Tools - add bandit

2022-05-28 20:01:14 +02:00
parent a9c20ad753
commit b5d09008ee
9 changed files with 156 additions and 8 deletions
--- a/fittrackee/main.py
+++ b/fittrackee/main.py
@@ -12,7 +12,7 @@ from fittrackee import create_app
 from fittrackee.users.exceptions import UserNotFoundException
 from fittrackee.users.utils.admin import UserManagerService

-HOST = os.getenv('HOST', '0.0.0.0')
+HOST = os.getenv('HOST', '127.0.0.1')
 PORT = os.getenv('PORT', '5000')
 WORKERS = os.getenv('APP_WORKERS', 1)
 BASEDIR = os.path.abspath(os.path.dirname(__file__))
--- a/fittrackee/config.py
+++ b/fittrackee/config.py
@@ -51,7 +51,7 @@ class BaseConfig:
 class DevelopmentConfig(BaseConfig):
    DEBUG = True
    SQLALCHEMY_DATABASE_URI = os.environ.get('DATABASE_URL')
-    SECRET_KEY = 'development key'
+    SECRET_KEY = 'development key'  # nosec
    BCRYPT_LOG_ROUNDS = 4
    DRAMATIQ_BROKER_URL = os.getenv('REDIS_URL', 'redis://')

@@ -60,12 +60,12 @@ class TestingConfig(BaseConfig):
    DEBUG = True
    TESTING = True
    SQLALCHEMY_DATABASE_URI = os.environ.get('DATABASE_TEST_URL')
-    SECRET_KEY = 'test key'
+    SECRET_KEY = 'test key'  # nosec
    BCRYPT_LOG_ROUNDS = 4
    TOKEN_EXPIRATION_DAYS = 0
    TOKEN_EXPIRATION_SECONDS = 3
    PASSWORD_TOKEN_EXPIRATION_SECONDS = 3
-    UPLOAD_FOLDER = '/tmp/fitTrackee/uploads'
+    UPLOAD_FOLDER = '/tmp/FitTrackee/uploads'  # nosec
    UI_URL = 'http://0.0.0.0:5000'
    SENDER_EMAIL = 'fittrackee@example.com'

--- a/fittrackee/users/users.py
+++ b/fittrackee/users/users.py
@@ -388,7 +388,7 @@ def get_picture(user_name: str) -> Any:
        if user.picture is not None:
            picture_path = get_absolute_file_path(user.picture)
            return send_file(picture_path)
-    except Exception:
+    except Exception:  # nosec
        pass
    return NotFoundErrorResponse('No picture.')

--- a/fittrackee/workouts/utils/maps.py
+++ b/fittrackee/workouts/utils/maps.py
@@ -27,7 +27,7 @@ def get_map_hash(map_filepath: str) -> str:
    Generate a md5 hash used as id instead of workout id, to retrieve map
    image (maps are sensitive data)
    """
-    md5 = hashlib.md5()
+    md5 = hashlib.md5()  # nosec  # need 3.9+ to use 'usedforsecurity' flag
    absolute_map_filepath = get_absolute_file_path(map_filepath)
    with open(absolute_map_filepath, 'rb') as f:
        for chunk in iter(lambda: f.read(128 * md5.block_size), b''):