CI: Add semgrep (#143)

release-engineering · Mar 20, 2023 · 100aa00 · 100aa00
1 parent 2f4033c
commit 100aa00
Show file tree

Hide file tree

Showing 14 changed files with 114 additions and 79 deletions.
diff --git a/.github/workflows/gating.yaml b/.github/workflows/gating.yaml
@@ -68,6 +68,7 @@ jobs:
           - bandit
           - lint
           - mypy
+          - semgrep
 
     runs-on: ubuntu-latest
 

diff --git a/functional-tests/conftest.py b/functional-tests/conftest.py
@@ -40,8 +40,8 @@ def drop_and_create_database(dbname):
     engine = create_engine('postgresql+psycopg2:///template1')
     with engine.connect() as connection:
         connection.execution_options(isolation_level='AUTOCOMMIT')
-        connection.execute('DROP DATABASE IF EXISTS {}'.format(dbname))
-        connection.execute('CREATE DATABASE {}'.format(dbname))
+        connection.execute('DROP DATABASE IF EXISTS :db', db=dbname)
+        connection.execute('CREATE DATABASE :db', db=dbname)
     engine.dispose()
 
 

diff --git a/functional-tests/test_cache.py b/functional-tests/test_cache.py
@@ -2,11 +2,11 @@
 
 from dogpile.cache import make_region
 
-from greenwave.utils import sha1_mangle_key
+from greenwave.utils import mangle_key
 
 
 def test_cache():
-    cache = make_region(key_mangler=sha1_mangle_key)
+    cache = make_region(key_mangler=mangle_key)
     cache.configure(
         backend='dogpile.cache.pymemcache',
         expiration_time=5,

diff --git a/greenwave/app_factory.py b/greenwave/app_factory.py
@@ -5,7 +5,7 @@
 
 from flask import Flask
 from greenwave.api_v1 import api
-from greenwave.utils import json_error, load_config, sha1_mangle_key
+from greenwave.utils import json_error, load_config, mangle_key
 from greenwave.policies import load_policies
 from greenwave.subjects.subject_type import load_subject_types
 
@@ -53,7 +53,7 @@ def create_app(config_obj=None):
     app.add_url_rule('/healthcheck', view_func=healthcheck)
 
     # Initialize the cache.
-    app.cache = make_region(key_mangler=sha1_mangle_key)
+    app.cache = make_region(key_mangler=mangle_key)
     app.cache.configure(**app.config['CACHE'])
 
     return app

diff --git a/greenwave/policies.py b/greenwave/policies.py
@@ -5,11 +5,13 @@
 import logging
 import os
 import re
-import greenwave.resources
-import xmlrpc.client
 from typing import Optional
+
+from defusedxml.xmlrpc import xmlrpc_client
 from werkzeug.exceptions import BadRequest, NotFound
 from flask import current_app
+
+import greenwave.resources
 from greenwave.safe_yaml import (
     SafeYAMLBool,
     SafeYAMLDateTime,
@@ -598,7 +600,7 @@ def _get_sub_policies(self, policy, subject):
         except NotFound:
             error = f'Koji build not found for {subject}'
             return [], [FailedFetchRemoteRuleYaml(subject, remote_policies_urls, error)]
-        except xmlrpc.client.Fault as err:
+        except xmlrpc_client.Fault as err:
             logging.exception('Unexpected Koji XMLRPC fault with code: %s', err.faultCode)
             error = f'Koji XMLRPC fault due to: \'{err.faultString}\''
             return [], [FailedFetchRemoteRuleYaml(subject, remote_policies_urls, error)]

diff --git a/greenwave/product_versions.py b/greenwave/product_versions.py
@@ -6,8 +6,8 @@
 import logging
 import re
 import socket
-import xmlrpc.client
 
+from defusedxml.xmlrpc import xmlrpc_client
 from werkzeug.exceptions import NotFound
 
 from greenwave.resources import (
@@ -68,9 +68,9 @@ def _guess_koji_build_product_version(
             return _guess_product_version(target, koji_build=True)
 
         return None
-    except (xmlrpc.client.ProtocolError, socket.error) as err:
+    except (xmlrpc_client.ProtocolError, socket.error) as err:
         raise ConnectionError('Could not reach Koji: {}'.format(err))
-    except xmlrpc.client.Fault:
+    except xmlrpc_client.Fault:
         log.exception('Unexpected Koji XML RPC fault')
 
 

diff --git a/greenwave/resources.py b/greenwave/resources.py
@@ -15,8 +15,8 @@
 
 from dateutil import tz
 from dateutil.parser import parse
+from defusedxml.xmlrpc import xmlrpc_client
 from urllib.parse import urlparse
-import xmlrpc.client
 from flask import current_app
 from werkzeug.exceptions import BadGateway, NotFound
 
@@ -234,7 +234,7 @@ def retrieve_scm_from_koji(nvr: str):
     koji_url = current_app.config["KOJI_BASE_URL"]
     try:
         source = retrieve_koji_build_source(nvr, koji_url)
-    except (xmlrpc.client.ProtocolError, socket.error) as err:
+    except (xmlrpc_client.ProtocolError, socket.error) as err:
         raise ConnectionError("Could not reach Koji: {}".format(err))
     return retrieve_scm_from_koji_build(nvr, source, koji_url)
 

diff --git a/greenwave/tests/test_rules.py b/greenwave/tests/test_rules.py
@@ -3,6 +3,7 @@
 
 from textwrap import dedent
 
+from defusedxml.xmlrpc import xmlrpc_client
 from werkzeug.exceptions import NotFound
 
 from greenwave.app_factory import create_app
@@ -11,7 +12,6 @@
 from greenwave.resources import NoSourceException
 from greenwave.safe_yaml import SafeYAMLError
 from greenwave.subjects.factory import create_subject
-import xmlrpc.client
 
 
 def test_match_passing_test_case_rule():
@@ -87,7 +87,7 @@ def test_invalid_nvr_iden(mock_retrieve_scm_from_koji, mock_retrieve_yaml_remote
           - !RemoteRule {}
     """)
     nvr = 'nieco'
-    mock_retrieve_scm_from_koji.side_effect = xmlrpc.client.Fault(1000, nvr)
+    mock_retrieve_scm_from_koji.side_effect = xmlrpc_client.Fault(1000, nvr)
 
     app = create_app('greenwave.config.TestingConfig')
     with app.app_context():

diff --git a/greenwave/utils.py b/greenwave/utils.py
@@ -127,13 +127,13 @@ def insert_headers(response):
     return response
 
 
-def sha1_mangle_key(key):
+def mangle_key(key):
     """
     Like dogpile.cache.util.sha1_mangle_key, but works correctly on
     Python 3 with str keys (which must be encoded to bytes before passing them
     to hashlib.sha1()).
     """
-    return hashlib.sha1(key.encode('utf-8')).hexdigest()  # nosec
+    return hashlib.sha256(key.encode('utf-8')).hexdigest()
 
 
 def add_to_timestamp(timestamp, **kwargs):

diff --git a/greenwave/xmlrpc_server_proxy.py b/greenwave/xmlrpc_server_proxy.py
@@ -1,15 +1,16 @@
 # -*- coding: utf-8 -*-
 # SPDX-License-Identifier: GPL-2.0+
 """
-Provides an "xmlrpc.client.ServerProxy" object with a timeout on the socket.
+Provides an "xmlrpc_client.ServerProxy" object with a timeout on the socket.
 """
 import urllib.parse
-import xmlrpc.client
+
+from defusedxml.xmlrpc import xmlrpc_client
 
 
 def get_server_proxy(uri, timeout):
     """
-    Create an :py:class:`xmlrpc.client.ServerProxy` instance with a socket timeout.
+    Create an :py:class:`xmlrpc_client.ServerProxy` instance with a socket timeout.
 
     This is a workaround for https://bugs.python.org/issue14134.
 
@@ -18,7 +19,7 @@ def get_server_proxy(uri, timeout):
         timeout (int): The timeout to set on the transport socket.
 
     Returns:
-        xmlrpc.client.ServerProxy: An instance of :py:class:`xmlrpc.client.ServerProxy` with
+        xmlrpc_client.ServerProxy: An instance of :py:class:`xmlrpc_client.ServerProxy` with
             a socket timeout set.
     """
     parsed_uri = urllib.parse.urlparse(uri)
@@ -27,10 +28,10 @@ def get_server_proxy(uri, timeout):
     else:
         transport = Transport(timeout=timeout)
 
-    return xmlrpc.client.ServerProxy(uri, transport=transport, allow_none=True)
+    return xmlrpc_client.ServerProxy(uri, transport=transport, allow_none=True)
 
 
-class Transport(xmlrpc.client.Transport):
+class Transport(xmlrpc_client.Transport):
     def __init__(self, *args, timeout=None, **kwargs):  # pragma: no cover
         super().__init__(*args, **kwargs)
         self._timeout = timeout
@@ -41,7 +42,7 @@ def make_connection(self, host):  # pragma: no cover
         return connection
 
 
-class SafeTransport(xmlrpc.client.SafeTransport):
+class SafeTransport(xmlrpc_client.SafeTransport):
     def __init__(self, *args, timeout=None, **kwargs):  # pragma: no cover
         super().__init__(*args, **kwargs)
         self._timeout = timeout

diff --git a/openshift/greenwave-test-template.yaml b/openshift/greenwave-test-template.yaml
@@ -140,6 +140,10 @@ objects:
           resources:
             limits:
               memory: 384Mi
+          securityContext:
+            allowPrivilegeEscalation: false
+        securityContext:
+          runAsNonRoot: true
     triggers:
     - type: ConfigChange
 - apiVersion: v1
@@ -208,13 +212,17 @@ objects:
           resources:
             limits:
               memory: 384Mi
+          securityContext:
+            allowPrivilegeEscalation: false
         volumes:
         - name: policies-volume
           configMap:
             name: "greenwave-test-${TEST_ID}-policies"
         - name: config-volume
           secret:
             secretName: "greenwave-test-${TEST_ID}-config"
+        securityContext:
+          runAsNonRoot: true
     triggers:
     - type: ConfigChange
 - apiVersion: v1