ci: add bandit for static security checks

This commit is contained in:
Jens Langhammer 2020-01-02 13:41:49 +01:00
parent 2d7e70eebf
commit 575739d07c
3 changed files with 23 additions and 6 deletions


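--- a/[WORKFLOW PATH NOT SHOWN ON PAGE]
+++ b/[WORKFLOW PATH NOT SHOWN ON PAGE]
@@ -59,6 +59,23 @@ jobs:
 run: pip install -U pip pipenv && pipenv install --dev
 - name: Lint with prospector
 run: pipenv run prospector
+bandit:
+runs-on: [ubuntu-latest]
+steps:
+- uses: actions/checkout@v1
+- uses: actions/setup-python@v1
+with:
+python-version: '3.7'
+- uses: actions/cache@v1
+with:
+path: ~/.local/share/virtualenvs/
+key: ${{ runner.os }}-pipenv-${{ hashFiles('Pipfile.lock') }}
+restore-keys: |
+${{ runner.os }}-pipenv-
+- name: Install dependencies
+run: pip install -U pip pipenv && pipenv install --dev
+- name: Lint with bandit
+run: pipenv run bandit -r passbook
 # Actual CI tests
 migrations:
 needs: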
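Review bot: The new bandit job repeats the checkout, setup-python, cache and install steps of the prospector job above it line for line (from `- uses: actions/checkout@v1` through `pipenv install --dev`), so the two will drift the first time one is touched; a single `- name: Lint with bandit` / `run: pipenv run bandit -r passbook` step appended to the existing lint job gives the same gate without the duplication. Running bandit with its defaults means any new finding, including low-severity ones, fails the job, which is presumably the intent but is worth recording in the workflow with a comment such as `# bandit fails the job on any finding; known-safe lines are marked # nosec`. None of the three changed files is the Pipfile, so bandit must already be among the dev dependencies for `pipenv run bandit` to resolve; I can't confirm that from this page.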


@ -100,8 +100,8 @@ def gravatar(email, size=None, rating=None):
# gravatar uses md5 for their URLs, so md5 can't be avoided # gravatar uses md5 for their URLs, so md5 can't be avoided
gravatar_url = "%savatar/%s" % ( gravatar_url = "%savatar/%s" % (
"https://secure.gravatar.com/", "https://secure.gravatar.com/",
md5(email.encode("utf-8")).hexdigest(), md5(email.encode("utf-8")).hexdigest(), # nosec
) # nosec )
parameters = [p for p in (("s", size or "158"), ("r", rating or "g"),) if p[1]] parameters = [p for p in (("s", size or "158"), ("r", rating or "g"),) if p[1]]
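Review bot: The bare `# nosec` moved onto the `md5(...)` line silences every bandit check on that line, not only the weak-hash one; the comment two lines earlier already explains why md5 is unavoidable, so extending it to say what is being suppressed, e.g. `# gravatar uses md5 for their URLs, so md5 can't be avoided (bandit: weak hash; not used for security)`, keeps the suppression auditable, and newer bandit releases accept a test id after `nosec` to narrow it further. Separately, Gravatar hashes the trimmed, lower-cased address, and nothing in the hunk normalizes `email` before `email.encode("utf-8")`; if the caller doesn't either, mixed-case input yields a URL that won't resolve. gravatar() starts outside the hunk, so the normalization may happen earlier in the function.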


@ -13,11 +13,11 @@ class MetricsView(View):
def get(self, request: HttpRequest) -> HttpResponse: def get(self, request: HttpRequest) -> HttpResponse:
"""Check for HTTP-Basic auth""" """Check for HTTP-Basic auth"""
auth_header = request.META.get("HTTP_AUTHORIZATION", "") auth_header = request.META.get("HTTP_AUTHORIZATION", "")
token_type, _, credentials = auth_header.partition(" ") auth_type, _, credentials = auth_header.partition(" ")
creds = f"monitor:{settings.SECRET_KEY}" credentials = f"monitor:{settings.SECRET_KEY}"
expected = b64encode(str.encode(creds)).decode() expected = b64encode(str.encode(credentials)).decode()
if token_type != "Basic" or credentials != expected: if auth_type != "Basic" or credentials != expected:
raise Http404 raise Http404
return ExportToDjangoView(request) return ExportToDjangoView(request)
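Review bot: The rename on the second changed line rebinds `credentials`, the value just split off the Authorization header, to the expected plaintext `monitor:<SECRET_KEY>`, so the comparison two lines later checks that plaintext against its own base64 encoding (which starts with `bW9u`) and can never succeed; after this commit every request to the metrics view raises Http404 and the client-supplied credentials are never examined. Keep the header value under its own name: `auth_type, _, supplied = auth_header.partition(" ")`, `expected = b64encode(str.encode(f"monitor:{settings.SECRET_KEY}")).decode()`, `if auth_type != "Basic" or not compare_digest(supplied, expected):`. Because the expected value derives from SECRET_KEY, `hmac.compare_digest` (a stdlib import at the top of the file) is preferable to `!=`, which stops at the first differing character. A test that sends a correct Basic header and expects the export response would have caught this regression; the rest of MetricsView lies outside the hunk.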