssl_with_bad_version

The keystone_conservative profile is the default profile run when using
bandit in the keystone project.  The problem is that blacklist_functions
is not actually a bandit plugin.  There is a plugin called
blacklist_calls, but not blacklist_functions.

To recreate:
- Edit bandit.yaml, comment out the "- '/tests/'" entry in exclude_dirs
- Run 'tox -e bandit'
- Notice you get no errors
- Edit bandit.yaml again, search/replace blacklist_functions to blacklist_calls
- Rerun 'tox -e bandit'
- Notice you get an error now:

>> Issue: Use of possibly insecure function - consider using safer ast.literal_eval.  
   Severity: Medium   Confidence: High
   Location: keystone/tests/unit/test_wsgi.py:104
103	        resp = req.get_response(app)
104	        self.assertIn('X-Foo', eval(resp.body))
105	

So basically, the blacklist_calls are never checked.

** Affects: keystone
     Importance: Low
     Assignee: Eric Brown (ericwb)
         Status: In Progress

** Changed in: keystone
     Assignee: (unassigned) => Eric Brown (ericwb)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1460839
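The following is an added example, not code from keystone or bandit, showing the two things a reviewer of this bug would want to check: that every name in a bandit profile's include list actually refers to a registered plugin (so a typo like blacklist_functions fails the run instead of silently dropping the check), and the ast.literal_eval() replacement for the eval(resp.body) call that bandit flagged once the profile was corrected. REGISTERED_PLUGINS is a constructed stand-in built from the plugin names on this page; the "bandit.plugins" entry-point group used by registered_from_entry_points() is an assumption about how bandit registers its plugins and is only needed if you want to run the check against an installed bandit.

```python
"""Added example (not keystone's or bandit's code): validate a bandit profile
against the registered plugin names, and parse a response body without eval().
"""
import ast

# Constructed stand-in for bandit's plugin registry.  Every name here appears
# in the bug report; note that 'blacklist_functions' is deliberately absent,
# because no such plugin exists.
REGISTERED_PLUGINS = frozenset({
    "blacklist_calls",
    "blacklist_imports",
    "request_with_no_cert_validation",
    "exec_used",
    "set_bad_file_permissions",
    "subprocess_popen_with_shell_equals_true",
    "linux_commands_wildcard_injection",
    "ssl_with_bad_version",
})

# The keystone_conservative profile as quoted in the bug, in the form that
# yaml.safe_load() would return for that bandit.yaml fragment.
KEYSTONE_CONSERVATIVE = {
    "include": [
        "blacklist_functions",
        "blacklist_imports",
        "request_with_no_cert_validation",
        "exec_used",
        "set_bad_file_permissions",
        "subprocess_popen_with_shell_equals_true",
        "linux_commands_wildcard_injection",
        "ssl_with_bad_version",
    ]
}


def registered_from_entry_points(group="bandit.plugins"):
    """Read the real registry from an installed bandit.

    Assumption: bandit advertises its plugins in the 'bandit.plugins'
    entry-point group.  Returns an empty set if nothing is registered.
    """
    from importlib import metadata
    eps = metadata.entry_points()
    if hasattr(eps, "select"):          # Python 3.10+
        eps = eps.select(group=group)
    else:                               # Python 3.8/3.9 return a dict
        eps = eps.get(group, [])
    return frozenset(ep.name for ep in eps)


def unknown_plugins(profile, registered=REGISTERED_PLUGINS):
    """Names in the profile's include/exclude lists that match no plugin."""
    names = list(profile.get("include", [])) + list(profile.get("exclude", []))
    return sorted(n for n in names if n not in registered)


def validate_profile(name, profile, registered=REGISTERED_PLUGINS):
    """Return one error string per unknown plugin name; empty means OK.

    A CI job should fail on a non-empty result: a misspelled plugin name does
    not make bandit error out, it just means that check is never run.
    """
    return [
        f"profile {name!r}: {n!r} is not a registered bandit plugin"
        for n in unknown_plugins(profile, registered)
    ]


def parse_body(body):
    """Replacement for eval(resp.body): accepts Python literals only.

    ast.literal_eval() never evaluates calls, attribute access or names, so a
    body such as "__import__('os').system('id')" raises ValueError instead of
    running.
    """
    if isinstance(body, bytes):
        body = body.decode("utf-8")
    return ast.literal_eval(body)


def body_is_safe_literal(body):
    """True if parse_body() accepts the body, False if it rejects it."""
    try:
        parse_body(body)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError):
        return False
    return True


if __name__ == "__main__":
    for err in validate_profile("keystone_conservative", KEYSTONE_CONSERVATIVE):
        print(err)
    print(parse_body(b"{'X-Foo': 'bar'}"))
    print(body_is_safe_literal(b"__import__('os').system('id')"))
```

Run as-is it reports the blacklist_functions entry from the profile quoted above; to check a real bandit.yaml, load it with yaml.safe_load() and pass registered_from_entry_points() as the registered set.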


