ci: add bandit for static security checks

Jens Langhammer 2020-01-02 13:41:49 +01:00
parent 2d7e70eebf
commit 575739d07c
3 changed files with 23 additions and 6 deletions


@ -59,6 +59,23 @@ jobs:
run: pip install -U pip pipenv && pipenv install --dev
- name: Lint with prospector
run: pipenv run prospector
bandit:
runs-on: [ubuntu-latest]
steps:
- uses: actions/checkout@v1
- uses: actions/setup-python@v1
with:
python-version: '3.7'
- uses: actions/cache@v1
with:
path: ~/.local/share/virtualenvs/
key: ${{ runner.os }}-pipenv-${{ hashFiles('Pipfile.lock') }}
restore-keys: |
${{ runner.os }}-pipenv-
- name: Install dependencies
run: pip install -U pip pipenv && pipenv install --dev
- name: Lint with bandit
run: pipenv run bandit -r passbook
# Actual CI tests
migrations:
needs:
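Review bot: The new `bandit` job references its actions by mutable major tags (`actions/checkout@v1`, `actions/setup-python@v1`, `actions/cache@v1`), so the code this security-check job runs can change without any change to this file; pinning each one as `uses: actions/checkout@<full-commit-sha>` keeps the job reproducible. The install step `pipenv install --dev` may also re-resolve dependencies when `Pipfile.lock` is out of date, and the `restore-keys` fallback can restore a virtualenv built from a different lockfile. Using `pipenv install --dev --deploy` makes the job fail instead of installing versions that are not in the committed lock. A short comment above `run: pipenv run bandit -r passbook` stating which findings are expected to fail the build would help whoever triages the first report.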


@ -100,8 +100,8 @@ def gravatar(email, size=None, rating=None):
# gravatar uses md5 for their URLs, so md5 can't be avoided
gravatar_url = "%savatar/%s" % (
"https://secure.gravatar.com/",
md5(email.encode("utf-8")).hexdigest(),
) # nosec
md5(email.encode("utf-8")).hexdigest(), # nosec
)
parameters = [p for p in (("s", size or "158"), ("r", rating or "g"),) if p[1]]
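Review bot: The bare `# nosec` on the `md5(email.encode("utf-8")).hexdigest()` line switches off every bandit check for that line, not only the weak-hash finding it is meant for. If the bandit version in use supports scoped suppressions, name the test being silenced (`# nosec <TEST_ID>`) so that a later edit to this line is still scanned for anything else. The existing comment explains why md5 cannot be avoided; it could also say that the digest is only an identifier in the Gravatar URL, which is what the visible lines suggest. The body of `gravatar` continues past the end of the hunk.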


@ -13,11 +13,11 @@ class MetricsView(View):
def get(self, request: HttpRequest) -> HttpResponse:
"""Check for HTTP-Basic auth"""
auth_header = request.META.get("HTTP_AUTHORIZATION", "")
token_type, _, credentials = auth_header.partition(" ")
creds = f"monitor:{settings.SECRET_KEY}"
expected = b64encode(str.encode(creds)).decode()
auth_type, _, credentials = auth_header.partition(" ")
credentials = f"monitor:{settings.SECRET_KEY}"
expected = b64encode(str.encode(credentials)).decode()
if token_type != "Basic" or credentials != expected:
if auth_type != "Basic" or credentials != expected:
raise Http404
return ExportToDjangoView(request)
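Review bot: On the new side, `credentials = f"monitor:{settings.SECRET_KEY}"` overwrites the value just unpacked from the `Authorization` header, so `credentials != expected` compares the server's plaintext string with its own base64 encoding and is always true. As rendered, every request then gets `Http404`, including one that sends the correct password, and the client-supplied value is never checked. Keep the server-side string under its own name, for example `expected = b64encode(f"monitor:{settings.SECRET_KEY}".encode()).decode()`, and leave `credentials` as the header value. Since `expected` is derived from `SECRET_KEY`, the comparison is better done with Django's `constant_time_compare(credentials, expected)` from `django.utils.crypto` than with `!=`. The `MetricsView` class begins outside the hunk.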