
Fix some bandit findings

* Fix issues in files we deliver and some helper scripts
* Suppress warnings in internal helper scripts and scripts we are about
  to drop soon(TM)

Change-Id: I5e7ad8703a3756eb1cf137f9adec287a421a9023
LarsMichelsen committed Nov 20, 2018
1 parent 213628b commit f269e109ed804fd508750f13533720615d6d1910
@@ -167,7 +167,8 @@ def file_available(working_dir):
def create_testfile(paths):
path = paths["local_put_path"]
if not os.path.isfile(path):
os.system('echo "This is a test by Check_MK" > %s' % path)
with open(path, "w") as f:
f.write("This is a test by Check_MK\n")


def put_file(paths):
@@ -33,7 +33,8 @@
import datetime
import sys
import time
from ftplib import FTP
# Bandit complains about insecure protocol (B321). THis is the only possible protocol. Allow it.
from ftplib import FTP # nosec

import MySQLdb

@@ -95,7 +96,8 @@ for domain, p in domains.iteritems():
output.append('%s 4' % domain) # Backup nicht konfiguriert
continue

ftp = FTP(
# Bandit complains about insecure protocol (B321). THis is the only possible protocol. Allow it.
ftp = FTP( # nosec
p['backup_ftp_settinghost'],
p['backup_ftp_settinglogin'],
p['backup_ftp_settingpassword'],
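Review bot: The rationale comment above the new `from ftplib import FTP # nosec` line cites B321, but bandit reports an `ftplib` import under B402 (blacklisted import); B321 is the `FTP(...)` call that the second hunk suppresses, so the two comments should name different checks, and the first also has a typo (`THis`). Because plain `FTP` sends the login and `p['backup_ftp_settingpassword']` in clear text, the comment should record why `ftplib.FTP_TLS` cannot be used instead of only asserting this is the only protocol — for example `# ftplib import flagged by bandit (B402); the backup provider offers plain FTP only, no FTP_TLS endpoint` on the import and `# plain FTP call flagged by bandit (B321); see import comment` at the call. The `for domain, p in domains.iteritems()` loop containing the call begins outside the hunk.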
@@ -1,6 +1,7 @@
#!/usr/bin/python

import os, sys
import sys
import subprocess

if sys.argv[1] == '--css':
first = "/*-"
@@ -38,7 +39,9 @@ sepmid = sep + '-' * (width - len(sep) - 1) + '+'
title = " ".join(sys.argv[1:])
first_line = first + "-" + title
print first_line + '-' * (width - len(first_line) - 1) + '.'
for line in os.popen("figlet -c -w %d '%s'" % (width - 7, title), "r"):
for line in subprocess.Popen(["figlet", "-c", "-w", "%s" % (width - 7), title],
shell=False,
stdout=subprocess.PIPE).stdout:
line = line[:-1]
print(cont + "|%-" + str(width - len(cont) - 2) + "s|") % line
print sepmid
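Review bot: The `subprocess.Popen` object created on the new `for` line is never waited on and its stdout pipe is never closed, so the `figlet` child may linger as a zombie after the loop and its exit status is lost; the `os.popen` it replaces at least reported failure through the pipe's close. Bind the process first, `proc = subprocess.Popen(["figlet", "-c", "-w", str(width - 7), title], stdout=subprocess.PIPE)`, iterate `for line in proc.stdout:`, and add `proc.wait()` after the loop; `shell=False` is already the default and `str(width - 7)` reads better than `"%s" % (width - 7)`. Passing `title` as a separate list element does remove the shell interpolation of the command-line arguments that the old string had, which is the commit's intent. The surrounding script continues outside the hunk.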
@@ -167,7 +167,7 @@ def create_pipe():

if not os.path.exists(g_pipe_path):
os.mkfifo(g_pipe_path)
os.chmod(g_pipe_path, 0666)
os.chmod(g_pipe_path, 0660)
log("Created pipe '%s' for receiving commands from nsca" % g_pipe_path)
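Review bot: The tightened mode on the new `os.chmod(g_pipe_path, 0660)` line is applied to whatever already sits at `g_pipe_path`: the `os.path.exists` guard above only skips the `mkfifo`, so a pre-existing regular file or symlink at that path is chmod'ed and then used as the command pipe without complaint. Checking the type before changing the mode, e.g. `if not stat.S_ISFIFO(os.stat(g_pipe_path).st_mode): raise RuntimeError("%s exists but is not a FIFO" % g_pipe_path)` (with `import stat` at the top of the file), makes that case fail loudly. Mode 0660 also relies on the pipe's group being a trusted one, and I cannot see from the hunk where that group is set; a comment naming the group expected to write commands here would help the next reader. `create_pipe` begins outside the hunk.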


@@ -148,7 +148,7 @@ def scan_apacheconf(apache_conffile):
apache_conffile = None
apache_confdir = None
httpd_root = ""
for line in os.popen("%s -V 2>&1" % apache_binary):
for line in os.popen("%s -V 2>&1" % apache_binary): # nosec
parts = line.split()
if parts[0] == "-D" and len(parts) > 1:
p = parts[1].split("=")
@@ -229,16 +229,15 @@ def remove_quotes(text):
except:
if opt_debug:
raise
pass

except:
if opt_debug:
raise
apache_confdir = None
nagios_htpasswd_file = None

www_groups = os.popen("id -nG " + wwwuser).read().split()
nagios_groups = os.popen("id -nG " + nagiosuser).read().split()
www_groups = os.popen("id -nG " + wwwuser).read().split() # nosec
nagios_groups = os.popen("id -nG " + nagiosuser).read().split() # nosec
common_groups = [g for g in www_groups if g in nagios_groups]
if len(common_groups) > 1:
if 'nagios' in common_groups:
@@ -447,7 +446,7 @@ def detect_omd():

# Nagios version
result['nagios_version'] = ""
for line in os.popen(result["nagios_binary"] + " --version 2>/dev/null"):
for line in os.popen(result["nagios_binary"] + " --version 2>/dev/null"): # nosec
if line.startswith("Nagios Core") or line.startswith("Icinga Core"):
result['nagios_version'] = line.split()[2]

@@ -504,7 +503,7 @@ def detect_omd():
for stats_name in ["stats", "tats"]:
try:
stats_bin = result['nagios_binary'] + stats_name
for line in os.popen(stats_bin + " 2>/dev/null"):
for line in os.popen(stats_bin + " 2>/dev/null"): # nosec
if line.startswith("Status File:"):
parts = line.split()
nagios_status_file = parts[-1]
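Review bot: The `# nosec` markers added to the `os.popen` calls in this file (the `apache_binary -V` line in the first hunk, the two `id -nG` lines in the second, and the `nagios_binary --version` and `stats_bin` lines in the last two) silence B605 while the interpolated values — `apache_binary`, `wwwuser`, `nagiosuser`, `result["nagios_binary"]` — still reach a shell unquoted; whether those values come from command-line options or only from constants in the file is not visible from the hunks. If they are user-settable, `subprocess.Popen([apache_binary, "-V"], stdout=subprocess.PIPE, stderr=subprocess.STDOUT).stdout` keeps the same line iteration without a shell, and `pipes.quote(wwwuser)` is the minimal change for the `id -nG` calls if the shell form is kept. The commit message says this script is about to be dropped; if that is the reason for suppressing rather than fixing, a one-line comment above the first suppressed call, `# nosec: shell use is known; script is scheduled for removal`, records the rationale for the next reviewer. The enclosing functions `scan_apacheconf` and `detect_omd` begin outside their hunks.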
@@ -22,7 +22,7 @@ for part in parts:
tarfile = part + ".tar.gz"
filelist = []
filelists[part] = filelist
for fn in os.popen("tar tzf %s" % tarfile, "r"):
for fn in os.popen("tar tzf %s" % tarfile, "r"): # nosec
fn = fn.strip()
if not fn.endswith("/"):
filelist.append(fn)
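Review bot: The suppressed `os.popen("tar tzf %s" % tarfile, "r")` still builds a shell command from `tarfile`, which is derived from `part`; whether `part` can contain shell metacharacters is not visible from the hunk. Two shell-free forms produce the same `filelist`: `subprocess.Popen(["tar", "tzf", tarfile], stdout=subprocess.PIPE).stdout` (the pattern this commit uses for `figlet` elsewhere), or the standard library's own `tarfile` module — note that the local variable `tarfile` shadows that module, so it would need renaming, e.g. `archive_path = part + ".tar.gz"` followed by `names = tarfile.open(archive_path, "r:gz").getnames()`. The `for part in parts` loop begins outside the hunk.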
34 werk
@@ -185,7 +185,7 @@ def change_werk_version(werk_id, new_version):


def git_add(werk):
os.system("git add %d" % werk["id"])
os.system("git add %d" % werk["id"]) # nosec


def git_commit(werk, custom_files):
@@ -204,19 +204,20 @@ def git_commit(werk, custom_files):
files_to_commit.append("%s/%s" % (git_top_level(), entry))

os.chdir(g_base_dir)
os.system(
"git commit %s -m %s" % (" ".join(files_to_commit),
quote_shell_string(title + "\n\n" + werk["description"])))
cmd = "git commit %s -m %s" % (" ".join(files_to_commit),
quote_shell_string(title + "\n\n" + werk["description"]))
os.system(cmd) # nosec

else:
if something_in_git_index():
dash_a = ''
os.system("cd '%s' ; git add .werks" % git_top_level())
os.system("cd '%s' ; git add .werks" % git_top_level()) # nosec
else:
dash_a = '-a'

os.system("git commit %s -m %s" %
(dash_a, quote_shell_string(title + "\n\n" + werk["description"])))
cmd = "git commit %s -m %s" % (dash_a,
quote_shell_string(title + "\n\n" + werk["description"]))
os.system(cmd) # nosec


def git_top_level():
@@ -561,7 +562,7 @@ def get_werk_arg(args):

def main_blame(args):
id = get_werk_arg(args)
os.system("git blame %d" % id)
os.system("git blame %d" % id) # nosec


def main_url(args):
@@ -594,7 +595,7 @@ def main_resolve(args):

def main_delete(args):
for ids in args:
if 0 == os.system("git rm %s" % ids):
if 0 == os.system("git rm %s" % ids): # nosec
sys.stdout.write("Deleted werk %s (%s).\n" % (ids, g_werks[int(ids)]["description"]))


@@ -686,7 +687,7 @@ def edit_werk(werkid, custom_files=[], commit=True):
if not editor:
bail_out("No editor available (please set EDITOR).\n")

if 0 == os.system("bash -c '%s +8 %s'" % (editor, werkid)):
if 0 == os.system("bash -c '%s +8 %s'" % (editor, werkid)): # nosec
load_werks()
werk = g_werks[werkid]
git_add(g_werks[werkid])
@@ -701,8 +702,9 @@ def main_commit(args):
sys.stdout.write("Commiting:\n")
for id in g_modified:
list_werk(g_werks[id])
if 0 == os.system("git commit -m 'Updated werk entries %s' ." % (", ".join(
["#%04d" % id for id in g_modified]))):
cmd = "git commit -m 'Updated werk entries %s' ." % (", ".join(
["#%04d" % id for id in g_modified]))
if 0 == os.system(cmd): # nosec
sys.stdout.write("--> Successfully committed %d werks.\n" % len(g_modified))
else:
bail_out("Cannot commit.")
@@ -723,12 +725,12 @@ def main_pick(args):

def werk_cherry_pick(commit_id, no_commit):
# Cherry-pick the commit in question from the other branch
os.system("git cherry-pick --no-commit '%s'" % commit_id)
os.system("git cherry-pick --no-commit '%s'" % commit_id) # nosec

# Find werks that have been cherry-picked and change their version
# to our current version
load_werks() # might have changed
for line in os.popen("git status --porcelain"):
for line in os.popen("git status --porcelain"): # nosec
# M .werks/103
# M werk
status, filename = line.strip().split(None, 1)
@@ -740,7 +742,7 @@ def werk_cherry_pick(commit_id, no_commit):

# Commit
if not no_commit:
os.system("git commit -C '%s'" % commit_id)
os.system("git commit -C '%s'" % commit_id) # nosec

else:
sys.stdout.write("We don't commit yet. Here is the status:\n")
@@ -808,7 +810,7 @@ def main_fetch_ids(args):
sys.stdout.write(
'Reserved %d additional IDs now. You have %d reserved IDs now.\n' % (num, len(my_ids)))

if 0 == os.system("git commit -m 'Reserved %d Werk IDS' ." % num):
if 0 == os.system("git commit -m 'Reserved %d Werk IDS' ." % num): # nosec
sys.stdout.write("--> Successfully committed reserved werk IDS. Please push it soon!\n")
else:
bail_out("Cannot commit.")
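Review bot: Several of the newly suppressed `os.system` calls still splice unquoted values into a shell string although the file already has `quote_shell_string` (used for the commit message in `git_commit`): `werk_cherry_pick` only wraps `commit_id` in single quotes (`git cherry-pick --no-commit '%s'`, `git commit -C '%s'`), `main_delete` passes `ids` bare in `git rm %s`, and `edit_werk` builds `bash -c '%s +8 %s'` from `editor` and `werkid`; `ids` is visibly taken from `args`, and `commit_id` presumably is too. Changing the first two to `os.system("git cherry-pick --no-commit %s" % quote_shell_string(commit_id))` and `os.system("git rm %s" % quote_shell_string(ids))` removes the easiest breakage (a quote in an argument) without touching the bandit markers; the `edit_werk` line deserves the same treatment for `werkid`. The `cmd = ...; os.system(cmd) # nosec` rewrites in `git_commit` and `main_commit` only move the marker onto a one-line call and change nothing at runtime, so a short comment above the first of them, `# shell form kept on purpose: developer-run git helper, arguments are quoted via quote_shell_string`, would make the suppression self-explanatory. `werk_cherry_pick` and `main_delete` run past their hunks, and `edit_werk`, `git_commit`, `main_commit` and `main_fetch_ids` begin before theirs.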
