Run bandit (#229)

* Run bandit * added bandit requirement
maykinmedia · May 23, 2022 · 3aa9beb · 3aa9beb
1 parent 5602c75
commit 3aa9beb
Show file tree

Hide file tree

Showing 5 changed files with 46 additions and 19 deletions.
diff --git a/.github/workflows/code-quality.yml b/.github/workflows/code-quality.yml
@@ -10,7 +10,6 @@ on:
   pull_request:
   workflow_dispatch:
 
-
 jobs:
   isort:
     name: Check import sorting
@@ -28,7 +27,7 @@ jobs:
       - uses: isort/isort-action@v0.1.0
         with:
           requirementsFiles: requirements/dev.txt
-          sortPaths: "src"
+          sortPaths: 'src'
           configuration: '--check-only --diff'
 
   black:
@@ -43,7 +42,7 @@ jobs:
       - uses: actions/checkout@v2
       - uses: actions/setup-python@v2
         with:
-          python-version: '3.7'
+          python-version: '3.9'
       - name: Install dependencies
         run: |
           pip install -r requirements/dev.txt
@@ -55,11 +54,30 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - name: Checkout
-      uses: actions/checkout@v2
-    - name: Install dependencies
-      run: |
-        npm install
-    - name: Run Prettier
-      run: |
-        npm run check-linting
+      - name: Checkout
+        uses: actions/checkout@v2
+      - name: Install dependencies
+        run: |
+          npm install
+      - name: Run Prettier
+        run: |
+          npm run check-linting
+  bandit:
+    name: Python security check using Bandit
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Install libxml
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y libxml2-dev libxmlsec1-dev libxmlsec1-openssl
+      - uses: actions/checkout@v2
+      - uses: actions/setup-python@v2
+        with:
+          python-version: '3.9'
+      - name: Install dependencies
+        run: |
+          pip install -r requirements/dev.txt
+      - name: Run Bandit
+        run: |
+          bandit -r ./src/ -x tests,conf/utils.py -s B101
diff --git a/requirements/ci.txt b/requirements/ci.txt
@@ -511,7 +511,6 @@ pyopenssl==21.0.0
     #   -c requirements/base.txt
     #   -r requirements/base.txt
     #   -r requirements/test-tools.in
-    #   python3-saml
     #   zgw-consumers
 pyphen==0.12.0
     # via
@@ -551,7 +550,7 @@ python3-openid==3.2.0
     #   -c requirements/base.txt
     #   -r requirements/base.txt
     #   django-allauth
-python3_saml @ git+https://github.com/maykinmedia/python3-saml.git@f587f77b78be79d51139f29a957b406072e2b537
+python3-saml==1.14.0
     # via
     #   -c requirements/base.txt
     #   -r requirements/base.txt
@@ -585,7 +584,6 @@ requests==2.26.0
     #   django-allauth
     #   django-rosetta
     #   gemma-zds-client
-    #   python3-saml
     #   requests-mock
     #   requests-oauthlib
     #   zgw-consumers

diff --git a/requirements/dev.in b/requirements/dev.in
@@ -7,6 +7,7 @@ pip-tools
 black
 isort
 flake8
+bandit
 
 # Debug tooling
 django-debug-toolbar

diff --git a/requirements/dev.txt b/requirements/dev.txt
@@ -24,6 +24,8 @@ attrs==21.2.0
     #   jsonschema
 babel==2.9.1
     # via sphinx
+bandit==1.7.4
+    # via -r requirements/dev.in
 beautifulsoup4==4.10.0
     # via
     #   -c requirements/ci.txt
@@ -99,7 +101,6 @@ defusedxml==0.7.1
     #   django-digid-eherkenning
     #   odfpy
     #   python3-openid
-    #   python3-saml
 diff-match-patch==20200713
     # via
     #   -c requirements/ci.txt
@@ -415,6 +416,10 @@ geopy==2.2.0
     # via
     #   -c requirements/ci.txt
     #   -r requirements/ci.txt
+gitdb==4.0.9
+    # via gitpython
+gitpython==3.1.27
+    # via bandit
 glom==20.11.0
     # via
     #   -c requirements/ci.txt
@@ -527,6 +532,8 @@ packaging==21.0
     # via sphinx
 pathspec==0.9.0
     # via black
+pbr==5.9.0
+    # via stevedore
 pep517==0.11.0
     # via pip-tools
 pep8==1.7.1
@@ -590,7 +597,6 @@ pyopenssl==21.0.0
     # via
     #   -c requirements/ci.txt
     #   -r requirements/ci.txt
-    #   python3-saml
     #   zgw-consumers
 pyparsing==2.4.7
     # via packaging
@@ -634,7 +640,7 @@ python3-openid==3.2.0
     #   -c requirements/ci.txt
     #   -r requirements/ci.txt
     #   django-allauth
-python3_saml @ git+https://github.com/maykinmedia/python3-saml.git@f587f77b78be79d51139f29a957b406072e2b537
+python3-saml==1.14.0
     # via
     #   -c requirements/ci.txt
     #   -r requirements/ci.txt
@@ -648,6 +654,7 @@ pyyaml==6.0
     # via
     #   -c requirements/ci.txt
     #   -r requirements/ci.txt
+    #   bandit
     #   drf-spectacular
     #   gemma-zds-client
     #   tablib
@@ -671,7 +678,6 @@ requests==2.26.0
     #   django-allauth
     #   django-rosetta
     #   gemma-zds-client
-    #   python3-saml
     #   requests-mock
     #   requests-oauthlib
     #   sphinx
@@ -706,6 +712,8 @@ six==1.16.0
     #   python-dateutil
     #   qrcode
     #   requests-mock
+smmap==5.0.0
+    # via gitdb
 snowballstemmer==2.1.0
     # via sphinx
 soupsieve==2.3.1
@@ -737,6 +745,8 @@ sqlparse==0.4.2
     #   -r requirements/ci.txt
     #   django
     #   django-debug-toolbar
+stevedore==3.5.0
+    # via bandit
 tablib[html,ods,xls,xlsx,yaml]==3.1.0
     # via
     #   -c requirements/ci.txt

diff --git a/src/open_inwoner/ckeditor5/views.py b/src/open_inwoner/ckeditor5/views.py
@@ -23,7 +23,7 @@ def post(self, request, **kwargs):
             defaults={"owner": request.user},
             name="ckeditor",
         )
-        sha1 = hashlib.sha1(uploaded_file.read()).hexdigest()
+        sha1 = hashlib.sha1(uploaded_file.read(), usedforsecurity=False).hexdigest()
 
         img, created = Image.objects.get_or_create(
             defaults={
-Original file line number
+Diff line change
@@ Expand Up / @@ -7,6 +7,7 @@ pip-tools @@
     black
     isort
     flake8
+    bandit
     # Debug tooling
     django-debug-toolbar
@@ Expand Down @@