Bandit security recommendations for Cylc 8 target #2998
Conversation
sync latest changes into my fork
unit tests and tweaks
remove test code block
a bandit suggestion to prevent xmlrpc attacks
# XMLRPC is particularly dangerous as it is also concerned with # communicating data over a network. Use defused.xmlrpc.monkey_patch() # function to monkey-patch xmlrpclib and mitigate remote XML attacks. # https://docs.openstack.org/developer/bandit/blacklists/blacklist_imports.html#b411-import-xmlrpclib
add import of testfixtures to travis
using nosec for test file with only static input
codacy code analysis searches for popen text. It also thinks mockopen is popen
to require a rebuild
change to python2 to prevent bandit ast errors
wrap os.system call and change permissive permissions to 755
to trigger rebuild!
no xrange in python3, space around + sign
There was a problem hiding this comment.
@MartinRyan - this looks pretty good, but can I suggest you revert all changes to lib/jinja2/ (just for this cylc-8 PR, not the 7.8.x one)? We are going to unbundle Jinja2 very soon, so these changes are pretty much pointless and will just create spurious conflicts for the removal PR.
jinja2 will be unbundled soon
|
@matthewrmshin - can you review or reassign at the UK end? |
|
Sorry @MartinRyan this is now conflicted too! At this point we owe you some help with the conflicts if they are non-trivial. @matthewrmshin - can we try to get these PRs done as soon as possible - Martin has suffered long enough! |
|
(OK. On the case. This will be my top priority of the day for Cylc.) |
|
@matthewrmshin - I've resolved the conflicts and pushed to @MartinRyan's branch. Should be good to merge if tests pass again. |
|
(and addressed your comments ... except for the "future PR" one). |
recreation of pull request for the new Cylc 8