From 63d6a6e0ed55b75b6368ad1fbbf23c3483beea84 Mon Sep 17 00:00:00 2001
From: Benjamin Renard
Date: Thu, 23 Mar 2023 09:56:31 +0100
Subject: [PATCH] Intruce bandit pre-commit checks

---
 .pre-commit-config.yaml | 6 ++++++
 mylib/db.py | 8 ++++----
 mylib/email.py | 13 ++++++++-----
 mylib/scripts/sftp_test.py | 3 ++-
 4 files changed, 20 insertions(+), 10 deletions(-)

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 7b8d201..3ee6363 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -37,3 +37,9 @@ repos:
 hooks:
 - id: isort
 args: ['--profile', 'black', '--line-length', '100']
+- repo: https://github.com/Lucas-C/pre-commit-hooks-bandit
+ rev: v1.0.5
+ hooks:
+ - id: python-bandit-vulnerability-check
+ name: bandit
+ args: [--skip, "B101", --recursive, mylib]
diff --git a/mylib/db.py b/mylib/db.py
index cfebaa1..5a5aafd 100644
--- a/mylib/db.py
+++ b/mylib/db.py
@@ -261,7 +261,7 @@ class DB:
 def insert(self, table, values, just_try=False):
 """Run INSERT SQL query"""
 # pylint: disable=consider-using-f-string
- sql = "INSERT INTO {} ({}) VALUES ({})".format(
+ sql = "INSERT INTO {} ({}) VALUES ({})".format( # nosec
 self._quote_table_name(table),
 ", ".join([self._quote_field_name(field) for field in values.keys()]),
 ", ".join([self.format_param(key) for key in values]),
@@ -280,7 +280,7 @@ class DB:
 def update(self, table, values, where_clauses, where_op=None, just_try=False):
 """Run UPDATE SQL query"""
 # pylint: disable=consider-using-f-string
- sql = "UPDATE {} SET {}".format(
+ sql = "UPDATE {} SET {}".format( # nosec
 self._quote_table_name(table),
 ", ".join(
 [f"{self._quote_field_name(key)} = {self.format_param(key)}" for key in values]
@@ -306,7 +306,7 @@ class DB:
 
 def delete(self, table, where_clauses, where_op="AND", just_try=False):
 """Run DELETE SQL query"""
- sql = f"DELETE FROM {self._quote_table_name(table)}"
+ sql = f"DELETE FROM {self._quote_table_name(table)}" # nosec
 params = {}
 
 try:
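Review bot: The bandit hook is pulled from a third-party wrapper repository, `repo: https://github.com/Lucas-C/pre-commit-hooks-bandit`, pinned only by the tag `rev: v1.0.5`; tags are mutable, so for a hook that is itself a security control pin `rev` to the commit SHA (pre-commit accepts any git ref) or use the hook shipped by the upstream `PyCQA/bandit` repository, and let `pre-commit autoupdate` move it deliberately. `--skip, "B101"` turns off the assert-usage check for the whole of `mylib` rather than per finding; a one-line comment above the hook recording why asserts are acceptable here would stop the exclusion from silently outliving its reason. A pre-commit hook is bypassed by `git commit --no-verify`, so this only becomes an enforcement control if the same bandit invocation also runs in CI — worth noting in the commit description or a follow-up.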
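Review bot: The bare `# nosec` appended to `sql = "INSERT INTO {} ({}) VALUES ({})".format(` suppresses every bandit check on that line, not only B608 (SQL assembled from strings); the rule-scoped form supported by recent bandit releases, `# nosec B608`, plus a short reason, keeps a future finding on the same line visible. The suppression is only justified while `_quote_table_name` and `_quote_field_name` really quote or validate the identifiers and `format_param` emits a bound-parameter placeholder rather than interpolating the value — none of those helpers is in this hunk, so the comment should say that, e.g. `# nosec B608 - identifiers are quoted, values are bound parameters`. The same pattern is repeated on the `update`, `delete` and `truncate` lines in this file. `insert`'s body continues past the end of the hunk.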
@@ -327,7 +327,7 @@ class DB:
 
 def truncate(self, table, just_try=False):
 """Run TRUNCATE SQL query"""
- sql = f"TRUNCATE TABLE {self._quote_table_name(table)}"
+ sql = f"TRUNCATE TABLE {self._quote_table_name(table)}" # nosec
 
 if just_try:
 log.debug("Just-try mode: execute TRUNCATE query: %s", sql)
diff --git a/mylib/email.py b/mylib/email.py
index 2562183..7a48f76 100644
--- a/mylib/email.py
+++ b/mylib/email.py
@@ -173,7 +173,9 @@ class EmailClient(
 self.templates[template_name] = {}
 log.debug("Load email template %s %s from %s", template_name, template_type, filepath)
 with open(filepath, encoding="utf8") as file_desc:
- self.templates[template_name][template_type] = MakoTemplate(file_desc.read())
+ self.templates[template_name][template_type] = MakoTemplate(
+ file_desc.read()
+ ) # nosec
 
 def forge_message(
 self,
@@ -575,13 +577,14 @@ if __name__ == "__main__":
 text=(
 "Just a test email sent at {sent_date}."
 if not options.test_mako
- else MakoTemplate("Just a test email sent at ${sent_date}.")
+ else MakoTemplate("Just a test email sent at ${sent_date | h}.") # nosec
 ),
 html=(
- "Just a test email. (sent at {sent_date})"
+ "Just a test email. (sent at {sent_date | h})"
 if not options.test_mako
- else MakoTemplate(
- "Just a test email. (sent at ${sent_date})"
+ else MakoTemplate( # nosec
+ "Just a test email. "
+ "(sent at ${sent_date | h})"
 )
 ),
 )
diff --git a/mylib/scripts/sftp_test.py b/mylib/scripts/sftp_test.py
index 69067f5..c93d3f3 100644
--- a/mylib/scripts/sftp_test.py
+++ b/mylib/scripts/sftp_test.py
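Review bot: Silencing B702 on the `MakoTemplate(` call that loads templates from disk keeps Mako's default of no autoescaping, so XSS-safe output still depends on every template author remembering `${var | h}`; the mitigation bandit points at is `MakoTemplate(file_desc.read(), default_filters=["h"])`, with `| n` in the few places a template intends to emit raw HTML. Whether the values rendered into these templates can come from outside the application is not visible here, so at minimum the `# nosec` should carry that reasoning, e.g. `# nosec B702 - templates are trusted files, values escaped with | h`. The enclosing method starts before the hunk.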
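Review bot: The `| h` Mako escape filter has also been added to the non-Mako branch, `"Just a test email. (sent at {sent_date | h})"`, which is a plain `str.format`-style template: there `{sent_date | h}` is parsed as a single field named `sent_date | h`, so if `forge_message` renders plain strings with `str.format(**kwargs)` (outside this hunk) the run without `--test-mako` raises `KeyError` instead of printing the date. Restore that line to `"Just a test email. (sent at {sent_date})"` and keep `| h` only inside the two `MakoTemplate(...)` branches, which is what the `text=` branch two lines above already does. The `| h` filter on the Mako strings is the right fix for B702; the `# nosec` markers on those lines could be scoped as `# nosec B702`.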
@@ -51,7 +51,8 @@ def main(argv=None): # pylint: disable=too-many-locals,too-many-statements
 test_content = b"Juste un test."
 tmp_dir = tempfile.TemporaryDirectory() # pylint: disable=consider-using-with
 tmp_file = os.path.join(
- tmp_dir.name, f'tmp{"".join(random.choice(string.ascii_lowercase) for i in range(8))}'
+ tmp_dir.name,
+ f'tmp{"".join(random.choice(string.ascii_lowercase) for i in range(8))}', # nosec
 )
 log.debug('Temporary file path: "%s"', tmp_file)
 with open(tmp_file, "wb") as file_desc:
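Review bot: Rather than silencing B311 on the `random.choice(string.ascii_lowercase)` line, the random suffix can go away: the name only has to be unique inside the freshly created `tmp_dir`, and `tempfile` (already used two lines up) does that atomically — `fd, tmp_file = tempfile.mkstemp(prefix="tmp", dir=tmp_dir.name)` followed by `os.close(fd)` replaces the whole `os.path.join(...)` call, the `with open(tmp_file, "wb")` below keeps working, and `random`/`string` may become unused imports (check the rest of the module). If the suppression is kept, scope it as `# nosec B311` and say why (`# nosec B311 - name only needs to be unique inside a private temp dir`), so the marker does not hide a future finding on that line. The enclosing `main` starts before the hunk.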