

bandit security warning fixes.
nzlosh committed Feb 14, 2025
1 parent 75f14c6 commit 5ee3fe2
Showing 5 changed files with 52 additions and 12 deletions.
36 changes: 28 additions & 8 deletions contrib/packs/tests/test_action_download.py
Expand Up @@ -20,6 +20,10 @@
import shutil
import tempfile
import hashlib
import sys

# TODO: Move keywords directly to hashlib.md5 call as part of dropping py3.8.
hashlib_kwargs = {} if sys.version_info[0:2] < (3, 9) else {"usedforsecurity": False}

from st2common.util.monkey_patch import use_select_poll_workaround

Expand Down Expand Up @@ -154,7 +158,9 @@ def tearDown(self):
def test_run_pack_download(self):
action = self.get_action_instance()
result = action.run(packs=["test"], abs_repo_base=self.repo_base)
temp_dir = hashlib.md5(PACK_INDEX["test"]["repo_url"].encode()).hexdigest()
temp_dir = hashlib.md5(
PACK_INDEX["test"]["repo_url"].encode(), **hashlib_kwargs
).hexdigest()

self.assertEqual(result, {"test": "Success."})
self.clone_from.assert_called_once_with(
Expand All @@ -175,8 +181,12 @@ def test_run_pack_download_dependencies(self):
abs_repo_base=self.repo_base,
)
temp_dirs = [
hashlib.md5(PACK_INDEX["test2"]["repo_url"].encode()).hexdigest(),
hashlib.md5(PACK_INDEX["test4"]["repo_url"].encode()).hexdigest(),
hashlib.md5(
PACK_INDEX["test2"]["repo_url"].encode(), **hashlib_kwargs
).hexdigest(),
hashlib.md5(
PACK_INDEX["test4"]["repo_url"].encode(), **hashlib_kwargs
).hexdigest(),
]

self.assertEqual(result, {"test2": "Success.", "test4": "Success."})
Expand Down Expand Up @@ -205,8 +215,12 @@ def test_run_pack_download_multiple_packs(self):
action = self.get_action_instance()
result = action.run(packs=["test", "test2"], abs_repo_base=self.repo_base)
temp_dirs = [
hashlib.md5(PACK_INDEX["test"]["repo_url"].encode()).hexdigest(),
hashlib.md5(PACK_INDEX["test2"]["repo_url"].encode()).hexdigest(),
hashlib.md5(
PACK_INDEX["test"]["repo_url"].encode(), **hashlib_kwargs
).hexdigest(),
hashlib.md5(
PACK_INDEX["test2"]["repo_url"].encode(), **hashlib_kwargs
).hexdigest(),
]

self.assertEqual(result, {"test": "Success.", "test2": "Success."})
Expand Down Expand Up @@ -243,7 +257,9 @@ def test_run_pack_download_no_tag(self):

def test_run_pack_lock_is_already_acquired(self):
action = self.get_action_instance()
temp_dir = hashlib.md5(PACK_INDEX["test"]["repo_url"].encode()).hexdigest()
temp_dir = hashlib.md5(
PACK_INDEX["test"]["repo_url"].encode(), **hashlib_kwargs
).hexdigest()

original_acquire = LockFile.acquire

Expand Down Expand Up @@ -274,7 +290,9 @@ def mock_acquire(self, timeout=None):
def test_run_pack_lock_is_already_acquired_force_flag(self):
# Lock is already acquired but force is true so it should be deleted and released
action = self.get_action_instance()
temp_dir = hashlib.md5(PACK_INDEX["test"]["repo_url"].encode()).hexdigest()
temp_dir = hashlib.md5(
PACK_INDEX["test"]["repo_url"].encode(), **hashlib_kwargs
).hexdigest()

original_acquire = LockFile.acquire

Expand Down Expand Up @@ -682,7 +700,9 @@ def test_run_pack_download_local_directory(self):
def test_run_pack_download_with_tag(self):
action = self.get_action_instance()
result = action.run(packs=["test"], abs_repo_base=self.repo_base)
temp_dir = hashlib.md5(PACK_INDEX["test"]["repo_url"].encode()).hexdigest()
temp_dir = hashlib.md5(
PACK_INDEX["test"]["repo_url"].encode(), **hashlib_kwargs
).hexdigest()

self.assertEqual(result, {"test": "Success."})
self.clone_from.assert_called_once_with(
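Review bot: The `hashlib_kwargs` shim and its TODO are pasted verbatim into this file and into trace.py, trigger.py, crypto.py and pack_management.py, and in each module it is an executable assignment placed between import groups, so the imports that follow it are no longer at the top of the file. One helper in a shared st2common utility module (path to be chosen) that wraps the `sys.version_info` check would keep the five copies from drifting when py3.8 support is dropped and would let each module keep a plain import block. In this test file the digests only reproduce the temp-dir naming of download_pack, so `usedforsecurity=False` is the right marking; a one-line comment next to the shim such as `# Only used to derive temp-dir names from URLs, never as a security primitive.` would make that explicit for the other copies too.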
6 changes: 5 additions & 1 deletion st2common/st2common/models/db/trace.py
Expand Up @@ -15,6 +15,10 @@

from __future__ import absolute_import
import hashlib
import sys

# TODO: Move keywords directly to hashlib.md5 call as part of dropping py3.8.
hashlib_kwargs = {} if sys.version_info[0:2] < (3, 9) else {"usedforsecurity": False}

import mongoengine as me

Expand Down Expand Up @@ -107,7 +111,7 @@ def get_uid(self):
parts = []
parts.append(self.RESOURCE_TYPE)

components_hash = hashlib.md5()
components_hash = hashlib.md5(**hashlib_kwargs)
components_hash.update(str(self.trace_tag).encode())
components_hash.update(str(self.trigger_instances).encode())
components_hash.update(str(self.rules).encode())
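Review bot: Passing `usedforsecurity=False` to the `hashlib.md5(**hashlib_kwargs)` in get_uid silences the linter but does not change the digest's collision properties, and nothing in this hunk records whether callers rely on UID uniqueness for anything beyond lookup; the same applies to the md5 of `parameters` in trigger.py's get_uid. If the UID is only a compact identifier, a comment stating that, e.g. `# MD5 shortens the UID components; the UID is not a security boundary.`, documents the assumption the new keyword asserts. If UIDs ever feed authorization or dedup decisions where a collision matters, that would need a different design rather than a linter annotation. get_uid begins before this hunk and its return is outside it.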
6 changes: 5 additions & 1 deletion st2common/st2common/models/db/trigger.py
Expand Up @@ -17,6 +17,10 @@

import json
import hashlib
import sys

# TODO: Move keywords directly to hashlib.md5 call as part of dropping py3.8.
hashlib_kwargs = {} if sys.version_info[0:2] < (3, 9) else {"usedforsecurity": False}

import mongoengine as me

Expand Down Expand Up @@ -116,7 +120,7 @@ def get_uid(self):
# compatibility reasons.
parameters = getattr(self, "parameters", {})
parameters = json.dumps(parameters, sort_keys=True)
parameters = hashlib.md5(parameters.encode()).hexdigest()
parameters = hashlib.md5(parameters.encode(), **hashlib_kwargs).hexdigest()

uid = uid + self.UID_SEPARATOR + parameters
return uid
10 changes: 9 additions & 1 deletion st2common/st2common/util/crypto.py
Expand Up @@ -39,6 +39,10 @@
import base64

from hashlib import sha1
import sys

# TODO: Move keywords directly to sha1 call as part of dropping py3.8.
hashlib_kwargs = {} if sys.version_info[0:2] < (3, 9) else {"usedforsecurity": False}

import six

Expand Down Expand Up @@ -70,7 +74,11 @@
# Keyczar related constants
KEYCZAR_HEADER_SIZE = 5
KEYCZAR_AES_BLOCK_SIZE = 16
KEYCZAR_HLEN = sha1().digest_size
# usedforsecurity: False used here because KEYCZAR is deprecated
# inherently insecure and will need to be removed from the code base when
# the cryptography implementation is revised. This is just to keep
# bandit happy.
KEYCZAR_HLEN = sha1(**hashlib_kwargs).digest_size

# Minimum key size which can be used for symmetric crypto
MINIMUM_AES_KEY_SIZE = 128
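Review bot: The new comment above `KEYCZAR_HLEN` justifies `usedforsecurity=False` by calling Keyczar insecure, but the `sha1(**hashlib_kwargs)` call there hashes no data at all; it exists only to read `digest_size`, so the annotation is harmless regardless of how Keyczar is judged, and the comment should say that instead. A tighter wording would be `# sha1() here hashes nothing; it is only used to read the digest size for the Keyczar header layout, so usedforsecurity=False is safe.` The caveat worth recording is that `hashlib_kwargs` must not be propagated to any sha1 that actually computes the Keyczar HMAC or a signature elsewhere in this module (outside the hunk), since that is a security use and should keep the default constructor.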
6 changes: 5 additions & 1 deletion st2common/st2common/util/pack_management.py
Expand Up @@ -25,6 +25,10 @@
import hashlib
import stat
import re
import sys

# TODO: Move keywords directly to hashlib.md5 call as part of dropping py3.8.
hashlib_kwargs = {} if sys.version_info[0:2] < (3, 9) else {"usedforsecurity": False}

# This test workaround needs to be used before importing git
from st2common.util.monkey_patch import use_select_poll_workaround
Expand Down Expand Up @@ -113,7 +117,7 @@ def download_pack(

result = [pack_url, None, None]

temp_dir_name = hashlib.md5(pack_url.encode()).hexdigest()
temp_dir_name = hashlib.md5(pack_url.encode(), **hashlib_kwargs).hexdigest()
lock_file = LockFile("/tmp/%s" % (temp_dir_name))
lock_file_path = lock_file.lock_file

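Review bot: `temp_dir_name` is derived from `pack_url` with MD5 and then used to build `LockFile("/tmp/%s" % (temp_dir_name))`, so the lock-file name is fully determined by the public pack URL and lives in the shared `/tmp`; that predates this commit, but marking the hash `usedforsecurity=False` is only correct if nobody reads the digest as adding unguessability to that path. A comment on the new line, e.g. `# MD5 only gives a stable, filesystem-safe name for the URL; it provides no secrecy for the /tmp lock path.`, would keep the next reader from assuming more than the hash delivers. download_pack starts before this hunk and continues after it, so how the lock path is created and permissioned is not visible here.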
