Use Bandit for security checking

Signed-off-by: Aurélien Bompard <aurelien@bompard.org>

fedora_messaging/schema_utils.py

@@ -19,7 +19,7 @@
 """
 
 import collections
-from hashlib import sha256, md5
+from hashlib import sha256
 
 from six.moves.urllib import parse
 
@@ -64,9 +64,10 @@ def libravatar_url(email=None, openid=None, size=64, default="retro"):
     params = collections.OrderedDict([("s", size), ("d", default)])
     query = parse.urlencode(params)
     if email:
-        idhash = md5(email.encode("utf-8")).hexdigest()
+        value = email
     elif openid:
-        idhash = sha256(openid.encode("utf-8")).hexdigest()
+        value = openid
     else:
         raise ValueError("You must provide either the email or the openid.")
+    idhash = sha256(value.encode("utf-8")).hexdigest()
     return "https://seccdn.libravatar.org/avatar/%s?%s" % (idhash, query)

fedora_messaging/tests/unit/test_schema_utils.py

@@ -56,7 +56,7 @@ def test_openid(self):
     def test_email(self):
         expected = (
             "https://seccdn.libravatar.org/avatar/"
-            "5d9c68c6c50ed3d02a2fcf54f63993b6"
+            "ae5deb822e0d71992900471a7199d0d95b8e7c9d05c40a8245a281fd2c1d6684"
             "?s=64&d=retro"
         )
         assert schema_utils.libravatar_url(email="testuser") == expected

tox.ini

@@ -1,5 +1,5 @@
 [tox]
-envlist = lint,format,licenses,{py27,py34,py35,py36,py37}-pika{012,1}-{unittest,integration}
+envlist = lint,format,licenses,bandit,{py27,py34,py35,py36,py37}-pika{012,1}-{unittest,integration}
 
 [testenv]
 passenv = CI TRAVIS TRAVIS_*
@@ -45,6 +45,12 @@ deps =
 commands =
     liccheck -s .license_strategy.ini
 
+[testenv:bandit]
+deps = bandit
+commands =
+    bandit -r fedora_messaging/ -x fedora_messaging/tests/ -ll
+
+
 [flake8]
 show-source = True
 max-line-length = 100