security: fix all bandit issues

Iain Learmonth 2022-05-16 12:47:40 +01:00
parent c25367d95c
commit 014596d271
5 changed files with 31 additions and 13 deletions


@ -42,5 +42,7 @@ def _get_alarm(target: str,
def get_proxy_alarm(proxy_id: int, alarm_type: str) -> Alarm: def get_proxy_alarm(proxy_id: int, alarm_type: str) -> Alarm:
alarm = _get_alarm("proxy", alarm_type, proxy_id=proxy_id) alarm = _get_alarm("proxy", alarm_type, proxy_id=proxy_id)
assert(alarm is not None) if alarm is None:
# mypy can't tell that this will never be reached
raise RuntimeError("Creating an alarm must have failed.")
return alarm return alarm


@ -72,8 +72,10 @@ class ProxyAutomation(TerraformAutomation):
proxy.origin_id = origin.id proxy.origin_id = origin.id
proxy.provider = self.provider proxy.provider = self.provider
proxy.psg = subgroup proxy.psg = subgroup
# The random usage below is good enough for its purpose: to create a slug that
# hasn't been used before.
proxy.slug = tldextract.extract(origin.domain_name).domain[:5] + ''.join( proxy.slug = tldextract.extract(origin.domain_name).domain[:5] + ''.join(
random.choices(string.ascii_lowercase, k=12)) random.choices(string.ascii_lowercase, k=12)) # nosec
proxy.added = datetime.datetime.utcnow() proxy.added = datetime.datetime.utcnow()
proxy.updated = datetime.datetime.utcnow() proxy.updated = datetime.datetime.utcnow()
db.session.add(proxy) db.session.add(proxy)
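Review bot: The bare `# nosec` on the `random.choices(...)` line silences every bandit test for that line, not only the pseudo-random generator warning it is meant to acknowledge; scoping it as `# nosec B311` keeps later edits to the line under scan. The added comment says the slug only has to be unused, but nothing visible in the hunk checks for an existing slug, so uniqueness rests on the 12 random letters alone. If the slug is also expected to be hard to guess, the comment should say so and the letters should come from `secrets.choice` instead. The enclosing method starts and ends outside the hunk.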


@ -74,7 +74,8 @@ class ProxyCloudfrontAutomation(ProxyAutomation):
""" """
def import_state(self, state: Any) -> None: def import_state(self, state: Any) -> None:
assert(isinstance(state, dict)) if not isinstance(dict, state):
raise RuntimeError("The Terraform state object returned was not a dict.")
if "child_modules" not in state['values']['root_module']: if "child_modules" not in state['values']['root_module']:
# There are no CloudFront proxies deployed to import state for # There are no CloudFront proxies deployed to import state for
return return
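Review bot: The new guard in import_state has the `isinstance` arguments reversed: `isinstance(dict, state)` passes the state value as the class-info argument, so a valid dict raises `TypeError` instead of passing the check. The line should read `if not isinstance(state, dict):`. The assert it replaces had the arguments in the correct order, so this is a regression introduced by the rewrite. The body of import_state continues past the end of the hunk.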


@ -3,8 +3,8 @@
import datetime import datetime
import os import os
import string
import random import random
import string
import jinja2 import jinja2
import tldextract import tldextract
@ -97,8 +97,10 @@ def create_missing_proxies():
proxy = Proxy() proxy = Proxy()
proxy.origin_id = origin.id proxy.origin_id = origin.id
proxy.provider = "fastly" proxy.provider = "fastly"
# The random usage below is good enough for its purpose: to create a slug that
# hasn't been used before.
proxy.slug = tldextract.extract(origin.domain_name).domain[:5] + ''.join( proxy.slug = tldextract.extract(origin.domain_name).domain[:5] + ''.join(
random.choices(string.ascii_lowercase, k=random.randint(5, 10))) random.choices(string.ascii_lowercase, 12)) # nosec
proxy.added = datetime.datetime.utcnow() proxy.added = datetime.datetime.utcnow()
proxy.updated = datetime.datetime.utcnow() proxy.updated = datetime.datetime.utcnow()
db.session.add(proxy) db.session.add(proxy)
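Review bot: In create_missing_proxies, `random.choices(string.ascii_lowercase, 12)` passes 12 as the positional `weights` argument, because `k` is keyword-only in `random.choices`. The call will therefore raise `TypeError` rather than return 12 letters; it should be `random.choices(string.ascii_lowercase, k=12)`, matching the ProxyAutomation hunk. The bare `# nosec` on the same line would also be better scoped as `# nosec B311`. The function body starts and ends outside the hunk.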


@ -1,7 +1,7 @@
import json import json
import subprocess import subprocess # nosec
from abc import abstractmethod from abc import abstractmethod
from typing import Any, Dict, List, Optional, Tuple from typing import Any, Optional, Tuple
import jinja2 import jinja2
@ -54,7 +54,10 @@ class TerraformAutomation(BaseAutomation):
lock_timeout: int = 15) -> Tuple[int, str]: lock_timeout: int = 15) -> Tuple[int, str]:
if not parallelism: if not parallelism:
parallelism = self.parallelism parallelism = self.parallelism
tf = subprocess.run( # The following subprocess call takes external input, but is providing
# the argument list as an array such that argument injection would be
# ineffective.
tf = subprocess.run( # nosec
['terraform', ['terraform',
'apply', 'apply',
'-auto-approve', '-auto-approve',
@ -73,8 +76,11 @@ class TerraformAutomation(BaseAutomation):
def tf_init(self, *, def tf_init(self, *,
lock_timeout: int = 15) -> None: lock_timeout: int = 15) -> None:
# The init command does not support JSON output # The init command does not support JSON output.
subprocess.run( # The following subprocess call takes external input, but is providing
# the argument list as an array such that argument injection would be
# ineffective.
subprocess.run( # nosec
['terraform', ['terraform',
'init', 'init',
f'-lock-timeout={str(lock_timeout)}m', f'-lock-timeout={str(lock_timeout)}m',
@ -82,7 +88,8 @@ class TerraformAutomation(BaseAutomation):
cwd=self.working_directory()) cwd=self.working_directory())
def tf_output(self) -> Any: def tf_output(self) -> Any:
tf = subprocess.run( # The following subprocess call does not take any user input.
tf = subprocess.run( # nosec
['terraform', 'output', '-json'], ['terraform', 'output', '-json'],
cwd=self.working_directory(), cwd=self.working_directory(),
stdout=subprocess.PIPE) stdout=subprocess.PIPE)
@ -92,7 +99,10 @@ class TerraformAutomation(BaseAutomation):
refresh: bool = True, refresh: bool = True,
parallelism: Optional[int] = None, parallelism: Optional[int] = None,
lock_timeout: int = 15) -> Tuple[int, str]: lock_timeout: int = 15) -> Tuple[int, str]:
tf = subprocess.run( # The following subprocess call takes external input, but is providing
# the argument list as an array such that argument injection would be
# ineffective.
tf = subprocess.run( # nosec
['terraform', ['terraform',
'plan', 'plan',
'-json', '-json',
@ -128,7 +138,8 @@ class TerraformAutomation(BaseAutomation):
pass pass
def tf_show(self) -> Any: def tf_show(self) -> Any:
terraform = subprocess.run( # This subprocess call doesn't take any user input.
terraform = subprocess.run( # nosec
['terraform', 'show', '-json'], ['terraform', 'show', '-json'],
cwd=self.working_directory(), cwd=self.working_directory(),
stdout=subprocess.PIPE) stdout=subprocess.PIPE)
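Review bot: The bare `# nosec` markers on `import subprocess` and on each `subprocess.run(` line suppress every bandit test there, including the partial-executable-path check that applies because `'terraform'` is resolved through PATH. Scoping them, for example `# nosec B404` on the import and `# nosec B603 B607` on the calls, records exactly which findings were reviewed and accepted. The added comments also overstate what the list form gives: it prevents shell interpretation, while the claim about argument injection holds here only because the interpolated values are prefixed by a fixed option name and are annotated `int`, which is not enforced at runtime. A wording such as `# No shell is involved; interpolated values are ints behind a fixed option prefix.` would state the actual guarantee. Several of these methods continue outside the visible hunks.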