mirrors/fdroidserver
1
0
Fork 0
mirror of https://github.com/f-droid/fdroidserver.git synced 2025-11-07 07:50:28 +03:00
Code Issues Projects Releases Packages Wiki Activity Actions

fix all bandit B310 urllib_urlopen

Browse source 
"Audit url open for permitted schemes. Allowing use of ‘file:’’ or custom
schemes is often unexpected."

https://bandit.readthedocs.io/en/latest/blacklists/blacklist_calls.html#b310-urllib-urlopen
This commit is contained in:
Hans-Christoph Steiner 2020-01-31 15:20:24 +01:00
parent d8f3d94997
commit 3df276cc3c
No known key found for this signature in database
GPG key ID: 3E177817BA1B9BFA
4 changed files with 19 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

6
fdroidserver/checkupdates.py
View file

@ -64,7 +64,7 @@ def check_http(app):
if len(urlcode) > 0:
logging.debug("...requesting {0}".format(urlcode))
req = urllib.request.Request(urlcode, None)
resp = urllib.request.urlopen(req, None, 20)
resp = urllib.request.urlopen(req, None, 20) # nosec B310 scheme is filtered above
page = resp.read().decode('utf-8')
m = re.search(codeex, page)
@ -77,7 +77,7 @@ def check_http(app):
if urlver != '.':
logging.debug("...requesting {0}".format(urlver))
req = urllib.request.Request(urlver, None)
resp = urllib.request.urlopen(req, None, 20)
resp = urllib.request.urlopen(req, None, 20) # nosec B310 scheme is filtered above
page = resp.read().decode('utf-8')
m = re.search(verex, page)
@ -295,7 +295,7 @@ def check_gplay(app):
headers = {'User-Agent': 'Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0'}
req = urllib.request.Request(url, None, headers)
try:
resp = urllib.request.urlopen(req, None, 20)
resp = urllib.request.urlopen(req, None, 20) # nosec B310 URL base is hardcoded above
page = resp.read().decode()
except urllib.error.HTTPError as e:
return (None, str(e.code))

5
fdroidserver/import.py
View file

@ -40,8 +40,9 @@ SETTINGS_GRADLE = re.compile(r'''include\s+['"]:([^'"]*)['"]''')
# when one of these is found it's assumed that's the information we want.
# Returns repotype, address, or None, reason
def getrepofrompage(url):
req = urllib.request.urlopen(url)
if not url.startswith('http'):
return (None, _('{url} does not start with "http"!'.format(url=url)))
req = urllib.request.urlopen(url) # nosec B310 non-http URLs are filtered out
if req.getcode() != 200:
return (None, 'Unable to get ' + url + ' - return code ' + str(req.getcode()))
page = req.read().decode(req.headers.get_content_charset())