jeans/core
jeans/core
1
0
Fork 0
mirror of https://github.com/home-assistant/core.git synced 2025-07-24 21:57:51 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add bandit, use to catch known vulnerable XML parsing (#28341)

Browse Source 
* Add bandit to pre-commit and CI, use to catch known vulnerable XML parsing

* Use defusedxml instead of direct xml.etree to parse XML

* Move config to tests/bandit.yaml
This commit is contained in:
Ville Skyttä 2019-11-18 10:10:15 +02:00 committed by Pascal Vizeli
parent aef808d2bf
commit d4c80f160c
13 changed files with 42 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
.pre-commit-config-all.yaml
View File

@ -26,6 +26,15 @@ repos:
- flake8-docstrings==1.5.0 - flake8-docstrings==1.5.0
- pydocstyle==4.0.1 - pydocstyle==4.0.1
files: ^(homeassistant|script|tests)/.+\.py$ files: ^(homeassistant|script|tests)/.+\.py$
- repo: https://github.com/PyCQA/bandit
rev: 1.6.2
hooks:
- id: bandit
args:
- --quiet
- --format=custom
- --configfile=tests/bandit.yaml
files: ^(homeassistant|script|tests)/.+\.py$
# Using a local "system" mypy instead of the mypy hook, because its # Using a local "system" mypy instead of the mypy hook, because its
# results depend on what is installed. And the mypy hook runs in a # results depend on what is installed. And the mypy hook runs in a
# virtualenv of its own, meaning we'd need to install and maintain # virtualenv of its own, meaning we'd need to install and maintain

9
.pre-commit-config.yaml
View File

@ -22,3 +22,12 @@ repos:
- flake8-docstrings==1.5.0 - flake8-docstrings==1.5.0
- pydocstyle==4.0.1 - pydocstyle==4.0.1
files: ^(homeassistant|script|tests)/.+\.py$ files: ^(homeassistant|script|tests)/.+\.py$
- repo: https://github.com/PyCQA/bandit
rev: 1.6.2
hooks:
- id: bandit
args:
- --quiet
- --format=custom
- --configfile=tests/bandit.yaml
files: ^(homeassistant|script|tests)/.+\.py$

4
azure-pipelines-ci.yml
View File

@ -50,6 +50,10 @@ stages:
. venv/bin/activate . venv/bin/activate
pre-commit run flake8 --all-files pre-commit run flake8 --all-files
displayName: 'Run flake8' displayName: 'Run flake8'
- script: |
. venv/bin/activate
pre-commit run bandit --all-files
displayName: 'Run bandit'
- job: 'Validate' - job: 'Validate'
pool: pool:
vmImage: 'ubuntu-latest' vmImage: 'ubuntu-latest'

2
homeassistant/components/ssdp/__init__.py
View File

@ -3,9 +3,9 @@ import asyncio
from datetime import timedelta from datetime import timedelta
import logging import logging
from urllib.parse import urlparse from urllib.parse import urlparse
from xml.etree import ElementTree
import aiohttp import aiohttp
from defusedxml import ElementTree
from netdisco import ssdp, util from netdisco import ssdp, util
from homeassistant.helpers.event import async_track_time_interval from homeassistant.helpers.event import async_track_time_interval

1
homeassistant/components/ssdp/manifest.json
View File

@ -3,6 +3,7 @@
"name": "SSDP", "name": "SSDP",
"documentation": "https://www.home-assistant.io/integrations/ssdp", "documentation": "https://www.home-assistant.io/integrations/ssdp",
"requirements": [ "requirements": [
"defusedxml==0.6.0",
"netdisco==2.6.0" "netdisco==2.6.0"
], ],
"dependencies": [ "dependencies": [

1
homeassistant/package_constraints.txt
View File

@ -9,6 +9,7 @@ bcrypt==3.1.7
certifi>=2019.9.11 certifi>=2019.9.11
contextvars==2.4;python_version<"3.7" contextvars==2.4;python_version<"3.7"
cryptography==2.8 cryptography==2.8
defusedxml==0.6.0
distro==1.4.0 distro==1.4.0
hass-nabucasa==0.29 hass-nabucasa==0.29
home-assistant-frontend==20191115.0 home-assistant-frontend==20191115.0

1
requirements_all.txt
View File

@ -402,6 +402,7 @@ datapoint==0.4.3
# homeassistant.components.ihc # homeassistant.components.ihc
# homeassistant.components.namecheapdns # homeassistant.components.namecheapdns
# homeassistant.components.ohmconnect # homeassistant.components.ohmconnect
# homeassistant.components.ssdp
defusedxml==0.6.0 defusedxml==0.6.0
# homeassistant.components.deluge # homeassistant.components.deluge

1
requirements_test_all.txt
View File

@ -137,6 +137,7 @@ datadog==0.15.0
# homeassistant.components.ihc # homeassistant.components.ihc
# homeassistant.components.namecheapdns # homeassistant.components.namecheapdns
# homeassistant.components.ohmconnect # homeassistant.components.ohmconnect
# homeassistant.components.ssdp
defusedxml==0.6.0 defusedxml==0.6.0
# homeassistant.components.directv # homeassistant.components.directv

1
requirements_test_pre_commit.txt
View File

@ -1,5 +1,6 @@
# Automatically generated from .pre-commit-config-all.yaml by gen_requirements_all.py, do not edit # Automatically generated from .pre-commit-config-all.yaml by gen_requirements_all.py, do not edit
bandit==1.6.2
black==19.10b0 black==19.10b0
flake8-docstrings==1.5.0 flake8-docstrings==1.5.0
flake8==3.7.9 flake8==3.7.9

11
tests/bandit.yaml Normal file
View File

@ -0,0 +1,11 @@
# https://bandit.readthedocs.io/en/latest/config.html
tests:
- B313
- B314
- B315
- B316
- B317
- B318
- B319
- B320

2
tests/components/emulated_hue/test_upnp.py
View File

@ -52,7 +52,7 @@ class TestEmulatedHue(unittest.TestCase):
def test_description_xml(self): def test_description_xml(self):
"""Test the description.""" """Test the description."""
import xml.etree.ElementTree as ET import defusedxml.ElementTree as ET
result = requests.get(BRIDGE_URL_BASE.format("/description.xml"), timeout=5) result = requests.get(BRIDGE_URL_BASE.format("/description.xml"), timeout=5)

2
tests/components/rss_feed_template/test_init.py
View File

@ -1,7 +1,7 @@
"""The tests for the rss_feed_api component.""" """The tests for the rss_feed_api component."""
import asyncio import asyncio
from xml.etree import ElementTree
from defusedxml import ElementTree
import pytest import pytest
from homeassistant.setup import async_setup_component from homeassistant.setup import async_setup_component

1
tox.ini
View File

@ -37,6 +37,7 @@ commands =
python -m script.gen_requirements_all validate python -m script.gen_requirements_all validate
python -m script.hassfest validate python -m script.hassfest validate
pre-commit run flake8 {posargs: --all-files} pre-commit run flake8 {posargs: --all-files}
pre-commit run bandit {posargs: --all-files}
[testenv:typing] [testenv:typing]
deps = deps =