Add bandit tests

.github/workflows/main.yaml

@@ -24,6 +24,9 @@ jobs:
       - name: Check code style
         run: tox -e style
 
+      - name: Check security
+        run: tox -e bandit
+
       - name: Unit tests
         run: tox -e coverage
 

IM/ConfManager.py

@@ -1384,7 +1384,7 @@ def configure_ansible(self, ssh, tmp_dir, ansible_version=None):
                     if ssh.proxy_host.private_key:
                         priv_key_filename = "/var/tmp/%s_%s_%s.pem" % (ssh.proxy_host.username,
                                                                        ssh.username,
-                                                                       ssh.host)
+                                                                       ssh.host)  # nosec
                         # copy it to the proxy host to enable im_client to use it
                         # ssh.proxy_host.sftp_put_content(ssh.proxy_host.private_key, priv_key_filename)
                         # ssh.proxy_host.sftp_chmod(priv_key_filename, 0o600)

IM/CtxtAgentBase.py

@@ -289,7 +289,7 @@ def add_proxy_host_line(self, vm_data):
             # we must create it in the localhost to use it later with ansible
             priv_key_filename = "/var/tmp/%s_%s_%s.pem" % (proxy['user'],
                                                            vm_data['user'],
-                                                           vm_data['ip'])
+                                                           vm_data['ip'])  # nosec
             with open(priv_key_filename, 'w') as f:
                 f.write(proxy['private_key'])
             os.chmod(priv_key_filename, 0o600)
@@ -502,7 +502,7 @@ def install_ansible_roles(self, general_conf_data, playbook):
 
             if galaxy_collections:
                 now = str(int(time.time() * 100))
-                filename = "/tmp/galaxy_collections_%s.yml" % now
+                filename = "/tmp/galaxy_collections_%s.yml" % now  # nosec
                 yaml_deps = yaml.safe_dump({"collections": galaxy_collections}, default_flow_style=True)
                 self.logger.debug("Galaxy collections file: %s" % yaml_deps)
                 task = {"copy": 'dest=%s content="%s"' % (filename, yaml_deps)}
@@ -556,7 +556,7 @@ def install_ansible_roles(self, general_conf_data, playbook):
 
             if galaxy_dependencies:
                 now = str(int(time.time() * 100))
-                filename = "/tmp/galaxy_roles_%s.yml" % now
+                filename = "/tmp/galaxy_roles_%s.yml" % now  # nosec
                 yaml_deps = yaml.safe_dump(galaxy_dependencies, default_flow_style=True)
                 self.logger.debug("Galaxy depencies file: %s" % yaml_deps)
                 task = {"copy": 'dest=%s content="%s"' % (filename, yaml_deps)}
@@ -598,7 +598,7 @@ def LaunchAnsiblePlaybook(self, output, remote_dir, playbook_file, vm, threads,
                 gen_pk_file = pk_file
             else:
                 if vm['private_key'] and not vm['passwd']:
-                    gen_pk_file = "/tmp/pk_" + vm['ip'] + ".pem"
+                    gen_pk_file = "/tmp/pk_" + vm['ip'] + ".pem"  # nosec
                     pk_out = open(gen_pk_file, 'w')
                     pk_out.write(vm['private_key'])
                     pk_out.close()

IM/InfrastructureList.py

@@ -182,12 +182,13 @@ def _get_data_from_db(db_url, inf_id=None, auth=None):
                     if db.db_type == DataBase.MONGO:
                         res = db.find("inf_list", {"id": inf_id}, {data_field: True, "deleted": True})
                     else:
-                        res = db.select("select " + data_field + ",deleted from inf_list where id = %s", (inf_id,))
+                        res = db.select("select " + data_field + ",deleted from inf_list where id = %s",  # nosec
+                                        (inf_id,))
                 else:
                     if db.db_type == DataBase.MONGO:
                         res = db.find("inf_list", {"deleted": 0}, {data_field: True, "deleted": True}, [('_id', -1)])
                     else:
-                        res = db.select("select " + data_field + ",deleted from inf_list where deleted = 0"
+                        res = db.select("select " + data_field + ",deleted from inf_list where deleted = 0"  # nosec
                                         " order by rowid desc")
                 if len(res) > 0:
                     for elem in res:
@@ -296,7 +297,7 @@ def _get_inf_ids_from_db(auth=None):
                         where = "where deleted = 0 and (%s)" % like
                     else:
                         where = "where deleted = 0"
-                    res = db.select("select id from inf_list %s order by rowid desc" % where)
+                    res = db.select("select id from inf_list %s order by rowid desc" % where)  # nosec
                 for elem in res:
                     if db.db_type == DataBase.MONGO:
                         inf_list.append(elem['id'])

IM/SSH.py

@@ -77,7 +77,7 @@ def run(self):
             channel = self.client.get_transport().open_session()
             if self.ssh.tty:
                 channel.get_pty()
-            channel.exec_command(self.command + "\n")
+            channel.exec_command(self.command + "\n")  # nosec
             stdout = channel.makefile()
             stderr = channel.makefile_stderr()
             exit_status = channel.recv_exit_status()
@@ -182,13 +182,13 @@ def connect(self, time_out=None):
             return self.client, self.proxy
 
         client = paramiko.SSHClient()
-        client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
+        client.set_missing_host_key_policy(paramiko.AutoAddPolicy())  # nosec
 
         proxy = None
         proxy_channel = None
         if self.proxy_host:
             proxy = paramiko.SSHClient()
-            proxy.set_missing_host_key_policy(paramiko.AutoAddPolicy())
+            proxy.set_missing_host_key_policy(paramiko.AutoAddPolicy())  # nosec
             proxy.connect(self.proxy_host.host, self.proxy_host.port, username=self.proxy_host.username,
                           password=self.proxy_host.password, pkey=self.proxy_host.private_key_obj)
             proxy_transport = proxy.get_transport()
@@ -264,7 +264,7 @@ def execute(self, command, timeout=None):
         if self.tty:
             channel.get_pty()
 
-        channel.exec_command(command + "\n")
+        channel.exec_command(command + "\n")  # nosec
         stdout = channel.makefile()
         stderr = channel.makefile_stderr()
         exit_status = channel.recv_exit_status()

IM/Stats.py

@@ -125,7 +125,7 @@ def get_stats(init_date="1970-01-01", end_date=None, auth=None):
                     if like:
                         where += " and"
                     where += " date <= '%s'" % end_date
-                res = db.select("select data, date, id from inf_list %s order by rowid desc" % where)
+                res = db.select("select data, date, id from inf_list %s order by rowid desc" % where)  # nosec
 
             for elem in res:
                 if db.db_type == DataBase.MONGO:

IM/VirtualMachine.py

@@ -1135,7 +1135,7 @@ def get_ssh_command(self):
         reverse_opt = "-R %d:localhost:22" % (self.SSH_REVERSE_BASE_PORT + self.creation_im_id)
 
         if ssh.private_key:
-            filename = "/tmp/%s_%s.pem" % (self.inf.id, self.im_id)
+            filename = "/tmp/%s_%s.pem" % (self.inf.id, self.im_id)  # nosec
             command = 'echo "%s" > %s && chmod 400 %s ' % (ssh.private_key, filename, filename)
             command += ('&& ssh -N %s -p %s -i %s -o "UserKnownHostsFile=/dev/null"'
                         ' -o "StrictHostKeyChecking=no" %s@%s &' % (reverse_opt,

IM/config.py

@@ -58,10 +58,10 @@ class Config:
     WAIT_SSH_ACCCESS_TIMEOUT = 300
     WAIT_PUBLIC_IP_TIMEOUT = 90
     XMLRCP_PORT = 8899
-    XMLRCP_ADDRESS = "0.0.0.0"
+    XMLRCP_ADDRESS = "0.0.0.0"  # nosec
     ACTIVATE_REST = True
     REST_PORT = 8800
-    REST_ADDRESS = "0.0.0.0"
+    REST_ADDRESS = "0.0.0.0"  # nosec
     USER_DB = ""
     IM_PATH = os.path.dirname(os.path.realpath(__file__))
     LOG_FILE = '/var/log/im/inf.log'
@@ -85,7 +85,7 @@ class Config:
     VM_INFO_UPDATE_FREQUENCY = 10
     # This value must be always higher than VM_INFO_UPDATE_FREQUENCY
     VM_INFO_UPDATE_ERROR_GRACE_PERIOD = 120
-    REMOTE_CONF_DIR = "/var/tmp/.im"
+    REMOTE_CONF_DIR = "/var/tmp/.im"  # nosec
     MAX_SSH_ERRORS = 5
     PRIVATE_NET_MASKS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                          "169.254.0.0/16", "100.64.0.0/10", "192.0.0.0/24", "198.18.0.0/15"]

IM/connectors/Docker.py

@@ -182,15 +182,16 @@ def _generate_create_svc_request_data(self, image_name, outports, vm, ssh_port,
         command += " ; "
         command += "mkdir /var/run/sshd"
         command += " ; "
-        command += "sed -i '/PermitRootLogin/c\PermitRootLogin yes' /etc/ssh/sshd_config"
+        command += "sed -i '/PermitRootLogin/c\\PermitRootLogin yes' /etc/ssh/sshd_config"
         command += " ; "
         command += "rm -f /etc/ssh/ssh_host_rsa_key*"
         command += " ; "
         command += "ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ''"
         command += " ; "
         command += "echo 'root:" + self._root_password + "' | chpasswd"
         command += " ; "
-        command += "sed 's@session\s*required\s*pam_loginuid.so@session optional pam_loginuid.so@g' -i /etc/pam.d/sshd"
+        command += ("sed 's@session\\s*required\\s*pam_loginuid.so@session " +
+                    "optional pam_loginuid.so@g' -i /etc/pam.d/sshd")
         command += " ; "
         command += " /usr/sbin/sshd -D"
 
@@ -264,7 +265,8 @@ def _generate_create_cont_request_data(self, image_name, outports, vm, ssh_port)
         command += " ; "
         command += "echo 'root:" + self._root_password + "' | chpasswd"
         command += " ; "
-        command += "sed 's@session\s*required\s*pam_loginuid.so@session optional pam_loginuid.so@g' -i /etc/pam.d/sshd"
+        command += ("sed 's@session\\s*required\\s*pam_loginuid.so@session" +
+                    " optional pam_loginuid.so@g' -i /etc/pam.d/sshd")
         command += " ; "
         command += " /usr/sbin/sshd -D"
 

IM/connectors/OCCI.py

@@ -229,7 +229,7 @@ def get_net_info(occi_res):
                                 mask) for mask in Config.PRIVATE_NET_MASKS])
                     elif kv[0].strip() == "occi.networkinterface.interface":
                         net_interface = kv[1].strip('"')
-                        num_interface = re.findall('\d+', net_interface)[0]
+                        num_interface = re.findall(r'\d+', net_interface)[0]
                     elif kv[0].strip() == "self":
                         link = kv[1].strip('"')
                 if num_interface and ip_address:

IM/tosca/Tosca.py

@@ -800,7 +800,7 @@ def _gen_configure_from_interfaces(self, node, compute, interfaces):
         variables = ""
         tasks = ""
         recipe_list = []
-        remote_artifacts_path = "/tmp"
+        remote_artifacts_path = "/tmp"  # nosec
         # Take the interfaces in correct order
         for name in ['create', 'pre_configure_source', 'pre_configure_target', 'configure_rel',
                      'configure', 'post_configure_source', 'post_configure_target', 'start',

tox.ini

@@ -19,7 +19,7 @@ commands = python -m coverage run --source=. -m unittest discover -v -s test/uni
 
 [testenv:bandit]
 deps = bandit
-commands = bandit IM -r -f html -o bandit.html -s B108,B601,B608,B507,B104 -ll
+commands = bandit IM -r -ll
 
 [flake8]
 ignore = E402,E265,W605,W504,F811