From d4c80f160c32d32b20409a5dcfb1ce904ba52cc1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ville=20Skytt=C3=A4?=
Date: Mon, 18 Nov 2019 10:10:15 +0200
Subject: [PATCH] Add bandit, use to catch known vulnerable XML parsing (#28341)
* Add bandit to pre-commit and CI, use to catch known vulnerable XML parsing
* Use defusedxml instead of direct xml.etree to parse XML
* Move config to tests/bandit.yaml
---
 .pre-commit-config-all.yaml | 9 +++++++++
 .pre-commit-config.yaml | 9 +++++++++
 azure-pipelines-ci.yml | 4 ++++
 homeassistant/components/ssdp/__init__.py | 2 +-
 homeassistant/components/ssdp/manifest.json | 1 +
 homeassistant/package_constraints.txt | 1 +
 requirements_all.txt | 1 +
 requirements_test_all.txt | 1 +
 requirements_test_pre_commit.txt | 1 +
 tests/bandit.yaml | 11 +++++++++++
 tests/components/emulated_hue/test_upnp.py | 2 +-
 tests/components/rss_feed_template/test_init.py | 2 +-
 tox.ini | 1 +
 13 files changed, 42 insertions(+), 3 deletions(-)
 create mode 100644 tests/bandit.yaml
diff --git a/.pre-commit-config-all.yaml b/.pre-commit-config-all.yaml
index 3910835ae9d..abc1afbde78 100644
--- a/.pre-commit-config-all.yaml
+++ b/.pre-commit-config-all.yaml
@@ -26,6 +26,15 @@ repos:
 - flake8-docstrings==1.5.0
 - pydocstyle==4.0.1
 files: ^(homeassistant|script|tests)/.+\.py$
+- repo: https://github.com/PyCQA/bandit
+ rev: 1.6.2
+ hooks:
+ - id: bandit
+ args:
+ - --quiet
+ - --format=custom
+ - --configfile=tests/bandit.yaml
+ files: ^(homeassistant|script|tests)/.+\.py$
 # Using a local "system" mypy instead of the mypy hook, because its
 # results depend on what is installed. And the mypy hook runs in a
 # virtualenv of its own, meaning we'd need to install and maintain
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 3220ac84866..216bac95f29 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -22,3 +22,12 @@ repos:
 - flake8-docstrings==1.5.0
 - pydocstyle==4.0.1
 files: ^(homeassistant|script|tests)/.+\.py$
+- repo: https://github.com/PyCQA/bandit
+ rev: 1.6.2
+ hooks:
+ - id: bandit
+ args:
+ - --quiet
+ - --format=custom
+ - --configfile=tests/bandit.yaml
+ files: ^(homeassistant|script|tests)/.+\.py$
diff --git a/azure-pipelines-ci.yml b/azure-pipelines-ci.yml
index 37473b92620..ca717ca6546 100644
--- a/azure-pipelines-ci.yml
+++ b/azure-pipelines-ci.yml
@@ -50,6 +50,10 @@ stages:
 . venv/bin/activate
 pre-commit run flake8 --all-files
 displayName: 'Run flake8'
+ - script: |
+ . venv/bin/activate
+ pre-commit run bandit --all-files
+ displayName: 'Run bandit'
 - job: 'Validate'
 pool:
 vmImage: 'ubuntu-latest'
diff --git a/homeassistant/components/ssdp/__init__.py b/homeassistant/components/ssdp/__init__.py
index c4d71e0febd..b9a9d4b46c9 100644
--- a/homeassistant/components/ssdp/__init__.py
+++ b/homeassistant/components/ssdp/__init__.py
@@ -3,9 +3,9 @@ import asyncio
 from datetime import timedelta
 import logging
 from urllib.parse import urlparse
-from xml.etree import ElementTree
 import aiohttp
+from defusedxml import ElementTree
 from netdisco import ssdp, util
 from homeassistant.helpers.event import async_track_time_interval
diff --git a/homeassistant/components/ssdp/manifest.json b/homeassistant/components/ssdp/manifest.json
index 1c3d56fe7fe..1a6bfa36233 100644
--- a/homeassistant/components/ssdp/manifest.json
+++ b/homeassistant/components/ssdp/manifest.json
@@ -3,6 +3,7 @@
 "name": "SSDP",
 "documentation": "https://www.home-assistant.io/integrations/ssdp",
 "requirements": [
+ "defusedxml==0.6.0",
 "netdisco==2.6.0"
 ],
 "dependencies": [
diff --git a/homeassistant/package_constraints.txt b/homeassistant/package_constraints.txt
index 72605a3475e..5e266f141ca 100644
--- a/homeassistant/package_constraints.txt
+++ b/homeassistant/package_constraints.txt
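Review bot: Any `except ElementTree.ParseError` guarding the parse of a fetched device description in homeassistant/components/ssdp/__init__.py will no longer catch a hostile document once the import is switched to `from defusedxml import ElementTree`, because defusedxml rejects DTDs, entity expansion and external references by raising `DefusedXmlException` subclasses, which derive from `ValueError` rather than from `ParseError` (a `SyntaxError` subclass). A single deliberately malformed SSDP response from a LAN device would then propagate out of the discovery path instead of being skipped, which is the opposite of what the hardening intends. The handler should be widened, e.g. `except (ElementTree.ParseError, ValueError):` or an explicit `except defusedxml.DefusedXmlException`, and the rejection logged at debug level so a noisy device cannot flood the log. The parse call itself lies outside this hunk, so this is inferred from the import swap alone and should be confirmed against the call site.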
@@ -9,6 +9,7 @@ bcrypt==3.1.7
 certifi>=2019.9.11
 contextvars==2.4;python_version<"3.7"
 cryptography==2.8
+defusedxml==0.6.0
 distro==1.4.0
 hass-nabucasa==0.29
 home-assistant-frontend==20191115.0
diff --git a/requirements_all.txt b/requirements_all.txt
index d80cfc27930..aea3aa8c9ab 100644
--- a/requirements_all.txt
+++ b/requirements_all.txt
@@ -402,6 +402,7 @@ datapoint==0.4.3
 # homeassistant.components.ihc
 # homeassistant.components.namecheapdns
 # homeassistant.components.ohmconnect
+# homeassistant.components.ssdp
 defusedxml==0.6.0
 # homeassistant.components.deluge
diff --git a/requirements_test_all.txt b/requirements_test_all.txt
index 3870f200c2d..e7be01c8297 100644
--- a/requirements_test_all.txt
+++ b/requirements_test_all.txt
@@ -137,6 +137,7 @@ datadog==0.15.0
 # homeassistant.components.ihc
 # homeassistant.components.namecheapdns
 # homeassistant.components.ohmconnect
+# homeassistant.components.ssdp
 defusedxml==0.6.0
 # homeassistant.components.directv
diff --git a/requirements_test_pre_commit.txt b/requirements_test_pre_commit.txt
index 29380ca7cd2..3f4d05a4908 100644
--- a/requirements_test_pre_commit.txt
+++ b/requirements_test_pre_commit.txt
@@ -1,5 +1,6 @@
 # Automatically generated from .pre-commit-config-all.yaml by gen_requirements_all.py, do not edit
+bandit==1.6.2
 black==19.10b0
 flake8-docstrings==1.5.0
 flake8==3.7.9
diff --git a/tests/bandit.yaml b/tests/bandit.yaml
new file mode 100644
index 00000000000..79812cba56f
--- /dev/null
+++ b/tests/bandit.yaml
@@ -0,0 +1,11 @@
+# https://bandit.readthedocs.io/en/latest/config.html
+
+tests:
+ - B313
+ - B314
+ - B315
+ - B316
+ - B317
+ - B318
+ - B319
+ - B320
diff --git a/tests/components/emulated_hue/test_upnp.py b/tests/components/emulated_hue/test_upnp.py
index 44f72ba017b..ead78ad56ca 100644
--- a/tests/components/emulated_hue/test_upnp.py
+++ b/tests/components/emulated_hue/test_upnp.py
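Review bot: The `tests:` key in the new tests/bandit.yaml is an allowlist, so the hook runs only the eight XML plugins B313–B320 and silently skips every other check bandit ships with; anyone reading the pre-commit and CI steps named "bandit" will assume broader coverage than they actually get. A comment after the URL line should state the scope and how to extend it, e.g. `# Only the XML-parsing checks are enabled; add further B-codes here to opt in to more of bandit's tests.` The commit message frames the change as catching known vulnerable XML parsing, so the narrow scope looks deliberate, but the file itself should say so.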
@@ -52,7 +52,7 @@ class TestEmulatedHue(unittest.TestCase):
 def test_description_xml(self):
 """Test the description."""
- import xml.etree.ElementTree as ET
+ import defusedxml.ElementTree as ET
 result = requests.get(BRIDGE_URL_BASE.format("/description.xml"), timeout=5)
diff --git a/tests/components/rss_feed_template/test_init.py b/tests/components/rss_feed_template/test_init.py
index 294d84987b2..b07cc8aa9b3 100644
--- a/tests/components/rss_feed_template/test_init.py
+++ b/tests/components/rss_feed_template/test_init.py
@@ -1,7 +1,7 @@
 """The tests for the rss_feed_api component."""
 import asyncio
-from xml.etree import ElementTree
+from defusedxml import ElementTree
 import pytest
 from homeassistant.setup import async_setup_component
diff --git a/tox.ini b/tox.ini
index dc2a9f79b90..17253e1d1e1 100644
--- a/tox.ini
+++ b/tox.ini
@@ -37,6 +37,7 @@ commands =
 python -m script.gen_requirements_all validate
 python -m script.hassfest validate
 pre-commit run flake8 {posargs: --all-files}
+ pre-commit run bandit {posargs: --all-files}
 [testenv:typing]
 deps =