From 575739d07cb0e7156b0301666f296bc968b20269 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Thu, 2 Jan 2020 13:41:49 +0100
Subject: [PATCH] ci: add bandit for static security checks

---
 .github/workflows/ci.yml           | 17 +++++++++++++++++
 passbook/lib/templatetags/utils.py |  4 ++--
 passbook/root/monitoring.py        |  8 ++++----
 3 files changed, 23 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 837b6e01a..625cf94c2 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -59,6 +59,23 @@ jobs:
         run: pip install -U pip pipenv && pipenv install --dev
       - name: Lint with prospector
         run: pipenv run prospector
+  bandit:
+    runs-on: [ubuntu-latest]
+    steps:
+      - uses: actions/checkout@v1
+      - uses: actions/setup-python@v1
+        with:
+          python-version: '3.7'
+      - uses: actions/cache@v1
+        with:
+          path: ~/.local/share/virtualenvs/
+          key: ${{ runner.os }}-pipenv-${{ hashFiles('Pipfile.lock') }}
+          restore-keys: |
+            ${{ runner.os }}-pipenv-
+      - name: Install dependencies
+        run: pip install -U pip pipenv && pipenv install --dev
+      - name: Lint with bandit
+        run: pipenv run bandit -r passbook
   # Actual CI tests
   migrations:
     needs:
diff --git a/passbook/lib/templatetags/utils.py b/passbook/lib/templatetags/utils.py
index f472f431a..43ce5dd95 100644
--- a/passbook/lib/templatetags/utils.py
+++ b/passbook/lib/templatetags/utils.py
@@ -100,8 +100,8 @@ def gravatar(email, size=None, rating=None):
     # gravatar uses md5 for their URLs, so md5 can't be avoided
     gravatar_url = "%savatar/%s" % (
         "https://secure.gravatar.com/",
-        md5(email.encode("utf-8")).hexdigest(),
-    )  # nosec
+        md5(email.encode("utf-8")).hexdigest(),  # nosec
+    )
 
     parameters = [p for p in (("s", size or "158"), ("r", rating or "g"),) if p[1]]
 
diff --git a/passbook/root/monitoring.py b/passbook/root/monitoring.py
index 33ffc0fca..ff9c65a84 100644
--- a/passbook/root/monitoring.py
+++ b/passbook/root/monitoring.py
@@ -13,11 +13,11 @@ class MetricsView(View):
     def get(self, request: HttpRequest) -> HttpResponse:
         """Check for HTTP-Basic auth"""
         auth_header = request.META.get("HTTP_AUTHORIZATION", "")
-        token_type, _, credentials = auth_header.partition(" ")
-        creds = f"monitor:{settings.SECRET_KEY}"
-        expected = b64encode(str.encode(creds)).decode()
+        auth_type, _, credentials = auth_header.partition(" ")
+        credentials = f"monitor:{settings.SECRET_KEY}"
+        expected = b64encode(str.encode(credentials)).decode()
 
-        if token_type != "Basic" or credentials != expected:
+        if auth_type != "Basic" or credentials != expected:
             raise Http404
 
         return ExportToDjangoView(request)