Bandit static security code analysis: fix findings and add bandit to github actions #1820
Comments
IMO these functions are used to generate unique names, so the addition
Found the following comment in send_file.py:
I tested the download of different content-types including tgz and zip with binary files inside but did not get any exception.
The module
A test with
gravatar.com recommends using sha256 for hashing; see https://docs.gravatar.com/api/avatars/python/ The following email addresses can be used for testing: [email protected], [email protected], [email protected]
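One way to build the sha256-based avatar URL that comment refers to, as an added example that is not moin's own code: the base URL and the `s` (size) and `d` (default image) query parameters are the ones documented by Gravatar at the link above, and the email address used in the test is constructed.

```python
import hashlib
from urllib.parse import urlencode

# Base URL as given in the Gravatar documentation linked in the comment above.
GRAVATAR_BASE = "https://gravatar.com/avatar/"


def gravatar_hash(email: str) -> str:
    """Return the Gravatar identifier for an email address.

    Gravatar requires the address to be trimmed and lower-cased before it is
    hashed. sha256 is the hash the current Gravatar docs recommend; it also
    avoids the weak-hash finding (bandit B324) that md5 would trigger.
    """
    normalized = email.strip().lower()
    return hashlib.sha256(normalized.encode("utf-8")).hexdigest()


def gravatar_url(email: str, size: int = 80, default: str = "identicon") -> str:
    """Build the avatar URL.

    ``size`` maps to Gravatar's ``s`` parameter (1..2048 pixels) and
    ``default`` to its ``d`` parameter (e.g. ``identicon`` or ``mp``),
    which selects the image served when no avatar exists for the hash.
    """
    if not 1 <= size <= 2048:
        raise ValueError("Gravatar sizes must be between 1 and 2048 pixels")
    query = urlencode({"s": size, "d": default})
    return f"{GRAVATAR_BASE}{gravatar_hash(email)}?{query}"
```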
The module utils/profile.py seems to be for development purposes only. The critical statement is a Linux command. I never used this module. Can we remove it?
The last 2 bandit findings are related to sistersites:
The code belongs to moin/src/moin/themes/__init__.py, lines 491 to 520 in 5c5732b.
I didn't find any documentation about sistersites in RTD. According to the code, a web page of a sister wiki with URLs is read and the links are added to the navibar. Not sure if anybody uses it. This might give security problems if someone is able to update the configured sistersite page. BTW the code above seems to be incomplete in the handling of an OSError. I need some advice. Can we remove this part?
This issue collects several fixes for 'bandit' findings.
I would also like to add Bandit to the GitHub Actions as described in
https://github.com/marketplace/actions/bandit-scan or
https://github.com/marketplace/actions/bandit-by-pycqa.