
yahoo-eng-team team mailing list archive

[Bug 1460839] Re: bandit: blacklist_functions not a valid plugin

 

** Changed in: keystone
       Status: Fix Committed => Fix Released

** Changed in: keystone
    Milestone: None => liberty-1

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1460839

Title:
  bandit: blacklist_functions not a valid plugin

Status in OpenStack Identity (Keystone):
  Fix Released

Bug description:
  Keystone currently has the keystone_conservative profile in
  bandit.yaml defined as follows:

      keystone_conservative:
          include:
              - blacklist_functions
              - blacklist_imports
              - request_with_no_cert_validation
              - exec_used
              - set_bad_file_permissions
              - subprocess_popen_with_shell_equals_true
              - linux_commands_wildcard_injection
              - ssl_with_bad_version

  The keystone_conservative profile is the default profile run when
  using bandit in the keystone project.  The problem is that
  blacklist_functions is not actually a bandit plugin.  There is a
  plugin called blacklist_calls, but not blacklist_functions.

  To recreate:
  - Edit bandit.yaml, comment out the "- '/tests/'" entry in exclude_dirs
  - Run 'tox -e bandit'
  - Notice you get no errors
  - Edit bandit.yaml again, search/replace blacklist_functions to blacklist_calls
  - Rerun 'tox -e bandit'
  - Notice you get an error now:

  >> Issue: Use of possibly insecure function - consider using safer ast.literal_eval.  
     Severity: Medium   Confidence: High
     Location: keystone/tests/unit/test_wsgi.py:104
  103	        resp = req.get_response(app)
  104	        self.assertIn('X-Foo', eval(resp.body))
  105	

  So basically, the blacklist_calls are never checked.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1460839/+subscriptions
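The two points in the report, shown as an added example rather than code from the bug report or from the keystone tree: first, why bandit flags eval() on a response body and what ast.literal_eval does differently on the same input; second, the check the profile was missing, namely that every name under include resolves to a plugin bandit actually has. KNOWN_PLUGINS is a constructed set built only from the names the report mentions (with blacklist_calls in place of blacklist_functions); a real check should read the names from bandit's own plugin registry instead. The response bodies are constructed stand-ins for resp.body, not keystone output.

```python
import ast

# Constructed stand-in for a well-formed resp.body: a Python dict literal.
SAFE_BODY = "{'X-Foo': 'bar'}"

# Constructed stand-in for a body an attacker or a buggy upstream could return.
# eval() executes it (here harmlessly: it returns the current pid inside a list);
# ast.literal_eval refuses it because a call is not a literal.
HOSTILE_BODY = "[__import__('os').getpid()]"


def parse_with_eval(body):
    # The pattern bandit's blacklist_calls plugin reports: any Python expression
    # in `body` runs with the privileges of the test process.
    return eval(body)


def parse_safely(body):
    # ast.literal_eval accepts only literal syntax (strings, numbers, tuples,
    # lists, dicts, sets, booleans, None) and raises on anything else.
    try:
        return ast.literal_eval(body)
    except (ValueError, SyntaxError):
        return None


# Constructed from the plugin names in the bug report. In practice, take this
# set from bandit's registry rather than hard-coding it (hypothetical list).
KNOWN_PLUGINS = {
    "blacklist_calls",
    "blacklist_imports",
    "request_with_no_cert_validation",
    "exec_used",
    "set_bad_file_permissions",
    "subprocess_popen_with_shell_equals_true",
    "linux_commands_wildcard_injection",
    "ssl_with_bad_version",
}

# The profile as it appeared in keystone's bandit.yaml at the time of the report.
KEYSTONE_CONSERVATIVE = [
    "blacklist_functions",
    "blacklist_imports",
    "request_with_no_cert_validation",
    "exec_used",
    "set_bad_file_permissions",
    "subprocess_popen_with_shell_equals_true",
    "linux_commands_wildcard_injection",
    "ssl_with_bad_version",
]


def unknown_plugins(profile_includes, known=KNOWN_PLUGINS):
    # Names in a profile that match no plugin are silently ignored by bandit,
    # so the checks they were meant to enable never run. Surface them instead.
    return sorted(set(profile_includes) - set(known))


if __name__ == "__main__":
    print("literal_eval on safe body:", parse_safely(SAFE_BODY))
    print("literal_eval on hostile body:", parse_safely(HOSTILE_BODY))
    print("eval on hostile body ran code:", parse_with_eval(HOSTILE_BODY))
    print("profile entries that match no plugin:",
          unknown_plugins(KEYSTONE_CONSERVATIVE))
```

Running unknown_plugins() against the profile returns ['blacklist_functions'], which is the whole bug: the entry is a no-op, so the eval() in test_wsgi.py is never reported until the name is corrected. A check like this belongs in the tox environment that runs bandit, so a misspelled plugin fails the job rather than quietly weakening the scan.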
