Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[DPE-5324] Increase ruff rules #405

Merged
merged 8 commits into from
Oct 15, 2024
Merged

[DPE-5324] Increase ruff rules #405

merged 8 commits into from
Oct 15, 2024

Conversation

dragomirp
Copy link
Contributor

@dragomirp dragomirp commented Sep 2, 2024
edited
Loading

Add more linting rules and change and suppress the reported issues. Added rules are:

@codecov Codecov
Copy link

codecov bot commented Sep 2, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 81.81818% with 8 lines in your changes missing coverage. Please review.

Project coverage is 71.64%. Comparing base (951040c) to head (4d58e16).
Report is 1 commits behind head on main.

Files with missing lines Patch % Lines
src/charm.py 87.50% 2 Missing and 1 partial ⚠️
src/relations/db.py 0.00% 2 Missing and 1 partial ⚠️
src/relations/pgbouncer_provider.py 0.00% 0 Missing and 1 partial ⚠️
src/upgrade.py 80.00% 1 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main     #405      +/-   ##
==========================================
+ Coverage   71.35%   71.64%   +0.29%     
==========================================
  Files           9        9              
  Lines        1323     1319       -4     
  Branches      247      245       -2     
==========================================
+ Hits          944      945       +1     
+ Misses        296      292       -4     
+ Partials       83       82       -1

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

github-advanced-security[bot]
github-advanced-security bot found potential problems Sep 4, 2024
View reviewed changes
lib/charms/pgbouncer_k8s/v0/pgb.py
@@ -87,5 +87,6 @@

def get_hashed_password(username: str, password: str) -> str:
"""Creates an md5 hashed password for the given user, in the format postgresql expects."""
hash_password = md5((password + username).encode()).hexdigest()
# Should be handled in DPE-1430
hash_password = md5((password + username).encode()).hexdigest() # noqa: S324

Check failure

Code scanning / CodeQL

Use of a broken or weak cryptographic hashing algorithm on sensitive data High

Sensitive data (password)
Loading
is used in a hashing algorithm (MD5) that is insecure for password hashing, since it is not a computationally expensive hash function.
Sensitive data (id)
Loading
is used in a hashing algorithm (MD5) that is insecure.

Copilot Autofix AI 3 months ago

To fix the problem, we should replace the MD5 hashing algorithm with a stronger, modern cryptographic hash function. For password hashing, it is recommended to use algorithms like Argon2, bcrypt, or PBKDF2, which are designed to be computationally expensive and include a salt to protect against brute-force attacks.

The best way to fix this without changing existing functionality is to use the argon2-cffi library to hash the password. This library provides a secure and efficient way to hash passwords.

Steps to fix:

  1. Install the argon2-cffi library if it is not already installed.
  2. Import the PasswordHasher class from the argon2 module.
  3. Replace the MD5 hashing logic with the PasswordHasher class to hash the password.
Suggested changeset 2
lib/charms/pgbouncer_k8s/v0/pgb.py

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/lib/charms/pgbouncer_k8s/v0/pgb.py b/lib/charms/pgbouncer_k8s/v0/pgb.py
--- a/lib/charms/pgbouncer_k8s/v0/pgb.py
+++ b/lib/charms/pgbouncer_k8s/v0/pgb.py
@@ -25,3 +25,3 @@
 import string
-from hashlib import md5
+from argon2 import PasswordHasher
 from typing import Dict
@@ -88,5 +88,5 @@
 def get_hashed_password(username: str, password: str) -> str:
-    """Creates an md5 hashed password for the given user, in the format postgresql expects."""
-    # Should be handled in DPE-1430
-    hash_password = md5((password + username).encode()).hexdigest()  # noqa: S324
-    return f"md5{hash_password}"
+    """Creates a hashed password for the given user using Argon2."""
+    ph = PasswordHasher()
+    hash_password = ph.hash(password + username)
+    return hash_password
EOF
@@ -25,3 +25,3 @@
import string
from hashlib import md5
from argon2 import PasswordHasher
from typing import Dict
@@ -88,5 +88,5 @@
def get_hashed_password(username: str, password: str) -> str:
"""Creates an md5 hashed password for the given user, in the format postgresql expects."""
# Should be handled in DPE-1430
hash_password = md5((password + username).encode()).hexdigest() # noqa: S324
return f"md5{hash_password}"
"""Creates a hashed password for the given user using Argon2."""
ph = PasswordHasher()
hash_password = ph.hash(password + username)
return hash_password
pyproject.toml
Outside changed files

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/pyproject.toml b/pyproject.toml
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -7,2 +7,3 @@
 [tool.poetry.dependencies]
+argon2-cffi = "23.1.0"
 python = "^3.10"
EOF
@@ -7,2 +7,3 @@
[tool.poetry.dependencies]
argon2-cffi = "23.1.0"
python = "^3.10"
This fix introduces these dependencies
Package Version Security advisories
argon2-cffi (pypi) 23.1.0 None
Copilot is powered by AI and may make mistakes. Always verify output.
Positive Feedback
Negative Feedback

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Please select one or more of the options
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If only it were that easy.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

so funny how it intentionally removes the in the format postgresql expects part

dragomirp
dragomirp commented Oct 14, 2024
View reviewed changes
src/constants.py
Comment on lines +32 to +36
# Labels are not confidential
SECRET_LABEL = "secret" # noqa: S105
MONITORING_PASSWORD_KEY = "monitoring_password" # noqa: S105
SECRET_INTERNAL_LABEL = "internal-secret" # noqa: S105
SECRET_DELETED_LABEL = "None" # noqa: S105
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Security checks will inevitably produce some false positives, so we will have to noqa them. I propose adding a comment on top of noqa blocks, so that we explain why the check is disabled.

dragomirp
dragomirp commented Oct 14, 2024
View reviewed changes
pyproject.toml
@@ -5,7 +5,7 @@
package-mode = false

[tool.poetry.dependencies]
python = "^3.8.10"
python = "^3.10"
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

K8s charm is only running on jammy, so bump the version to be able to update coverage: #440

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It the lib/code sharing will not be the problem: ACK.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a charm specific dependency, so it shouldn't affect the lib. I think all the linting so far should be 3.8 compatible.

dragomirp
dragomirp commented Oct 14, 2024
View reviewed changes
pyproject.toml

[tool.ruff.lint.flake8-copyright]
# Check for properly formatted copyright header in each file
author = "Canonical Ltd."
notice-rgx = "Copyright\\s\\d{4}([-,]\\d{4})*\\s+"
min-file-size = 1
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Don't expect a copyright header for empty files.

@dragomirp dragomirp changed the title [TEST] Increase ruff rules [DPE-5324] Increase ruff rules Oct 14, 2024
@dragomirp dragomirp marked this pull request as ready for review October 14, 2024 10:53
@dragomirp dragomirp requested review from a team, taurus-forever, marceloneppel and lucasgameiroborges and removed request for a team October 14, 2024 10:54
lucasgameiroborges
lucasgameiroborges approved these changes Oct 14, 2024
View reviewed changes
Copy link
Member

@lucasgameiroborges lucasgameiroborges left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice :)

taurus-forever
taurus-forever approved these changes Oct 15, 2024
View reviewed changes
Copy link
Contributor

@taurus-forever taurus-forever left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank YOU for pushing us forward!

@dragomirp dragomirp merged commit 1a2d87e into main Oct 15, 2024
55 of 56 checks passed
@dragomirp dragomirp deleted the ruff branch October 15, 2024 23:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lucasgameiroborges lucasgameiroborges lucasgameiroborges approved these changes

@marceloneppel marceloneppel marceloneppel approved these changes

@taurus-forever taurus-forever taurus-forever approved these changes

Assignees
No one assigned
Labels
Libraries: Out of sync
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@dragomirp @taurus-forever @marceloneppel @lucasgameiroborges