I ran the project through the Bandit 'security linter' (https://pypi.org/project/bandit/), which flagged up a number of small issues. I've attached the result of this in case it is of interest (run on 4.3.1, so obviously run it against whatever you plan to deploy).
It is just one tool to use to help gauge the relative security of an app though. Fuzzing and Django-tailored attacks should also be tried.

Ben

On Mon, 17 Dec 2018 at 14:55, Adam Cox <[email protected]> wrote:
> Hi John, I have not had a security audit either, and would be very interested in the results. I do have a pending deployment for the Bureau of Land Management which will most likely require an audit, so I'm expecting to do some prep work on Arches for that at some point.
>
> On Mon, Dec 17, 2018 at 5:14 AM Vincent Meijer <[email protected]> wrote:
>> Hi John,
>>
>> I haven't heard of anyone doing a security audit for Arches, but if so I would also be quite interested in hearing about it.
>>
>> Best,
>> Vincent
>>
>> On Monday, 17 December 2018 10:49:03 UTC+1, John Murphy wrote:
>>> Good morning everyone!
>>>
>>> I was wondering if anyone has had to commission a security audit of Arches yet and, if so, what have your experiences been? Our corporate IT are going to require one before they allow me to set this loose on our network and it would be good to know what I need to look out for.
>>>
>>> Many thanks,
>>>
>>> John
>>
>> --
>> To post, send email to [email protected]. To unsubscribe, send email to [email protected]. For more information, visit https://groups.google.com/d/forum/archesproject?hl=en
>> ---
>> You received this message because you are subscribed to the Google Groups "Arches Project" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> For more options, visit https://groups.google.com/d/optout.
Run started:2018-10-09 22:00:49.467473

Test results:
>> Issue: [B101:assert_used] Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
   Severity: Low   Confidence: High
   Location: arches/arches/app/datatypes/concept_types.py:48
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b101_assert_used.html
47      try:
48          assert isinstance(nodevalue, (list, tuple)) #assert nodevalue is an array
49      except AssertionError:

--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: arches/arches/app/datatypes/datatypes.py:131
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b110_try_except_pass.html
130         tile.data[nodeid] = float(tile.data[nodeid])
131     except:
132         pass

--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: arches/arches/app/datatypes/datatypes.py:213
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b110_try_except_pass.html
212         value = str(datetime(value).date())
213     except:
214         pass

--------------------------------------------------
>> Issue: [B608:hardcoded_sql_expressions] Possible SQL injection vector through string-based query construction.
   Severity: Medium   Confidence: Low
   Location: arches/arches/app/datatypes/datatypes.py:482
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b608_hardcoded_sql_expressions.html
481         WHERE nodeid = '%s'
482         """ % node.pk)
483

--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: arches/arches/app/datatypes/datatypes.py:982
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b110_try_except_pass.html
981             tile_file['size'] = file_stats.st_size
982         except:
983             pass

--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: arches/arches/app/datatypes/datatypes.py:1258
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b110_try_except_pass.html
1257            result = ",".join(value)
1258        except:
1259            pass

--------------------------------------------------
>> Issue: [B404:blacklist] Consider possible security implications associated with check_call module.
   Severity: Low   Confidence: High
   Location: arches/arches/app/media/packages/bootstrap/test-infra/s3_cache.py:9
   More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_imports.html#b404-import-subprocess
8   from hashlib import sha256
9   from subprocess import check_call as run
10  from json import load, dump as save

--------------------------------------------------
>> Issue: [B603:subprocess_without_shell_equals_true] subprocess call - check for execution of untrusted input.
   Severity: Low   Confidence: High
   Location: arches/arches/app/media/packages/bootstrap/test-infra/s3_cache.py:94
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b603_subprocess_without_shell_equals_true.html
93      with timer():
94          run(['tar', '-czf', _tarball_filename_for(directory), '-C', dirname(directory), basename(directory)])
95

--------------------------------------------------
>> Issue: [B607:start_process_with_partial_path] Starting a process with a partial executable path
   Severity: Low   Confidence: High
   Location: arches/arches/app/media/packages/bootstrap/test-infra/s3_cache.py:94
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b607_start_process_with_partial_path.html
93      with timer():
94          run(['tar', '-czf', _tarball_filename_for(directory), '-C', dirname(directory), basename(directory)])
95

--------------------------------------------------
>> Issue: [B603:subprocess_without_shell_equals_true] subprocess call - check for execution of untrusted input.
   Severity: Low   Confidence: High
   Location: arches/arches/app/media/packages/bootstrap/test-infra/s3_cache.py:100
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b603_subprocess_without_shell_equals_true.html
99      with timer():
100         run(['tar', '-xzf', _tarball_filename_for(directory), '-C', dirname(directory)])
101

--------------------------------------------------
>> Issue: [B607:start_process_with_partial_path] Starting a process with a partial executable path
   Severity: Low   Confidence: High
   Location: arches/arches/app/media/packages/bootstrap/test-infra/s3_cache.py:100
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b607_start_process_with_partial_path.html
99      with timer():
100         run(['tar', '-xzf', _tarball_filename_for(directory), '-C', dirname(directory)])
101

--------------------------------------------------
>> Issue: [B602:subprocess_popen_with_shell_equals_true] subprocess call with shell=True identified, security issue.
   Severity: High   Confidence: High
   Location: arches/arches/app/media/packages/bootstrap/test-infra/s3_cache.py:184
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b602_subprocess_popen_with_shell_equals_true.html
183     with timer():
184         run(fallback_cmd, shell=True)

--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: arches/arches/app/models/card.py:102
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b110_try_except_pass.html
101         cardxnodexwidgetid = wm.pk
102     except:
103         pass

--------------------------------------------------
>> Issue: [B608:hardcoded_sql_expressions] Possible SQL injection vector through string-based query construction.
   Severity: Medium   Confidence: Low
   Location: arches/arches/app/models/concept.py:534
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b608_hardcoded_sql_expressions.html
533         JOIN results r on (r.conceptidfrom=c.conceptidto)
534         )""" % query.lower() if query is not None else ""
535

--------------------------------------------------
>> Issue: [B608:hardcoded_sql_expressions] Possible SQL injection vector through string-based query construction.
   Severity: Medium   Confidence: Low
   Location: arches/arches/app/models/concept.py:1002
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b608_hardcoded_sql_expressions.html
1001        WHERE json_data.value = '%s'
1002        """ % value.id
1003        cursor.execute(sql)

--------------------------------------------------
>> Issue: [B608:hardcoded_sql_expressions] Possible SQL injection vector through string-based query construction.
   Severity: Medium   Confidence: Low
   Location: arches/arches/app/models/concept.py:1043
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b608_hardcoded_sql_expressions.html
1042        ) SELECT conceptidfrom::text, conceptidto::text, value, valueid::text, valueto, valueidto::text, depth, idpath::text, conceptpath::text, vtype FROM children ORDER BY depth, conceptpath;
1043        """.format(conceptid)
1044

--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: arches/arches/app/models/concept.py:1165
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b110_try_except_pass.html
1164            lang_parts[1] = lang_parts[1].upper()
1165        except:
1166            pass

--------------------------------------------------
>> Issue: [B101:assert_used] Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
   Severity: Low   Confidence: High
   Location: arches/arches/app/models/migrations/0001_initial.py:52
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b101_assert_used.html
51      from django.contrib.auth.management import create_permissions
52      assert not getattr(apps, 'models_module', None)
53      model_app = apps.get_app_config('models')

--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: arches/arches/app/models/migrations/0005_4_0_1.py:85
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b110_try_except_pass.html
84          DValueType.objects.get(valuetype='identifier').delete()
85      except:
86          pass

--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: arches/arches/app/models/migrations/2891_tile_qa_schema.py:44
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b110_try_except_pass.html
43          print 'removed admin group'
44      except:
45          pass

--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: arches/arches/app/models/system_settings.py:107
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b110_try_except_pass.html
106             setattr(self, node.name, val)
107         except:
108             pass

--------------------------------------------------
>> Issue: [B413:blacklist] The pyCrypto library and its module AES are no longer actively maintained and have been deprecated. Consider using pyca/cryptography library.
   Severity: High   Confidence: High
   Location: arches/arches/app/utils/arches_crypto.py:21
   More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_imports.html#b413-import-pycrypto
20  import hashlib
21  from Crypto.Cipher import AES
22  from Crypto import Random

--------------------------------------------------
>> Issue: [B413:blacklist] The pyCrypto library and its module Random are no longer actively maintained and have been deprecated. Consider using pyca/cryptography library.
   Severity: High   Confidence: High
   Location: arches/arches/app/utils/arches_crypto.py:22
   More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_imports.html#b413-import-pycrypto
21  from Crypto.Cipher import AES
22  from Crypto import Random
23
24  class AESCipher(object):

--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: arches/arches/app/utils/data_management/resource_graphs/importer.py:130
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b110_try_except_pass.html
129             resource2resourceconstraint = Resource2ResourceConstraint.objects.update_or_create(**resource_2_resource_constraint)
130         except:
131             pass

--------------------------------------------------
>> Issue: [B403:blacklist] Consider possible security implications associated with cPickle module.
   Severity: Low   Confidence: High
   Location: arches/arches/app/utils/data_management/resources/formats/csvfile.py:2
   More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_imports.html#b403-import-pickle
1   import csv
2   import cPickle
3   import datetime

--------------------------------------------------
>> Issue: [B301:blacklist] Pickle and modules that wrap it can be unsafe when used to deserialize untrusted data, possible security issue.
   Severity: Medium   Confidence: High
   Location: arches/arches/app/utils/data_management/resources/formats/csvfile.py:635
   More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_calls.html#b301-pickle
634         # return deepcopy(blank_tile)
635         return cPickle.loads(cPickle.dumps(blank_tile, -1))
636

--------------------------------------------------
>> Issue: [B301:blacklist] Pickle and modules that wrap it can be unsafe when used to deserialize untrusted data, possible security issue.
   Severity: Medium   Confidence: High
   Location: arches/arches/app/utils/data_management/resources/formats/csvfile.py:750
   More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_calls.html#b301-pickle
749         def populate_child_tiles(source_data):
750             prototype_tile_copy = cPickle.loads(cPickle.dumps(childtile, -1))
751             tileid = row['TileID'] if 'TileID' in row else uuid.uuid4()

--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: arches/arches/app/utils/data_management/resources/formats/format.py:154
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b110_try_except_pass.html
153             log_nums.append(int(file.split('.')[-1]))
154         except:
155             pass

--------------------------------------------------
>> Issue: [B101:assert_used] Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
   Severity: Low   Confidence: High
   Location: arches/arches/app/utils/data_management/resources/formats/rdffile.py:78
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b101_assert_used.html
77          else:
78              assert node.datatype == graph_cache[graphid]['nodedatatypes'][node.nodeid], \
79                  "Node has more than one datatype?!"
80          if node.nodegroup:

--------------------------------------------------
>> Issue: [B101:assert_used] Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
   Severity: Low   Confidence: High
   Location: arches/arches/app/utils/data_management/resources/formats/rdffile.py:182
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b101_assert_used.html
181
182         assert len(resourceinstanceids) == 1  # currently, this should be limited to a single top resource
183
184         archesproject = Namespace(settings.ARCHES_NAMESPACE_FOR_DATA_EXPORT)

--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: arches/arches/app/utils/data_management/resources/formats/rdffile.py:294
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b110_try_except_pass.html
293             keys.append(key)
294         except:
295             pass

--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: arches/arches/app/utils/data_management/resources/formats/rdffile.py:422
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b110_try_except_pass.html
421             branch = node
422         except:
423             pass

--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: arches/arches/app/utils/data_management/resources/formats/rdffile.py:460
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b110_try_except_pass.html
459             value = JSONDeserializer().deserialize(value)
460         except:
461             pass

--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: arches/arches/app/utils/data_management/resources/importer.py:82
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b110_try_except_pass.html
81              relations_file = [file[0].split('.')[0] + '.relations']
82          except:
83              pass

--------------------------------------------------
>> Issue: [B310:blacklist] Audit url open for permitted schemes. Allowing use of file:/ or custom schemes is often unexpected.
   Severity: Medium   Confidence: High
   Location: arches/arches/app/utils/data_management/sparql_providers/aat_provider.py:108
   More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_calls.html#b310-urllib-urlopen
107
108         req = urllib2.Request(self.endpoint + '?' + self._getRequestEncodedParameters(("query", self.queryString)))
109         req.add_header("Accept", "application/sparql-results+json")

--------------------------------------------------
>> Issue: [B310:blacklist] Audit url open for permitted schemes. Allowing use of file:/ or custom schemes is often unexpected.
   Severity: Medium   Confidence: High
   Location: arches/arches/app/utils/data_management/sparql_providers/aat_provider.py:110
   More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_calls.html#b310-urllib-urlopen
109         req.add_header("Accept", "application/sparql-results+json")
110         f = urllib2.urlopen(req)
111         return JSONDeserializer().deserialize(f.read())

--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: arches/arches/app/utils/date_utils.py:66
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b110_try_except_pass.html
65              date = 'y' + date
66          except:
67              pass

--------------------------------------------------
>> Issue: [B608:hardcoded_sql_expressions] Possible SQL injection vector through string-based query construction.
   Severity: Medium   Confidence: Low
   Location: arches/arches/app/utils/index_database.py:187
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b608_hardcoded_sql_expressions.html
186         ) SELECT valueid, value, conceptid, languageid, valuetype FROM children_inclusive ORDER BY depth;
187         """.format(topConcept, valueTypes)
188

--------------------------------------------------
>> Issue: [B608:hardcoded_sql_expressions] Possible SQL injection vector through string-based query construction.
   Severity: Medium   Confidence: Medium
   Location: arches/arches/app/utils/index_database.py:202
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b608_hardcoded_sql_expressions.html
201
202         cursor.execute("SELECT count(*) from values WHERE valuetype in ({0})".format(valueTypes))
203         concept_count_in_db = cursor.fetchone()[0]

--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: arches/arches/app/utils/middleware.py:24
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b110_try_except_pass.html
23          request.user = User.objects.get(username='anonymous')
24      except:
25          pass

--------------------------------------------------
>> Issue: [B101:assert_used] Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
   Severity: Low   Confidence: High
   Location: arches/arches/app/utils/middleware.py:55
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b101_assert_used.html
54      def process_request(self, request):
55          assert hasattr(request, 'token'), (
56              "The JSON authentication middleware requires token middleware "
57              "to be installed. Edit your MIDDLEWARE setting to insert "
58              "'arches.app.utils.middleware.TokenMiddleware' before "
59              "'arches.app.utils.middleware.JWTAuthenticationMiddleware'."
60          )
61
62          # if there is a session and the user isn't anonymous then don't modify request.user
63          if request.user.is_anonymous() and request.token is not '':

--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: arches/arches/app/utils/skos.py:116
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b110_try_except_pass.html
115             identifier = self.unwrapJsonLiteral(str(object))
116         except:
117             pass

--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: arches/arches/app/utils/skos.py:259
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b110_try_except_pass.html
258             ret['value'] = jsonLiteralValue['value']
259         except:
260             pass

--------------------------------------------------
>> Issue: [B404:blacklist] Consider possible security implications associated with subprocess module.
   Severity: Low   Confidence: High
   Location: arches/arches/app/utils/system_metadata.py:20
   More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_imports.html#b404-import-subprocess
19  import platform
20  import subprocess
21  from django.db import connection, transaction

--------------------------------------------------
>> Issue: [B602:subprocess_popen_with_shell_equals_true] subprocess call with shell=True seems safe, but may be changed in the future, consider rewriting without shell
   Severity: Low   Confidence: High
   Location: arches/arches/app/utils/system_metadata.py:38
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b602_subprocess_popen_with_shell_equals_true.html
37          full_tag = subprocess.Popen("git log --pretty=format:'%h %ai' --abbrev-commit --date=short -1", cwd=settings.PACKAGE_ROOT,
38              shell=True, stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
39          tag = full_tag.stdout.readline().strip()
40      except:

--------------------------------------------------
>> Issue: [B607:start_process_with_partial_path] Starting a process with a partial executable path
   Severity: Low   Confidence: High
   Location: arches/arches/app/utils/system_metadata.py:37
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b607_start_process_with_partial_path.html
36      try:
37          full_tag = subprocess.Popen("git log --pretty=format:'%h %ai' --abbrev-commit --date=short -1", cwd=settings.PACKAGE_ROOT,
38              shell=True, stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
39          tag = full_tag.stdout.readline().strip()

--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: arches/arches/app/views/auth.py:165
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b110_try_except_pass.html
164             return redirect('auth')
165         except:
166             pass

--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: arches/arches/app/views/graph.py:72
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b110_try_except_pass.html
71          context['root_node'] = self.graph.node_set.get(istopnode=True)
72      except:
73          pass

--------------------------------------------------
>> Issue: [B310:blacklist] Audit url open for permitted schemes. Allowing use of file:/ or custom schemes is often unexpected.
   Severity: Medium   Confidence: High
   Location: arches/arches/app/views/main.py:61
   More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_calls.html#b310-urllib-urlopen
60      if url is not None:
61          f = urllib2.urlopen(url)
62          return HttpResponse(f.read())

--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: arches/arches/app/views/resource.py:352
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b110_try_except_pass.html
351             values[k] = v
352         except Exception as e:
353             pass

--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: arches/arches/app/views/resource.py:361
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b110_try_except_pass.html
360             values[k] = display_values
361         except Exception as e:
362             pass

--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: arches/arches/app/views/resource.py:390
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b110_try_except_pass.html
389             edit.resource_model_name = models.GraphModel.objects.get(pk=edit.resourceclassid).name
390         except:
391             pass

--------------------------------------------------
>> Issue: [B404:blacklist] Consider possible security implications associated with subprocess module.
   Severity: Low   Confidence: High
   Location: arches/arches/db/install/truncate_db.py:2
   More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_imports.html#b404-import-subprocess
1   import re
2   import subprocess
3   from django.template import Template

--------------------------------------------------
>> Issue: [B603:subprocess_without_shell_equals_true] subprocess call - check for execution of untrusted input.
   Severity: Low   Confidence: High
   Location: arches/arches/db/install/truncate_db.py:7
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b603_subprocess_without_shell_equals_true.html
6
7   postgres_version = subprocess.check_output(["psql", "--version"])
8   pattern = re.compile(r'\s\d+.\d*.\d*')

--------------------------------------------------
>> Issue: [B607:start_process_with_partial_path] Starting a process with a partial executable path
   Severity: Low   Confidence: High
   Location: arches/arches/db/install/truncate_db.py:7
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b607_start_process_with_partial_path.html
6
7   postgres_version = subprocess.check_output(["psql", "--version"])
8   pattern = re.compile(r'\s\d+.\d*.\d*')

--------------------------------------------------
>> Issue: [B404:blacklist] Consider possible security implications associated with subprocess module.
   Severity: Low   Confidence: High
   Location: arches/arches/db/utils.py:1
   More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_imports.html#b404-import-subprocess
1   import subprocess
2   from arches.app.models.system_settings import settings
3

--------------------------------------------------
>> Issue: [B603:subprocess_without_shell_equals_true] subprocess call - check for execution of untrusted input.
   Severity: Low   Confidence: High
   Location: arches/arches/db/utils.py:6
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b603_subprocess_without_shell_equals_true.html
5       database = settings.DATABASES[database]
6       proc = subprocess.Popen(["psql", "-h", database['HOST'], "-p", database['PORT'], "-U", database['USER'], "-d", database['NAME'], "-f", pathtofile],stdin=subprocess.PIPE,stdout=subprocess.PIPE)
7       output, errors = proc.communicate()

--------------------------------------------------
>> Issue: [B607:start_process_with_partial_path] Starting a process with a partial executable path
   Severity: Low   Confidence: High
   Location: arches/arches/db/utils.py:6
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b607_start_process_with_partial_path.html
5       database = settings.DATABASES[database]
6       proc = subprocess.Popen(["psql", "-h", database['HOST'], "-p", database['PORT'], "-U", database['USER'], "-d", database['NAME'], "-f", pathtofile],stdin=subprocess.PIPE,stdout=subprocess.PIPE)
7       output, errors = proc.communicate()

--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: arches/arches/management/commands/es.py:109
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b110_try_except_pass.html
108             os.rename(os.path.join(es_config_directory, 'elasticsearch.yml'), os.path.join(es_config_directory, 'elasticsearch.yml.orig'))
109         except: pass
110

--------------------------------------------------
>> Issue: [B103:set_bad_file_permissions] Chmod setting a permissive mask 0755 on file (NOT PARSED).
   Severity: Medium   Confidence: High
   Location: arches/arches/management/commands/es.py:111
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b103_set_bad_file_permissions.html
110
111         os.chmod(os.path.join(install_location, file_name_wo_extention, 'bin', 'elasticsearch'), 0755)
112

--------------------------------------------------
>> Issue: [B404:blacklist] Consider possible security implications associated with subprocess module.
   Severity: Low   Confidence: High
   Location: arches/arches/management/commands/export.py:20
   More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_imports.html#b404-import-subprocess
19  import os
20  import subprocess
21  from arches.app.models.system_settings import settings

--------------------------------------------------
>> Issue: [B608:hardcoded_sql_expressions] Possible SQL injection vector through string-based query construction.
   Severity: Medium   Confidence: Medium
   Location: arches/arches/management/commands/export.py:57
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b608_hardcoded_sql_expressions.html
56          with connection.cursor() as cursor:
57              cursor.execute("SELECT * FROM {0}".format(table))
58              row = cursor.fetchall()

--------------------------------------------------
>> Issue: [B608:hardcoded_sql_expressions] Possible SQL injection vector through string-based query construction.
   Severity: Medium   Confidence: Medium
   Location: arches/arches/management/commands/export.py:63
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b608_hardcoded_sql_expressions.html
62              for geom_type, st_type in geometry_types.iteritems():
63                  cursor.execute("SELECT count(*) FROM {0} WHERE geom_type IN ({1})".format(table, ','.join(st_type)))
64                  if cursor.fetchone()[0] > 0:

--------------------------------------------------
>> Issue: [B608:hardcoded_sql_expressions] Possible SQL injection vector through string-based query construction.
   Severity: Medium   Confidence: Low
   Location: arches/arches/management/commands/export.py:67
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b608_hardcoded_sql_expressions.html
66                      cmd_process = cmd.split()
67                      sql = 'select * from {0} where geom_type in ({1});'.format(table, ','.join(st_type))
68                      cmd_process.append(sql)

--------------------------------------------------
>> Issue: [B603:subprocess_without_shell_equals_true] subprocess call - check for execution of untrusted input.
   Severity: Low   Confidence: High
   Location: arches/arches/management/commands/export.py:69
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b603_subprocess_without_shell_equals_true.html
68                      cmd_process.append(sql)
69                      subprocess.call(cmd_process)
70                  else:

--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: arches/arches/management/commands/load_ontology.py:104
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b110_try_except_pass.html
103             return
104         except:
105             pass

--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: arches/arches/management/commands/load_ontology.py:222
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b110_try_except_pass.html
221             ret = data_source.path
222         except:
223             pass

--------------------------------------------------
>> Issue: [B404:blacklist] Consider possible security implications associated with subprocess module.
Severity: Low Confidence: High Location: arches/arches/management/commands/packages.py:20 More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_imports.html#b404-import-subprocess 19 """This module contains commands for building Arches.""" 20 import os, sys, subprocess, shutil, csv, json, unicodecsv 21 import urllib, uuid, glob -------------------------------------------------- >> Issue: [B310:blacklist] Audit url open for permitted schemes. Allowing use >> of file:/ or custom schemes is often unexpected. Severity: Medium Confidence: High Location: arches/arches/management/commands/packages.py:557 More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_calls.html#b310-urllib-urlopen 556 zip_file = os.path.join(unzip_into_dir,"source_data.zip") 557 urllib.urlretrieve(source, zip_file) 558 unzip_file(zip_file, unzip_into_dir) -------------------------------------------------- >> Issue: [B110:try_except_pass] Try, Except, Pass detected. Severity: Low Confidence: High Location: arches/arches/management/commands/packages.py:559 More Info: https://bandit.readthedocs.io/en/latest/plugins/b110_try_except_pass.html 558 unzip_file(zip_file, unzip_into_dir) 559 except: 560 pass -------------------------------------------------- >> Issue: [B602:subprocess_popen_with_shell_equals_true] subprocess call with >> shell=True identified, security issue. 
Severity: High Confidence: High Location: arches/arches/management/commands/packages.py:766 More Info: https://bandit.readthedocs.io/en/latest/plugins/b602_subprocess_popen_with_shell_equals_true.html 765 import time 766 p = subprocess.Popen(['service.bat', 'install'], cwd=es_start, shell=True) 767 time.sleep(10) -------------------------------------------------- >> Issue: [B607:start_process_with_partial_path] Starting a process with a >> partial executable path Severity: Low Confidence: High Location: arches/arches/management/commands/packages.py:766 More Info: https://bandit.readthedocs.io/en/latest/plugins/b607_start_process_with_partial_path.html 765 import time 766 p = subprocess.Popen(['service.bat', 'install'], cwd=es_start, shell=True) 767 time.sleep(10) -------------------------------------------------- >> Issue: [B602:subprocess_popen_with_shell_equals_true] subprocess call with >> shell=True identified, security issue. Severity: High Confidence: High Location: arches/arches/management/commands/packages.py:768 More Info: https://bandit.readthedocs.io/en/latest/plugins/b602_subprocess_popen_with_shell_equals_true.html 767 time.sleep(10) 768 p = subprocess.Popen(['service.bat', 'start'], cwd=es_start, shell=True) 769 else: -------------------------------------------------- >> Issue: [B607:start_process_with_partial_path] Starting a process with a >> partial executable path Severity: Low Confidence: High Location: arches/arches/management/commands/packages.py:768 More Info: https://bandit.readthedocs.io/en/latest/plugins/b607_start_process_with_partial_path.html 767 time.sleep(10) 768 p = subprocess.Popen(['service.bat', 'start'], cwd=es_start, shell=True) 769 else: -------------------------------------------------- >> Issue: [B603:subprocess_without_shell_equals_true] subprocess call - check >> for execution of untrusted input. 
Severity: Low Confidence: High Location: arches/arches/management/commands/packages.py:770 More Info: https://bandit.readthedocs.io/en/latest/plugins/b603_subprocess_without_shell_equals_true.html 769 else: 770 p = subprocess.Popen(es_start + '/elasticsearch', cwd=es_start, shell=False) 771 return p -------------------------------------------------- >> Issue: [B605:start_process_with_a_shell] Starting a process with a shell, >> possible injection detected, security issue. Severity: High Confidence: High Location: arches/arches/management/commands/packages.py:786 More Info: https://bandit.readthedocs.io/en/latest/plugins/b605_start_process_with_a_shell.html 785 786 os.system('psql -h %(HOST)s -p %(PORT)s -U %(USER)s -d postgres -f "%(truncate_path)s"' % db_settings) 787 -------------------------------------------------- >> Issue: [B110:try_except_pass] Try, Except, Pass detected. Severity: Low Confidence: High Location: arches/arches/management/commands/packages.py:1060 More Info: https://bandit.readthedocs.io/en/latest/plugins/b110_try_except_pass.html 1059 config['provider']['kwargs']['dbinfo']['database'] = settings.DATABASES['default']['NAME'] 1060 except: 1061 pass -------------------------------------------------- >> Issue: [B404:blacklist] Consider possible security implications associated >> with subprocess module. Severity: Low Confidence: High Location: arches/arches/management/commands/updateproject.py:4 More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_imports.html#b404-import-subprocess 3 import os 4 import subprocess 5 from arches.management.commands import utils -------------------------------------------------- >> Issue: [B310:blacklist] Audit url open for permitted schemes. Allowing use >> of file:/ or custom schemes is often unexpected. 
Severity: Medium Confidence: High Location: arches/arches/management/commands/updateproject.py:49 More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_calls.html#b310-urllib-urlopen 48 url = "https://raw.githubusercontent.com/archesproject/arches/stable/{0}/package.json".format(version) 49 response = urllib.urlopen(url) 50 data = json.loads(response.read()) -------------------------------------------------- >> Issue: [B602:subprocess_popen_with_shell_equals_true] subprocess call with >> shell=True seems safe, but may be changed in the future, consider rewriting >> without shell Severity: Low Confidence: High Location: arches/arches/management/commands/updateproject.py:57 More Info: https://bandit.readthedocs.io/en/latest/plugins/b602_subprocess_popen_with_shell_equals_true.html 56 os.chdir(settings.APP_ROOT) 57 subprocess.call("yarn install", shell=True) 58 except Exception as e: -------------------------------------------------- >> Issue: [B607:start_process_with_partial_path] Starting a process with a >> partial executable path Severity: Low Confidence: High Location: arches/arches/management/commands/updateproject.py:57 More Info: https://bandit.readthedocs.io/en/latest/plugins/b607_start_process_with_partial_path.html 56 os.chdir(settings.APP_ROOT) 57 subprocess.call("yarn install", shell=True) 58 except Exception as e: -------------------------------------------------- >> Issue: [B404:blacklist] Consider possible security implications associated >> with subprocess module. Severity: Low Confidence: High Location: arches/arches/setup.py:3 More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_imports.html#b404-import-subprocess 2 import os 3 import subprocess 4 import shutil -------------------------------------------------- >> Issue: [B605:start_process_with_a_shell] Starting a process with a shell, >> possible injection detected, security issue. 
Severity: High Confidence: High Location: arches/arches/setup.py:23 More Info: https://bandit.readthedocs.io/en/latest/plugins/b605_start_process_with_a_shell.html 22 tmpinstalldir = os.path.join(site_packages_dir(), 'arches', 'tmp') 23 os.system("pip install -b %s setuptools --upgrade" % (tmpinstalldir)) 24 os.system("pip install -b %s -r %s" % (tmpinstalldir, os.path.join(install_dir, 'requirements.txt'))) -------------------------------------------------- >> Issue: [B605:start_process_with_a_shell] Starting a process with a shell, >> possible injection detected, security issue. Severity: High Confidence: High Location: arches/arches/setup.py:24 More Info: https://bandit.readthedocs.io/en/latest/plugins/b605_start_process_with_a_shell.html 23 os.system("pip install -b %s setuptools --upgrade" % (tmpinstalldir)) 24 os.system("pip install -b %s -r %s" % (tmpinstalldir, os.path.join(install_dir, 'requirements.txt'))) 25 if settings.MODE == 'DEV': -------------------------------------------------- >> Issue: [B605:start_process_with_a_shell] Starting a process with a shell, >> possible injection detected, security issue. Severity: High Confidence: High Location: arches/arches/setup.py:26 More Info: https://bandit.readthedocs.io/en/latest/plugins/b605_start_process_with_a_shell.html 25 if settings.MODE == 'DEV': 26 os.system("pip install -b %s -r %s" % (tmpinstalldir, os.path.join(install_dir, 'requirements_dev.txt'))) 27 shutil.rmtree(tmpinstalldir, True) -------------------------------------------------- >> Issue: [B603:subprocess_without_shell_equals_true] subprocess call - check >> for execution of untrusted input. 
Severity: Low Confidence: High Location: arches/arches/setup.py:46 More Info: https://bandit.readthedocs.io/en/latest/plugins/b603_subprocess_without_shell_equals_true.html 45 try: 46 postgres_version = subprocess.check_output(["psql", "--version"]) 47 except OSError: -------------------------------------------------- >> Issue: [B607:start_process_with_partial_path] Starting a process with a >> partial executable path Severity: Low Confidence: High Location: arches/arches/setup.py:46 More Info: https://bandit.readthedocs.io/en/latest/plugins/b607_start_process_with_partial_path.html 45 try: 46 postgres_version = subprocess.check_output(["psql", "--version"]) 47 except OSError: -------------------------------------------------- >> Issue: [B605:start_process_with_a_shell] Starting a process with a shell, >> possible injection detected, security issue. Severity: High Confidence: High Location: arches/arches/setup.py:73 More Info: https://bandit.readthedocs.io/en/latest/plugins/b605_start_process_with_a_shell.html 72 virtualenv_working_dir = os.path.join(virtualenv_root, env) 73 os.system("python %s %s" % (os.path.join(virtualenv_root, 'virtualenv.py'), virtualenv_working_dir)) 74 activate_env(virtualenv_working_dir) -------------------------------------------------- >> Issue: [B605:start_process_with_a_shell] Starting a process with a shell: >> Seems safe, but may be changed in the future, consider rewriting without >> shell Severity: Low Confidence: High Location: arches/arches/setup.py:76 More Info: https://bandit.readthedocs.io/en/latest/plugins/b605_start_process_with_a_shell.html 75 else: 76 os.system("pip install virtualenv") 77 virtualenv_working_dir = os.path.join(here, 'virtualenv', env) -------------------------------------------------- >> Issue: [B607:start_process_with_partial_path] Starting a process with a >> partial executable path Severity: Low Confidence: High Location: arches/arches/setup.py:76 More Info: 
https://bandit.readthedocs.io/en/latest/plugins/b607_start_process_with_partial_path.html 75 else: 76 os.system("pip install virtualenv") 77 virtualenv_working_dir = os.path.join(here, 'virtualenv', env) -------------------------------------------------- >> Issue: [B605:start_process_with_a_shell] Starting a process with a shell, >> possible injection detected, security issue. Severity: High Confidence: High Location: arches/arches/setup.py:78 More Info: https://bandit.readthedocs.io/en/latest/plugins/b605_start_process_with_a_shell.html 77 virtualenv_working_dir = os.path.join(here, 'virtualenv', env) 78 os.system("virtualenv %s" % (virtualenv_working_dir)) 79 if os.path.exists(virtualenv_working_dir): -------------------------------------------------- >> Issue: [B310:blacklist] Audit url open for permitted schemes. Allowing use >> of file:/ or custom schemes is often unexpected. Severity: Medium Confidence: High Location: arches/arches/setup.py:97 More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_calls.html#b310-urllib-urlopen 96 def download_file(url, file_name): 97 u = urllib2.urlopen(url) 98 f = open(file_name, 'wb') -------------------------------------------------- >> Issue: [B101:assert_used] Use of assert detected. The enclosed code will be >> removed when compiling to optimised byte code. Severity: Low Confidence: High Location: arches/arches/setup.py:180 More Info: https://bandit.readthedocs.io/en/latest/plugins/b101_assert_used.html 179 else: 180 assert len(version) == 5 181 assert version[3] in ('alpha', 'beta', 'rc', 'final') -------------------------------------------------- >> Issue: [B101:assert_used] Use of assert detected. The enclosed code will be >> removed when compiling to optimised byte code. 
Severity: Low Confidence: High Location: arches/arches/setup.py:181 More Info: https://bandit.readthedocs.io/en/latest/plugins/b101_assert_used.html 180 assert len(version) == 5 181 assert version[3] in ('alpha', 'beta', 'rc', 'final') 182 -------------------------------------------------- >> Issue: [B404:blacklist] Consider possible security implications associated >> with subprocess module. Severity: Low Confidence: High Location: arches/arches/setup.py:187 More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_imports.html#b404-import-subprocess 186 import os 187 import subprocess 188 from StringIO import StringIO -------------------------------------------------- >> Issue: [B603:subprocess_without_shell_equals_true] subprocess call - check >> for execution of untrusted input. Severity: Low Confidence: High Location: arches/arches/setup.py:218 More Info: https://bandit.readthedocs.io/en/latest/plugins/b603_subprocess_without_shell_equals_true.html 217 try: 218 ver = subprocess.check_output(['hg', 'log', '-r', '.', '--template', '{latesttag}:{node|short}']) 219 ver = subprocess.check_output(['hg', 'log', '-r', '.', '--template', '{node|short}']) -------------------------------------------------- >> Issue: [B607:start_process_with_partial_path] Starting a process with a >> partial executable path Severity: Low Confidence: High Location: arches/arches/setup.py:218 More Info: https://bandit.readthedocs.io/en/latest/plugins/b607_start_process_with_partial_path.html 217 try: 218 ver = subprocess.check_output(['hg', 'log', '-r', '.', '--template', '{latesttag}:{node|short}']) 219 ver = subprocess.check_output(['hg', 'log', '-r', '.', '--template', '{node|short}']) -------------------------------------------------- >> Issue: [B603:subprocess_without_shell_equals_true] subprocess call - check >> for execution of untrusted input. 
Severity: Low Confidence: High Location: arches/arches/setup.py:219 More Info: https://bandit.readthedocs.io/en/latest/plugins/b603_subprocess_without_shell_equals_true.html 218 ver = subprocess.check_output(['hg', 'log', '-r', '.', '--template', '{latesttag}:{node|short}']) 219 ver = subprocess.check_output(['hg', 'log', '-r', '.', '--template', '{node|short}']) 220 ver = subprocess.check_output(['hg', 'log', '-r', '.', '--template', '{date}']) -------------------------------------------------- >> Issue: [B607:start_process_with_partial_path] Starting a process with a >> partial executable path Severity: Low Confidence: High Location: arches/arches/setup.py:219 More Info: https://bandit.readthedocs.io/en/latest/plugins/b607_start_process_with_partial_path.html 218 ver = subprocess.check_output(['hg', 'log', '-r', '.', '--template', '{latesttag}:{node|short}']) 219 ver = subprocess.check_output(['hg', 'log', '-r', '.', '--template', '{node|short}']) 220 ver = subprocess.check_output(['hg', 'log', '-r', '.', '--template', '{date}']) -------------------------------------------------- >> Issue: [B603:subprocess_without_shell_equals_true] subprocess call - check >> for execution of untrusted input. 
Severity: Low Confidence: High Location: arches/arches/setup.py:220 More Info: https://bandit.readthedocs.io/en/latest/plugins/b603_subprocess_without_shell_equals_true.html 219 ver = subprocess.check_output(['hg', 'log', '-r', '.', '--template', '{node|short}']) 220 ver = subprocess.check_output(['hg', 'log', '-r', '.', '--template', '{date}']) 221 sb.writelines(['__VERSION__="%s"' % ver.split(':')[0]]) -------------------------------------------------- >> Issue: [B607:start_process_with_partial_path] Starting a process with a >> partial executable path Severity: Low Confidence: High Location: arches/arches/setup.py:220 More Info: https://bandit.readthedocs.io/en/latest/plugins/b607_start_process_with_partial_path.html 219 ver = subprocess.check_output(['hg', 'log', '-r', '.', '--template', '{node|short}']) 220 ver = subprocess.check_output(['hg', 'log', '-r', '.', '--template', '{date}']) 221 sb.writelines(['__VERSION__="%s"' % ver.split(':')[0]]) -------------------------------------------------- >> Issue: [B110:try_except_pass] Try, Except, Pass detected. Severity: Low Confidence: High Location: arches/arches/setup.py:224 More Info: https://bandit.readthedocs.io/en/latest/plugins/b110_try_except_pass.html 223 #write_to_file(os.path.join(path_to_file,'version.py'), sb.getvalue(), 'w') 224 except: 225 pass -------------------------------------------------- >> Issue: [B110:try_except_pass] Try, Except, Pass detected. Severity: Low Confidence: High Location: arches/arches/urls.py:165 More Info: https://bandit.readthedocs.io/en/latest/plugins/b110_try_except_pass.html 164 ] + urlpatterns 165 except: 166 pass -------------------------------------------------- Code scanned: Total lines of code: 20516 Total lines skipped (#nosec): 0 Run metrics: Total issues (by severity): Undefined: 0 Low: 74 Medium: 18 High: 11 Total issues (by confidence): Undefined: 0 Low: 6 Medium: 3 High: 94 Files skipped (0):
