ci: add bandit for static security checks

2020-01-02 13:41:49 +01:00 · 2020-01-02 13:41:49 +01:00 · 575739d07c
parent 2d7e70eebf
commit 575739d07c
3 changed files with 23 additions and 6 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -59,6 +59,23 @@ jobs:
        run: pip install -U pip pipenv && pipenv install --dev
      - name: Lint with prospector
        run: pipenv run prospector
+  bandit:
+    runs-on: [ubuntu-latest]
+    steps:
+      - uses: actions/checkout@v1
+      - uses: actions/setup-python@v1
+        with:
+          python-version: '3.7'
+      - uses: actions/cache@v1
+        with:
+          path: ~/.local/share/virtualenvs/
+          key: ${{ runner.os }}-pipenv-${{ hashFiles('Pipfile.lock') }}
+          restore-keys: |
+            ${{ runner.os }}-pipenv-
+      - name: Install dependencies
+        run: pip install -U pip pipenv && pipenv install --dev
+      - name: Lint with bandit
+        run: pipenv run bandit -r passbook
  # Actual CI tests
  migrations:
    needs:
--- a/passbook/lib/templatetags/utils.py
+++ b/passbook/lib/templatetags/utils.py
@ -100,8 +100,8 @@ def gravatar(email, size=None, rating=None):
    # gravatar uses md5 for their URLs, so md5 can't be avoided
    gravatar_url = "%savatar/%s" % (
        "https://secure.gravatar.com/",
-        md5(email.encode("utf-8")).hexdigest(),
-    )  # nosec
+        md5(email.encode("utf-8")).hexdigest(),  # nosec
+    )

    parameters = [p for p in (("s", size or "158"), ("r", rating or "g"),) if p[1]]

--- a/passbook/root/monitoring.py
+++ b/passbook/root/monitoring.py
@ -13,11 +13,11 @@ class MetricsView(View):
    def get(self, request: HttpRequest) -> HttpResponse:
        """Check for HTTP-Basic auth"""
        auth_header = request.META.get("HTTP_AUTHORIZATION", "")
-        token_type, _, credentials = auth_header.partition(" ")
-        creds = f"monitor:{settings.SECRET_KEY}"
-        expected = b64encode(str.encode(creds)).decode()
+        auth_type, _, credentials = auth_header.partition(" ")
+        credentials = f"monitor:{settings.SECRET_KEY}"
+        expected = b64encode(str.encode(credentials)).decode()

-        if token_type != "Basic" or credentials != expected:
+        if auth_type != "Basic" or credentials != expected:
            raise Http404

        return ExportToDjangoView(request)