Monday, 2015-06-22

*** markvoelker has joined #openstack-security00:01
*** markvoelker has quit IRC00:05
*** salv-orlando has joined #openstack-security01:06
*** salv-orlando has quit IRC01:11
*** browne has joined #openstack-security01:16
*** markvoelker has joined #openstack-security01:50
*** markvoelker has quit IRC01:55
*** sdake_ has quit IRC03:10
*** salv-orlando has joined #openstack-security03:19
*** salv-orlando has quit IRC03:22
*** markvoelker has joined #openstack-security03:38
*** markvoelker has quit IRC03:43
*** electrichead has quit IRC03:59
*** sdake has joined #openstack-security04:04
*** redrobot has joined #openstack-security04:16
*** redrobot is now known as Guest4778904:16
*** Guest47789 has quit IRC04:28
*** salv-orlando has joined #openstack-security05:02
*** salv-orlando has quit IRC05:13
*** markvoelker has joined #openstack-security05:27
*** markvoelker has quit IRC05:32
openstackgerritOpenStack Proposal Bot proposed openstack/security-doc: Imported Translations from Transifex
openstackgerritMerged openstack/security-doc: Imported Translations from Transifex
*** JAHoagie has joined #openstack-security06:18
*** browne has quit IRC06:19
*** JAHoagie has quit IRC06:42
*** salv-orlando has joined #openstack-security07:10
*** salv-orlando has quit IRC07:13
*** markvoelker has joined #openstack-security07:16
*** salv-orlando has joined #openstack-security07:17
*** markvoelker has quit IRC07:21
*** alex_klimov has joined #openstack-security08:20
*** alex_klimov has quit IRC08:51
*** marzif has joined #openstack-security08:56
openstackgerritMerged stackforge/anchor: Ignore the coverage file
openstackgerritMerged stackforge/anchor: Fix entry typo
*** markvoelker has joined #openstack-security09:05
*** markvoelker has quit IRC09:09
openstackgerritMerged stackforge/anchor: Handle omission of CN on CSR
*** jamielennox is now known as jamielennox|away10:25
openstackgerritStanislaw Pitucha proposed stackforge/anchor: Explicit long is not needed
openstackgerritStanislaw Pitucha proposed stackforge/anchor: Force absolute imports rather than relative ones
openstackgerritStanislaw Pitucha proposed stackforge/anchor: Add explicit decoding to asn1 data
openstackgerritMerged stackforge/anchor: Fixed a typo in X509/
*** sdake has quit IRC10:43
*** kenj0 has quit IRC10:43
*** sigmavirus24_awa has quit IRC10:43
*** Guest11697 has quit IRC10:43
*** v4s has joined #openstack-security10:43
*** mgagne has joined #openstack-security10:43
*** mgagne is now known as Guest8120210:43
*** sdake has joined #openstack-security10:44
*** sigmavirus24_awa has joined #openstack-security10:46
*** markvoelker has joined #openstack-security10:53
*** markvoelker has quit IRC10:58
*** daemontool_ has joined #openstack-security11:16
*** marzif has quit IRC11:18
*** alex_klimov has joined #openstack-security11:21
*** sdake_ has joined #openstack-security11:27
*** sdake has quit IRC11:30
openstackgerritMerged stackforge/anchor: Refactor the alternative name iteration code
*** daemontool_ has quit IRC11:38
*** marzif has joined #openstack-security11:39
*** markvoelker has joined #openstack-security11:54
*** markvoelker has quit IRC11:59
*** markvoelker has joined #openstack-security12:03
openstackgerritMerged stackforge/anchor: CA doesn't need to be read-only
*** edmondsw has joined #openstack-security12:22
openstackgerritMerged stackforge/anchor: Add blacklist validator
*** dave-mccowan has joined #openstack-security13:02
*** singlethink has joined #openstack-security13:33
*** singleth_ has joined #openstack-security13:45
*** tmcpeak has joined #openstack-security13:48
*** singlethink has quit IRC13:49
openstackgerritMerged openstack/security-doc: Case Studies - Moving Identity case studies into Identity chapter
*** localloop127 has joined #openstack-security14:08
*** sigmavirus24_awa is now known as sigmavirus2414:12
*** nkinder has joined #openstack-security14:31
*** redrobot has joined #openstack-security14:51
*** redrobot is now known as Guest4440514:51
*** jebertol has joined #openstack-security14:52
*** sdake_ has quit IRC14:52
*** jebertol has quit IRC14:53
*** browne has joined #openstack-security14:53
*** Guest44405 is now known as redrobot14:53
*** marzif has quit IRC14:55
*** jian5397 has joined #openstack-security14:57
*** dave-mccowan has quit IRC15:12
*** bpokorny has joined #openstack-security15:16
*** dave-mccowan has joined #openstack-security15:24
*** Guest81202 is now known as mgagne15:36
*** mgagne has joined #openstack-security15:36
*** salv-orl_ has joined #openstack-security16:00
*** salv-orlando has quit IRC16:03
openstackgerritMerged stackforge/bandit: Add extension entry-points and loading
*** chair6_ is now known as chair616:12
*** jian5397 has quit IRC16:24
*** jian5397 has joined #openstack-security16:25
*** jian5397 has left #openstack-security16:26
*** jian5397 has joined #openstack-security16:27
tmcpeakbrowne, chair6, sigmavirus24: we're looking at another pushed version now that sigmavirus24's changes have landed.  If you have the chance in the next couple of days, could you run Bandit against some code and do a sanity check?  please use bandit default profile as well as the profile being used in gates -
brownetmcpeak: sure will do16:30
tmcpeakbrowne: thanks!16:30
sigmavirus24So how many projects are using pyca/cryptography directly?16:42
sigmavirus24I'm wondering if we want to add a plugin to check for less than ideal combinations of things in code using cryptography16:43
*** sicarie has joined #openstack-security16:55
*** dg___ has joined #openstack-security16:57
elmikohey sicarie17:00
elmikohow goes?17:00
sicariepretty well, how was the conference?17:01
elmikoit was really good, very mind-blowing in some ways. just gave me too many good ideas =)17:01
dg___which conference was that?17:02
elmikospark summit17:02
*** shelleea007 has joined #openstack-security17:02
*** pdesai has joined #openstack-security17:03
elmikosan fran was nice too, had awesome weather all week17:03
elmikohey shelleea007, pdesai /me waves17:03
pdesaiHi everyone17:03
sicarieSorry about that, was handling internal fun17:05
sicarieSo we have one to traige today:
openstackLaunchpad bug 1467545 in openstack-manuals "Security guide should contain an appendix with advice on configuring firewalls" [Undecided,New]17:06
elmikoi was figuring this might be wishlist17:06
sicarieelmiko: how do you feel about updating ‘firewalls’ to ‘security groups’?17:06
elmikosure, that works17:06
elmikoi guess ultimately we could have advice on iptables, firewalld, and the ubuntu service (can't remember the name)17:07
sicarieSo let me rephrase that17:07
sicarieWould this be more useful initially as a reference for networking security groups, or firewalls deployed in the environment?17:07
sicarie(the ubuntu one)17:08
elmikoi was initially thinking just firewalls, maybe a little distinction on security groups would help17:08
sicarieI think a security groups reference might be a bit more useful as firewalls are determined by the environment and deployer17:08
elmikoyea, ufw, thanks17:08
elmikook, so make it a little broaded to cover other cases too. i'm good with that.17:09
sicariepdesai dg__ shelleea007 do any of you feel strongly one way or another?17:09
shelleea007but I do agree that it should be addressed at some level17:09
sicarieOr maybe we can even comment and suggest a security groups reference first to build into fw rules?17:10
shelleea007but each entity will have to identify how to secure their own environment as applicable17:10
elmikoi changed the title slighty, s/firewalls/network security groups/17:10
sicarieSounds good17:10
elmikoshelleea007: agreed, i figured this might address thing by linux distributions to begin with, for example "firewalld service files for fedora, centos and rhel. uwd configs for ubuntu. etc..."17:11
dg___on the name - firewalls is more familiar to average reader, rather than security group, which is fairly openstack specific17:11
elmikodg___: kinda why i went with the more mundane term originally17:12
sicariedg__ very true, but I would expect someone looking at an appendix reference to be fairly familiar with openstack terminology17:12
dg___unless theyre just greping for 'how do i firewall stuff'17:12
dg___if they started at the beginning, sure, but when did you last read a tech book from the start?17:13
elmikomaybe the appendix could be titled something like "Appendix X, Network security group and firewall configurations"?17:13
sicarieelmiko: +117:13
sicariedg__ it was the openstack security guide :P17:13
sicariebut that was because I was doing a cover-to-cover bug hunt17:14
dg___sicarie hero!17:14
sicarieSo I have one general question, and then want to hit the RST conversion17:14
sicarieSo over the weekend this bug was opened:
openstackLaunchpad bug 1465037 in openstack-manuals "Chapter 10. Case studies: Identity management in OpenStack Security Guide - current" [Medium,Invalid]17:14
sicarieIt wasn’t tagged sec-guide so I missed it, there is a currently open bug tagged sec-guide that I’ve been working for the last few months to get the case studies in better shape17:15
sicarieThat spawned a patch set as well:
elmikosicarie: i merged yours earlier and commented on that one17:15
sicarieSo my general question for anyone who may know: is there a way other than tags to search where a bug came from so I can do a regular search for non-tagged but still secguide bugs?17:16
sicarieelmiko: I saw that :\17:16
sicariejust amazing timing on the new bug/patchset17:16
elmikogood question about the bugs, i'm not immediately sure about that17:17
sicarieOkay, no worries, just thought I’d throw it out there17:17
sicarieso the RST migration:
openstackLaunchpad bug 1463111 in openstack-manuals "OpenStack Security Guide - Convert to RST format" [High,Triaged]17:17
pdesaisicarie, you can go first, i have few comments as well17:18
*** sdake_ has joined #openstack-security17:18
sicariepdesai: sure17:18
sicarieSo after a bit of discussion i think we’re going to do a sec-specs repo17:18
sicarieand with that I’ll let pdesai take it away, as she’s been doing good work to structure this in the etherpad17:19
pdesaisure, i have gone through the migration guide lines from here:
pdesaii have outlined the new dir structure on the etherpad17:20
pdesaisecurity-guide-rst will have all the source files *.rst under security-guide-rst/source17:21
sicarie+1 looks good17:21
pdesaiwe convert each ch_ and section_ file to *.rst17:21
elmikopdesai: awesome, +117:22
pdesaithanks :) my question is, its recommended that we merge ch_ and their section_ files into one rst file, (does not apply for all though), what are your thoughts?17:23
sicarieAh, good question17:23
pdesaiwe have today 100 files including ch_ and section_17:23
elmikocould make for some large rst files17:23
sicarieyeah, i was thinking that was becoming unwiedly17:23
elmikoi don't necessarily have a problem with that, just as long as we accept that reality17:23
sicarieYeah, it’s either going to be lots of files when doing an ls or a large file being edited (possibly multiple times)17:24
pdesaiwe can merge files, if its a moderate size rst file, instead of applying this rule for all the files17:24
sicarieSo what I’d like to avoid would be a large set of “patch in merge conflict” submissions17:24
elmikoif we break them apart we will most likely need subdirs and then toc files to organize everything, that might be more unwieldly17:25
pdesaiwe can create a subdir for each chapter to store their section files, or have a flat dir and store everything under source/17:25
elmikoyea, i was kinda thinking subdir for each chapter (if we break apart the files)17:26
*** Vivek_ has joined #openstack-security17:26
elmikomight be nice to do regardless17:26
pdesai+1 to subdir for each ch.17:26
elmikono objection from me17:27
sicarieSo let’s submit the bp with that arch as a goal, and we’ll invite the docs team to comment17:27
sicarieIf they have a very persuasive argument we can modify our approach17:27
sicariebut I do think that’s probably the most reasonable path right now17:27
pdesaiawesome, i will create a repo for sec-specs and add my first bp :)17:28
Vivek_I am new to the OpenStack Security Project.17:28
sicarieThanks pdesai!17:28
*** Vivek_ is now known as Vivek17:28
elmikowhat are we looking at for a time frame on this? (i'm curious about starting the appendix, if it should be xml or rst)17:28
*** Vivek is now known as Guest5003117:28
tmcpeakVivek: how's it going?  these guys are having a meeting here, but feel free to PM me or drop a message in here when they're done17:29
sicarieelmiko: good question, I’d prefer to get it done as quickly as possible17:29
elmikosicarie: ok, i'll wait on the appendix until we are finished with rst.17:29
sicarieI was just going to say I think we should freeze submissions once we start the conversion17:29
elmikoGuest50031: hi, yea what tmcpeak said. we are currently discussing the openstack security guide =)17:29
sicariebut until then I’m going to be pushing new content to case studies and compute :)17:29
elmikosounds good17:30
*** alex_klimov has quit IRC17:30
sicarieawesome, thanks everyone!17:30
elmikoi guess we will have a small window of time where we need to ensure that the new changes and the rst are the same17:30
elmikocool, thanks!17:30
Guest50031Sure I am the co-author of the OpenStack Beginner's Guide Essex Release,always happy to help out with documentation.17:30
sicarieelmiko: exactly17:30
pdesaiyeah we will have to be careful there17:30
Guest50031Pleae carry on with your meeting.I'll be here.17:30
sicarieGuest50031: we just finished :)17:31
*** Guest50031 is now known as Vivek_V_C17:31
tmcpeakVivek_V_C - these are the guys you want to talk to if you're interested in documentation17:31
elmikoVivek_V_C: awesome to hear =)17:31
Vivek_V_CSure, more about myself, I am a Technical Architect with Tech Mahindra in Chennai India.17:32
Vivek_V_CI use OpenStack daily for fun and for profit :)17:33
*** dg___ has quit IRC17:33
Vivek_V_CI am trying to implement a poc on openstack hardening it will be with RH OpenStack Juno.17:34
*** Vivek_V_C is now known as Vivek17:35
*** Vivek has quit IRC17:35
*** Vivek has joined #openstack-security17:35
tmcpeakVivek: hardening how?17:35
VivekWell, I am supposed to follow the openstack security guide right ?. RH is our partners and they have the Standard Operating Environment (SOE) which they claim they implement using CloudForms. Data at Rest encryption - (FIPS 140), Data in Motion (AIDE), Authentication tools (Two-factor, IDM, Certificate system), Certifications (Common Criteria, EAL4+)17:39
tmcpeakahh cool17:39
VivekI am not sure if they are giving marketing jargon but I also just wanted to cross check here.17:40
elmikosounds neat17:40
Vivekelmiko,sicarie: Nice meeting you.17:41
tmcpeakVivek: some of the people here work for RedHat, they might know more than me17:41
elmiko<-- works for red hat17:41
VivekI see.17:41
elmikobut i'm not involved directly with the effort you are talking about17:41
VivekHow do I start with Openstack security, the security guide ?17:42
VivekAlso are there any RH specific hardening docs ?17:42
elmikosec. guide is a great place to start17:43
misci guess like anything, first start to see what you want to protect, what would be the thread, and then how you can remedy and/or prevent and/or reduce17:43
Vivekelmiko: ok.17:43
VivekI'll start with the guide then.17:43
elmikoVivek: there are also some red hat installation guides, i'm not sure about security hardening though. i'd have to look into it, maybe misc knows?17:44
sicarieVivek: if you run into any issues with the guide, please ping in here - I’m very interested to see how the security guide looks to a new user17:44
miscnope dunno about guides17:44
Viveksicarie: I am not a new user, been using OpenStack since Essex, new to the security side though.17:45
miscbut I think I would likely have a unconventionnal approach of deploying openstack by hand to see how it goes, then start to be fedup and look for a guide :)17:45
sicarieVivek: apologies, a new security implementor :)17:46
Vivekmisc: I have already done that manually many times :)17:46
*** pdesai has quit IRC17:46
VivekI will have a phd in manual openstack deployment.17:46
Vivektmcpeak,elmiko,sicarie: Are you all core members of the security team ?17:47
sicarieVivek: they are17:47
sicarieI’m security-guide specific17:47
VivekTravis,Mike and Nathaniel: Nice to meet you guys.17:49
VivekI am Vivek Cherian.17:50
elmikonice to meet you as well =)17:50
sicarieVivek: nice to meet you too!17:50
VivekIs the openstack security mailing list active, I sent mail to join the list a few mins back.17:53
elmikoVivek: that list mainly has automated emails about security review tagged issues.17:53
VivekWhere does all the actual discussion happen ?17:54
elmikoif you are looking for developer related issues you can post to the openstack-dev mailing list with the subject "[security] <topic....>"17:54
elmikoalso, see for our public facing side17:54
elmikoand for our meetings, see
elmikothe wiki has some info too (it's linked on
elmikoalso, don't get me wrong about the openstack-security ML. there are conversations on that as well, it just mostly gets traffic from automated postings.17:57
VivekBut I am wondering why I am not getting a acknowledgement for my join request.17:59
elmikohuh, strange17:59
*** salv-orl_ has quit IRC18:07
*** browne has quit IRC18:13
*** browne has joined #openstack-security18:13
Vivekelmiko: I just got subscribed.18:17
*** jian5397 has quit IRC18:18
elmikoVivek: great!18:18
VivekBut, I have to leave now. It's late here in India.18:18
VivekBye for now.18:19
elmikotake care18:21
elmikosigmavirus24: ping18:24
sigmavirus24elmiko: pong18:24
elmikohey, i'm looking at a security bug and i want to do the backports to kilo/juno18:24
elmikohow do i add those branches as bugs on the original bug report?18:24
elmiko(in launchpad)18:24
sigmavirus24At the top where it says what project it affects with the status and severity, it should say (beneath that table) "Nominate to series"18:25
sigmavirus24I think you might need to be a member of the bug team for the project though18:25
elmikoahh, ok18:25
elmikoi should get them to nominate before i do the review, or does it matter?18:26
*** shelleea007 has quit IRC18:26
tmcpeakgood times :\ Bandit bug-
openstackLaunchpad bug 1467636 in Bandit "Incorrect line number in results" [High,New]18:38
sigmavirus24elmiko: so the nomination has to be accepted18:39
sigmavirus24elmiko: for what it's worth, I would do it, jeepyb can handle itself18:39
sigmavirus24tmcpeak: so that's something pep8 had a problem with a while back18:39
sigmavirus24I think there's a distinguishment in pep8 between "logical line" and "physical line" or something like that18:40
* sigmavirus24 goes to look18:40
elmikosigmavirus24: ok, thanks for the help, i just went ahead and made the reviews18:40
tmcpeaksigmavirus24: ahh, interesting18:40
sigmavirus24oh wait, that's right18:41
tmcpeaksigmavirus24: I think I'm going to dig in unless you've pre-computed the answer for this already18:41
sigmavirus24pep8 doesn't use the AST18:41
sigmavirus24tmcpeak: I haven't18:41
tmcpeakok cool18:41
sigmavirus24pep8 uses a tokenizer18:41
* tmcpeak cracks knuckles - debug time18:41
* sigmavirus24 's brain is scrambled lately18:42
sigmavirus24if you want another hard one:
tmcpeaksigmavirus24: that's fun18:53
sigmavirus24Further if you do foo(\n\t"string"),\n it works just fine18:54
sigmavirus24SUPER WEIRD18:54
* sigmavirus24 really wishes he was able to not need sleep18:54
elmikothat sounds like something out of an episode of the Twilight Zone18:57
* sigmavirus24 has lots of bugs he'd like to fix18:57
sigmavirus24elmiko: what does?18:58
elmiko"sigmavirus24: really wishes he was able to not need sleep"18:58
sigmavirus24Sorry, but sleep should be optional18:58
elmikomakes me think of a re-envisioning of the classic "Time Enough at Last" with Burgess Meredith, except instead of wanting to read books he finally has time to fix all the open source bugs... lol18:59
bknudsonsleep isn't needed, use events and callbacks instead.18:59
elmikobknudson: LOL18:59
*** salv-orlando has joined #openstack-security18:59
tmcpeakbknudson: +1 :)19:02
tmcpeakbknudson: we're going to have to find a way to automatically suggest updates to the Bandit profiles in projects19:03
tmcpeakI've got a new Parakmiko call plugin that might be useful19:03
tmcpeakwould be cool if we had some way to automatically make pull requests in the relevant projects or something19:03
bknudsonthe openstack proposal bot does it for requirements, so should be easy19:04
bknudsonwhy does it need to be automatic?19:04
tmcpeakcool, maybe I'll take a look at how they're doing it19:04
*** salv-orlando has quit IRC19:04
bknudsontmcpeak: here's an example script:
bknudsonI'd suggest writing the script yourself and then if it's working for you get it into -infra19:05
tmcpeakbknudson: cool yeah, sounds like a solid approach19:07
bknudsonwhat updates are needed?19:07
tmcpeakso we added this paramiko shell injection plugin19:07
bknudsonI've been meaning to go through the keystone one to see if it actually makes sense19:07
tmcpeakone sec, I'll get a link19:07
bknudsonthe way this works with pep8 is that all the projects eventually enable all the checks19:08
bknudsonthere's probably some projects that have never been updated with some checks.19:08
tmcpeakoh, pep8 you mean?19:09
tmcpeakwith Bandit I doubt it, I think you guys are our oldest customers19:09
bknudsony, there's probably a project out there that ignores some pep8 checks because they've been too lazy to update.19:09
tmcpeakhah, yeah, and some projects explicitly disabling some checks ;)19:09
bknudsona script to update all the bandit.yaml to add paramiko_injection would be pretty handy.19:10
tmcpeakfor sure, approach I was thinking was to have a list of projects, automatically clone them, add the new stuff based on templates, and then submit reviews19:11
bknudsonyou might even put it in stackforge/bandit/tools/19:11
tmcpeakyeah, it's a decent little chunk of work, but I think we'll need something like that19:12
tmcpeakbrowne was talking about something like this too19:12
bknudsonbrowne patched the keystone bandit.yaml since there was something wrong with a plugin name19:12
tmcpeakright, yeah I did see that19:13
bknudsonif somebody's using paramiko then your update will fail and you'll have to fix that.19:13
bknudsonusing paramiko incorrectly19:13
tmcpeakyeah, that's another question, at some point we discussed testing new plugins against projects automatically, and then reporting the findings19:15
tmcpeakto make sure we don't 0 day anybody19:15
tmcpeak"0 day"19:15
tmcpeakbut we never got there19:15
bknudsonyour script could go through an tox -e bandit every project, too19:15
bknudsonand only update if it passed.19:15
bknudsonnobody would be suspicious19:15
tmcpeaktrue… another question is how to determine what the project has named their profile19:16
bknudsonhackers are probably running bandit already19:16
tmcpeakyeah, I was never super concerned about the 0-day argument19:16
tmcpeakbut some people might feel that way19:16
bknudsonif somebody's not naming their profile bandit.yaml then change it19:16
tmcpeakthat's the config file, but I mean the actual profile name19:16
bknudsonmaybe we should have a standard name for the profile19:17
tmcpeakyeah, that's what I was thinking…  x_conserative and x_verbose19:17
tmcpeakwhere x is the name of your project?19:17
bknudsonwhy do we have conservative and verbose?19:18
tmcpeakthen we just document that if you want your project to have changes submitted automatically for it you should keep those names ;)19:18
bknudsonalso, don't need the x_, do we?19:18
tmcpeakyeah, probably not19:18
tmcpeakcertainly not19:18
tmcpeakthe idea behind conservative and verbose was that verbose would find more things, but projects that are in deeper could use conservative19:19
bknudsonI think we should tailor the bandit.yaml for the automatic runs.19:19
bknudsonif somebody wants to run it themselves for fun they can change bandit.yaml19:20
tmcpeakwell we can at least have profiles geared for that19:20
tmcpeakwe can actually have profiles for both19:20
tmcpeakcan live happily together inside the bandit.yaml file19:20
tmcpeakwe could just call the gate profile "gate"19:20
bknudsonI like that. descriptive.19:20
sigmavirus24why not "Hey Egon, here's your mucus"19:24
*** sicarie has quit IRC19:29
tmcpeaksigmavirus24: sounds like a solid second choice19:35
tmcpeakBandit seems to just mark the first line for a multiline string...19:36
sigmavirus24tmcpeak: link to that part of the code?19:36
tmcpeaksigmavirus24: well I just ran debugger and found the way context is getting passed, but basically this:19:37
tmcpeak'lineno': 7,19:38
tmcpeak'str': 'sudo innobackupex --stream=xbstream %(extra_opts)s /var/lib/mysql 2>/tmp/innobackupex.log'}19:38
tmcpeakfrom this:19:38
tmcpeakcmd = ('sudo innobackupex'19:38
tmcpeak               ' --stream=xbstream'19:38
tmcpeak               ' %(extra_opts)s'19:38
tmcpeak               ' /var/lib/mysql 2>/tmp/innobackupex.log'19:38
tmcpeak               )19:38
tmcpeakso AST seems to roll those up as if it was one super long string on the first line19:39
tmcpeaklol, well yeah, there's that19:39
tmcpeakbknudson: lol19:39
tmcpeakis that in production code you ask? well yes, it is19:39
tmcpeakI should probably check with ukbelch, he might have some ideas for how to handle this19:43
sigmavirus24that's what I was expecting19:45
sigmavirus24I'm going to see if pyflakes handles anything like this19:45
tmcpeaksigmavirus24: awesome, thanks19:45
tmcpeakI can think of some solutions, but none of them are great19:45
*** elo has joined #openstack-security19:52
sigmavirus24So I'm not seeing anything immediately jump out at me but I also can't think of a situation where pyflakes would issue a warning on a multiline expression19:52
tmcpeaksigmavirus24: yeah, multiline expressions are generally handled with ukbelch's statement buffer code, but the thing is that AST is actually collapsing each line of the string into one, so we don't even know it's happening19:53
tmcpeakto fix it we'd probably have to read the file and do some simple parse logic :\19:54
tmcpeakor find the next statement and walk backwards, strip the whitespace, and then report the line range19:54
sigmavirus24the AST would do the same with a multiline if too19:54
tmcpeakeither way is kind of jank19:54
tmcpeaksigmavirus24: yeah, you're right, it probably would19:54
sigmavirus24so reading ahead wouldn't be bad but that still wouldn't give us much except a range19:54
sigmavirus24i.e., the error is between [7, 11)19:55
tmcpeakI think the range is all we need19:55
tmcpeakoh, I see19:55
sigmavirus24in your specific example19:55
* sigmavirus24 wonders if we could tokenize the file and easily associate it with the parsed AST19:55
sigmavirus24tokenizing it would preserve multiline statements (which is why pep8 doesn't have this problem)19:55
tmcpeakyeah, it seems like we'll have to get something like that19:56
tmcpeakalso not an insignificant change19:57
sigmavirus24tokenize is at least stdlib19:57
tmcpeakseems like we should probably wait until we have something to address this before we push a new version though :\19:57
sigmavirus24I have an idea19:58
tmcpeakwhat's up?19:58
sigmavirus24So tokenize doesn't need to take the whole file19:58
sigmavirus24we could use the range idea and then tokenize those lines and figure out the offending line based on that19:59
tmcpeaksigmavirus24: ooh, yeah.. that sounds good19:59
sigmavirus24that should minimize the impact and we could avoid tokenization if it really is just a single line19:59
sigmavirus24*I think tokenize doesn't need to take the whole file19:59
tmcpeakI haven't used tokenize before, I'll go have a quick peek19:59
sigmavirus24tokenize.generate_tokens I think19:59
sigmavirus24Should return a generator19:59
tmcpeaksigmavirus24: yeah, looks like it could work with a range, anything that provides the readline interface is fair game20:02
sigmavirus24we could buffer that stuff into a StringIO or BytesIO (whichever is appropriate) and use that20:02
tmcpeakyeah, makes sense.  So is the idea to do this for every statement or just known problems?20:03
tmcpeakI guess every statement makes sense20:03
tmcpeakwe don't want to get into the if(edgecase1) elif (edgecase2) business20:04
*** edmondsw has quit IRC20:04
sigmavirus24I think we can simply do it if (next_lineno - current_lineno) > 120:06
sigmavirus24in other words, if it's a multiline statement20:06
tmcpeakalso yeah, we have to walk backwards from the next statement to get the proper line range20:06
sigmavirus24yeah that might not be ideal20:06
sigmavirus24we should experiment with it20:06
tmcpeakfairly big change regardless, you agree on holding up next Bandit version while we sort this?20:06
*** jian5397 has joined #openstack-security20:10
sigmavirus24So I guess my question is "What is Bandit's release ideology?"20:12
sigmavirus24Is it "release numbers are cheap, let's get good features to the users now and fix up bugs in a minor bug fix later next week" or is it "releases should be few and far between to ensure stability and adoption"?20:12
tmcpeakmy feeling is the latter, but consensus on this would be good20:13
tmcpeakchair6, browne: ^ thoughts?20:13
* sigmavirus24 has a proposal for a new check but he doesn't think it'll ever actually be used in openstack20:25
tmcpeaksigmavirus24: what you got?20:26
* sigmavirus24 forgot that urllib3 allows people to assert a specific hostname when doing certification validation for a connection20:27
sigmavirus24e.g., assert_hostname=''20:27
sigmavirus24pretty sure we never ever want people to do that20:27
sigmavirus24Basically "don't use the hostname from the request uri, use this one instead"20:27
*** jian5397 has quit IRC20:27
tmcpeaksorry, I'm confused :)20:28
sigmavirus24tmcpeak: so look at for example20:29
sigmavirus24That allows for fingerprint pinning20:30
sigmavirus24Something similar could be used for hostname pinning20:30
tmcpeakahh, so make sure that urllib is being called with the hostname to validate?20:30
sigmavirus24make sure it isn't20:31
tmcpeakwhat's wrong with it doing so?20:31
sigmavirus24consider setting up a MITM proxy that presents a certificate with a hostname of "" and registering a transport adapter such that every HTTPS request verifies it gets the certificate the hostname it's checking for is ""20:32
tmcpeakbut that only works if you aren't validating certificates, right?20:32
brownetmcpeak, bknudson: i used -ll on bandit command line to check for high and mediums in other projects rather than crating a 'conservative' and 'verbose' profile20:33
tmcpeakbrowne: ahh ok20:34
*** elo has quit IRC20:34
bknudsonbrowne: do you have an example?20:34
tmcpeaksigmavirus24: so I MITM and present a response for every request to, but I my response isn't signed with a certificate you trust, so hostname validation checks, but cert validation doesn't20:35
sigmavirus24tmcpeak: true20:36
brownecommands = bandit -c bandit.yaml -r cinder -n 5 -ll20:37
bknudsonthat has all sorts of profiles20:37
tmcpeakbrowne: does that work then? I think even some of the mediums need to be filtered out, like binding to
tmcpeakbknudson: but he's not using them..20:37
brownethat's the default bandit.yaml basically20:38
tmcpeakprojects I've seen bind to all over the place, if we have that enabled in a gate it's bad news bears20:38
brownei just wanted to gate on mediums and highs20:38
tmcpeakthat's a sensible approach20:38
brownewell, is controversial, guess # nosec could be used20:39
tmcpeakprofile is essentially mostly filtering out the lows anyway :)20:39
tmcpeakI believe there are some from blacklist call I removed also20:39
tmcpeakis it working for Cinder browne?20:40
brownei forgot to put the output on pastebin for cinder.  let me do that now20:40
brownei did for the nova patch however,
browneguess my plan was to introduce bandit to these projects, checking the medium and highs, then determine which ones the cores care about in the scan20:41
browneit would be non-voting to start anyway20:42
tmcpeakI think the problem with this approach though, is that we (Bandit) can't introduce any medium or high severity findings without potentially breaking gates20:42
brownewell, any new version of bandit has the possibility to do that since an existing check may get better or worse at finding problems20:43
Davieybandit jobs probably need 2 modes, gate and advisory20:43
Davieywith advisory non-voting... probably good for introucing new tasks20:43
tmcpeakbrowne: good point20:44
brownei like the gate vs. advisory.  are there any jobs like that today?20:44
tmcpeakDaviey: yeah… that would translate to voting/non-voting?20:44
tmcpeakyeah, makes sense20:44
DavieyThen as advisory is clean for a project, it gets added to the voting task20:45
tmcpeakDaviey: +1, this provides an encouragement to resolve issues20:45
brownewell, that would work for the most part20:45
*** salv-orlando has joined #openstack-security20:56
*** sdake_ has quit IRC20:56
*** timkennedy has quit IRC21:03
*** alex_klimov has joined #openstack-security21:17
*** jian5397 has joined #openstack-security21:26
*** dave-mccowan has quit IRC21:39
*** jian5397 has quit IRC21:40
*** localloop127 has quit IRC21:44
*** nkinder has quit IRC21:53
*** sigmavirus24 is now known as sigmavirus24_awa22:06
*** dave-mccowan has joined #openstack-security22:07
openstackgerritMichael McCune proposed openstack/security-doc: Add OSSN-0049
*** dave-mccowan has quit IRC22:31
tmcpeakbrowne: I'm just afraid without a profile, if we add any new medium or high severity test, we might break the Cinder gate22:41
*** salv-orlando has quit IRC22:42
browneok, i can create a profile of just the current medium/highs.22:43
tmcpeakbrowne: ok cool, I think I'd feel more comfortable with that22:46
tmcpeakbrowne: check out Brant's change, I'd like to standardize on an approach so when I implement code to suggest profile changes it's easy :)22:46
brownetmcpeak: sure. on bknudson's patch i wasn't sure why some checks are excluded in the keystone case22:48
bknudsonbrowne: there's probably a way to add some docs to the yaml to say why checks are excluded.22:49
*** alex_klimov has quit IRC22:51
brownebknudson: did you use #nosec anywhere?22:51
bknudsonbrowne: not in keystone22:51
bknudsonbut then I would have excluded any test that required me adding #nosec.22:51
browneis there any noticeable performance difference when excluding some tests?22:53
bknudsonbrowne: I didn't notice any22:53
brownetmcpeak: not sure we can standardize on the profile for all projects.22:54
brownefor example, execute_with_run_as_root_equals_true might be useful for nova, but useless for keystone22:54
bknudsonkeystone has no use for that since we don't rootwrap22:55
browneand if every project excluded a check, then i wonder the usefulness of the check22:55
brownebut i guess we could provide a variety of profiles in the default yaml that matches most of the projects22:56
brownethen each project can select the profile to check in their tox.ini22:57
*** singleth_ has quit IRC23:15
*** markvoelker has quit IRC23:16
tmcpeakbrowne: no, I don't think we need to standardize on one profile, just a format23:18
tmcpeaklike if the profile name is the same23:18
tmcpeakand, for example, alphabetized checks23:18
bknudsonhere's another yikes:
brownebknudson: ha, yep, saw that earlier.  ugh23:19
browneit would be nice if bandit could run like flake8, so that profiles weren't necessary.  just configure in tox an inclusive list of checks to use23:25
bknudsonflake8 doesn't have configurable checkers23:27
browneappears to have ways to exclude at least23:28
browneor ignore i should say23:28
bknudsony, you can exclude specific tests23:28
bknudsonyou set ignore = H405 in your flake8.23:28
bknudsonI mean in the tox.ini23:29
bknudsonof course you can have a whole list of ignores23:29
bknudsonbut that's also what requires us to pin flake823:30
*** nkinder has joined #openstack-security23:42
*** sigmavirus24_awa is now known as sigmavirus2423:48
sigmavirus24bknudson: actually you can select only the checks you want to run23:49
sigmavirus24flake8 --select=E1 will take all E1xx checks and run them23:50
sigmavirus24you can also do flake8 --select=E1 --ignore=E12323:50
*** sigmavirus24 is now known as sigmavirus24_awa23:51
openstackgerritStanislaw Pitucha proposed stackforge/anchor: Update documentation
*** dave-mccowan has joined #openstack-security23:56

Generated by 2.14.0 by Marius Gedminas - find it at!