ci: add bandit for static security checks
This commit is contained in:
parent
2d7e70eebf
commit
575739d07c
17
.github/workflows/ci.yml
|
@ -59,6 +59,23 @@ jobs:
|
|||
run: pip install -U pip pipenv && pipenv install --dev
|
||||
- name: Lint with prospector
|
||||
run: pipenv run prospector
|
||||
bandit:
|
||||
runs-on: [ubuntu-latest]
|
||||
steps:
|
||||
- uses: actions/checkout@v1
|
||||
- uses: actions/setup-python@v1
|
||||
with:
|
||||
python-version: '3.7'
|
||||
- uses: actions/cache@v1
|
||||
with:
|
||||
path: ~/.local/share/virtualenvs/
|
||||
key: ${{ runner.os }}-pipenv-${{ hashFiles('Pipfile.lock') }}
|
||||
restore-keys: |
|
||||
${{ runner.os }}-pipenv-
|
||||
- name: Install dependencies
|
||||
run: pip install -U pip pipenv && pipenv install --dev
|
||||
- name: Lint with bandit
|
||||
run: pipenv run bandit -r passbook
|
||||
# Actual CI tests
|
||||
migrations:
|
||||
needs:
|
||||
|
|
|
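Review bot: The three `uses:` steps in the new `bandit` job (`actions/checkout@v1`, `actions/setup-python@v1`, `actions/cache@v1`) resolve a mutable tag, so the action code that runs against the checked-out repository can change without any change to this workflow; pinning each to a full commit SHA with the tag kept in a trailing comment (`- uses: actions/checkout@<commit-sha> # v1`) removes that variance, and the same applies to the prospector job's steps, which this hunk only shows as context. The `pipenv run bandit -r passbook` step sets no severity or confidence threshold and no exclude list, so the job fails on any finding at any level anywhere under `passbook`, including test modules if they live in that tree. That is a strict but defensible baseline; a `.bandit` config file or `-x` for test paths would make the intended scope explicit rather than implicit in the first suppression someone adds.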
@ -100,8 +100,8 @@ def gravatar(email, size=None, rating=None):
|
|||
# gravatar uses md5 for their URLs, so md5 can't be avoided
|
||||
gravatar_url = "%savatar/%s" % (
|
||||
"https://secure.gravatar.com/",
|
||||
md5(email.encode("utf-8")).hexdigest(),
|
||||
) # nosec
|
||||
md5(email.encode("utf-8")).hexdigest(), # nosec
|
||||
)
|
||||
|
||||
parameters = [p for p in (("s", size or "158"), ("r", rating or "g"),) if p[1]]
|
||||
|
||||
|
|
|
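Review bot: Moving `# nosec` onto the `md5(...)` line is what makes the suppression take effect — presumably the marker on the closing paren never matched the line bandit reports for the call. A bare `# nosec` silences every check on that line, not only the weak-hash one; if the bandit version in `Pipfile.lock` supports test-id qualifiers, `# nosec B303` keeps the suppression narrow. The comment above the call already records why the finding is accepted (Gravatar's URL scheme requires MD5), which is the right way to document it; `md5(..., usedforsecurity=False)` would say the same thing in code but needs Python 3.9, and the workflow runs 3.7. The `gravatar` function starts before this hunk.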
@ -13,11 +13,11 @@ class MetricsView(View):
|
|||
def get(self, request: HttpRequest) -> HttpResponse:
|
||||
"""Check for HTTP-Basic auth"""
|
||||
auth_header = request.META.get("HTTP_AUTHORIZATION", "")
|
||||
token_type, _, credentials = auth_header.partition(" ")
|
||||
creds = f"monitor:{settings.SECRET_KEY}"
|
||||
expected = b64encode(str.encode(creds)).decode()
|
||||
auth_type, _, credentials = auth_header.partition(" ")
|
||||
credentials = f"monitor:{settings.SECRET_KEY}"
|
||||
expected = b64encode(str.encode(credentials)).decode()
|
||||
|
||||
if token_type != "Basic" or credentials != expected:
|
||||
if auth_type != "Basic" or credentials != expected:
|
||||
raise Http404
|
||||
|
||||
return ExportToDjangoView(request)
|
||||
|
|
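Review bot: On the new side, `credentials = f"monitor:{settings.SECRET_KEY}"` overwrites the `credentials` just unpacked from the Authorization header, so `credentials != expected` compares the plaintext expected string with its own base64 encoding and is true for every request — the view always raises Http404 and the caller's credentials are never examined. Keep `auth_type, _, credentials = auth_header.partition(" ")` and give the expected value its own name, e.g. `expected = b64encode(f"monitor:{settings.SECRET_KEY}".encode()).decode()`, so the comparison is again header value against expected value. Since `expected` is derived from `SECRET_KEY`, `hmac.compare_digest(credentials, expected)` is preferable to `!=` for the check, and answering 404 rather than 401 looks like a deliberate choice to not advertise the endpoint, which deserves a sentence in the docstring. `MetricsView` starts before this hunk.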