This is an automated email from the ASF dual-hosted git repository.
potiuk pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow.git
The following commit(s) were added to refs/heads/main by this push:
new 343bac956b Review and mark found potential SSH security issues by
bandit (#36162)
343bac956b is described below
commit 343bac956b48aac80a7daaf0715e04d2cc37b373
Author: Jarek Potiuk <[email protected]>
AuthorDate: Mon Dec 11 08:38:18 2023 +0100
Review and mark found potential SSH security issues by bandit (#36162)
Bandit released a new version (1.7.6) a few days ago. We had >=1.7.5 and
it started to detect a new potential issue (Auto Add Hostkey) in the
Google and SSH providers. Both cases are valid however (in the first
case the key is a throw-away one and just - dynamically - created,
so we cannot have it stored yet; Auto-Adding makes sense in this case).
In the case of the SSH provider, the user must deliberately choose this
option and they are clearly warned that it is not a secure option.
We are also fixing bandit to a pinned version. The problem with
>= in the case of pre-commit is that the result might depend on the
pre-commit cache - in main we are still using 1.7.5 as it has been
cached, but new PRs use 1.7.6 because they have no access to the main
cache.
We will soon have a separate pre-commit added to make sure that we are
updating to the latest versions of other pre-commits. We need
to make sure we are updating those deliberately.
---
.pre-commit-config.yaml | 2 +-
airflow/providers/google/cloud/hooks/compute_ssh.py | 2 +-
airflow/providers/ssh/hooks/ssh.py | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 8f635c1960..e3202ee75a 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1015,7 +1015,7 @@ repos:
language: python
language_version: python3
types: [ python ]
- additional_dependencies: ['bandit>=1.7.5']
+ additional_dependencies: ['bandit==1.7.6']
require_serial: true
files: ^airflow/.*
exclude:
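Review bot: the reason for the exact pin is only recorded in the commit message; a one-line YAML comment next to `additional_dependencies: ['bandit==1.7.6']` (e.g. "pinned so that results do not depend on the pre-commit cache; bump deliberately") would keep that rationale visible to whoever next touches this hook. Note also that the pin only fixes bandit itself, not its transitive dependencies, so scan results can still drift slightly between environments until the planned version-bump pre-commit lands.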
diff --git a/airflow/providers/google/cloud/hooks/compute_ssh.py
b/airflow/providers/google/cloud/hooks/compute_ssh.py
index 9ed5899cfc..13b1bb3f4b 100644
--- a/airflow/providers/google/cloud/hooks/compute_ssh.py
+++ b/airflow/providers/google/cloud/hooks/compute_ssh.py
@@ -295,7 +295,7 @@ class ComputeEngineSSHHook(SSHHook):
client = _GCloudAuthorizedSSHClient(self._compute_hook)
# Default is RejectPolicy
# No known host checking since we are not storing privatekey
- client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
+ client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
# nosec B507
client.connect(
hostname=hostname,
username=user,
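Review bot: as rendered here the `# nosec B507` marker appears on its own line after the `client.set_missing_host_key_policy(paramiko.AutoAddPolicy())` call; bandit only honours `# nosec` when it is on the same physical line as the flagged statement, so please confirm the marker actually sits at the end of that line rather than below it. The existing comment "No known host checking since we are not storing privatekey" also explains the suppression poorly, since host key verification is about the remote host's key, not the private key; rewording it along the lines of the commit message (the instance and key are created dynamically, so no known_hosts entry can exist yet) would make the `nosec` justification self-contained.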
diff --git a/airflow/providers/ssh/hooks/ssh.py
b/airflow/providers/ssh/hooks/ssh.py
index 5bd7878daa..db69cd53e5 100644
--- a/airflow/providers/ssh/hooks/ssh.py
+++ b/airflow/providers/ssh/hooks/ssh.py
@@ -298,7 +298,7 @@ class SSHHook(BaseHook):
if self.no_host_key_check:
self.log.warning("No Host Key Verification. This won't protect
against Man-In-The-Middle attacks")
- client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
+ client.set_missing_host_key_policy(paramiko.AutoAddPolicy()) #
nosec B507
# to avoid BadHostKeyException, skip loading and saving host keys
known_hosts = os.path.expanduser("~/.ssh/known_hosts")
if not self.allow_host_key_change and os.path.isfile(known_hosts):
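Review bot: the suppression is justified here because `AutoAddPolicy` is only installed inside `if self.no_host_key_check:`, i.e. the user has explicitly opted out and a warning about Man-In-The-Middle exposure is logged on each connection. It would still help to state that reasoning in the code rather than leaving a bare `# nosec B507`, e.g. `# nosec B507 - user explicitly disabled host key verification`, so the marker does not look like an unexplained blanket exemption when the file is audited later.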