Fix bandit issues

37df277b · David Hoese · 78357b50 · 37df277b · 37df277b · 37df277b
Verified Commit 37df277b authored 2 years ago by David Hoese
--- a/metobsapi/common_config.py
+++ b/metobsapi/common_config.py
@@ -2,7 +2,8 @@ JSONIFY_PRETTYPRINT_REGULAR = False
 if "SECRET_KEY" not in globals():
    # we don't do anything with cookies or sessions, set this somewhere secret in the future
-    SECRET_KEY = "secret!"
+    # Security: This is expected to be overwritten either via environment variable or sub-configuration
+    SECRET_KEY = "secret!"  # nosec B105
 ARCHIVE_ROOT = "/data1/cache"
 ARCHIVE_URL = "http://metobs.ssec.wisc.edu/pub/cache"
@@ -11,5 +12,6 @@ ARCHIVE_URL = "http://metobs.ssec.wisc.edu/pub/cache"
 INFLUXDB_HOST = "rain01"
 INFLUXDB_PORT = 8086
 INFLUXDB_USER = "root"
-INFLUXDB_PASS = "root"
+# Security: This is expected to be overwritten either via environment variable or sub-configuration
+INFLUXDB_PASS = "root"  # nosec B105
 INFLUXDB_DB = "metobs"
--- a/metobsapi/data_api.py
+++ b/metobsapi/data_api.py
 import logging
 from datetime import datetime, timedelta
-from xml.dom.minidom import Document
+# Security: Document is only used for creating an XML document, not parsing one
+from xml.dom.minidom import Document  # nosec B408
 import numpy as np
 import pandas as pd

--- a/metobsapi/server.py
+++ b/metobsapi/server.py
 import json as builtin_json
 import logging
 import os
+import sys
 from datetime import datetime
 from enum import Enum
 from urllib.error import URLError
@@ -18,10 +19,10 @@ LOG = logging.getLogger(__name__)
 app = Flask(__name__)
 # Load custom configuration file is specified
-if os.environ.get("METOBSAPI_SETTINGS") is None:
+app.config.from_object("metobsapi.common_config")
-    app.config.from_object("metobsapi.common_config")
+if os.environ.get("METOBSAPI_SETTINGS") is not None:
-else:
    app.config.from_pyfile(os.environ.get("METOBSAPI_SETTINGS"))
+app.config.from_prefixed_env(prefix="METOBSAPI")
 # Load json handler and add custom enum encoder
@@ -163,14 +164,16 @@ def get_instrument_status(site, inst=None, fmt=None):
        json_subpath = os.path.join(site, inst, "status.json")
    # try to load the JSON file from the archive
-    if not os.path.exists(app.config.get("ARCHIVE_ROOT")):
+    if not os.path.isfile(app.config.get("ARCHIVE_ROOT")) and app.config.get("ARCHIVE_ROOT").startswith("http"):
        LOG.warning("Using URL request for status JSON, not meant for operational use")
        # we aren't on a system with the archive available, fall back to URL
        # loads directly to the archive
        base_url = app.config.get("ARCHIVE_URL")
        json_url = os.path.join(base_url, json_subpath)
        try:
-            json_str = urlopen(json_url).read()
+            # Security: We check to ensure this is an HTTP URL as a base URL.
+            #   The server configuration is also the one setting what the root URL is.
+            json_str = urlopen(json_url).read()  # nosec B310
        except URLError:
            response["status_message"] = "Could not retrieve configured status: {}".format(json_url)
            json_str = None
@@ -196,4 +199,5 @@ def get_instrument_status(site, inst=None, fmt=None):
 if __name__ == "__main__":
    app.debug = True
-    app.run("0.0.0.0", threaded=True)
+    bind_addr = "0.0.0.0" if len(sys.argv) <= 1 else sys.argv[0]  # nosec B104
+    app.run(bind_addr, threaded=True)