security: fix all bandit issues

2022-05-16 12:47:40 +01:00 · 2022-05-16 12:47:40 +01:00 · 014596d271
commit 014596d271
parent c25367d95c
5 changed files with 31 additions and 13 deletions
--- a/app/terraform/terraform.py
+++ b/app/terraform/terraform.py
@ -1,7 +1,7 @@
 import json
-import subprocess
+import subprocess  # nosec
 from abc import abstractmethod
-from typing import Any, Dict, List, Optional, Tuple
+from typing import Any, Optional, Tuple

 import jinja2

@ -54,7 +54,10 @@ class TerraformAutomation(BaseAutomation):
                 lock_timeout: int = 15) -> Tuple[int, str]:
        if not parallelism:
            parallelism = self.parallelism
-        tf = subprocess.run(
+        # The following subprocess call takes external input, but is providing
+        # the argument list as an array such that argument injection would be
+        # ineffective.
+        tf = subprocess.run(  # nosec
            ['terraform',
             'apply',
             '-auto-approve',
@ -73,8 +76,11 @@ class TerraformAutomation(BaseAutomation):

    def tf_init(self, *,
                lock_timeout: int = 15) -> None:
-        # The init command does not support JSON output
-        subprocess.run(
+        # The init command does not support JSON output.
+        # The following subprocess call takes external input, but is providing
+        # the argument list as an array such that argument injection would be
+        # ineffective.
+        subprocess.run(  # nosec
            ['terraform',
             'init',
             f'-lock-timeout={str(lock_timeout)}m',
@ -82,7 +88,8 @@ class TerraformAutomation(BaseAutomation):
            cwd=self.working_directory())

    def tf_output(self) -> Any:
-        tf = subprocess.run(
+        # The following subprocess call does not take any user input.
+        tf = subprocess.run(  # nosec
            ['terraform', 'output', '-json'],
            cwd=self.working_directory(),
            stdout=subprocess.PIPE)
@ -92,7 +99,10 @@ class TerraformAutomation(BaseAutomation):
                refresh: bool = True,
                parallelism: Optional[int] = None,
                lock_timeout: int = 15) -> Tuple[int, str]:
-        tf = subprocess.run(
+        # The following subprocess call takes external input, but is providing
+        # the argument list as an array such that argument injection would be
+        # ineffective.
+        tf = subprocess.run(  # nosec
            ['terraform',
             'plan',
             '-json',
@ -128,7 +138,8 @@ class TerraformAutomation(BaseAutomation):
        pass

    def tf_show(self) -> Any:
-        terraform = subprocess.run(
+        # This subprocess call doesn't take any user input.
+        terraform = subprocess.run(  # nosec
            ['terraform', 'show', '-json'],
            cwd=self.working_directory(),
            stdout=subprocess.PIPE)