Cleanups for bandit

Set bandit to ignore use of md5.

Treat schema from database as trusted to eval. We wrote it based on
the schema.py file.

Replace some bare except: with a proper exception.

mode 775 for index directory is correct. Allows indices to be written
by email and web interfaces that run as different users but can have
the roundup group in common.

Author: rouilj

roundup/backends/back_anydbm.py

@@ -2217,7 +2217,7 @@ def get(self, nodeid, propname, default=_marker, cache=1):
                 # calculation of the object.
                 return ('%s%s is not text, retrieve using '
                         'binary_content property. mdsum: %s')%(self.classname,
-                   nodeid, md5(self.db.getfile(self.classname, nodeid, None)).hexdigest())
+                   nodeid, md5(self.db.getfile(self.classname, nodeid, None)).hexdigest())  # nosec - bandit md5 use ok
         elif propname == 'binary_content':
             return self.db.getfile(self.classname, nodeid, None)
 

roundup/backends/back_mysql.py

@@ -65,7 +65,7 @@ def db_nuke(config):
         conn = MySQLdb.connect(**kwargs)
         try:
             conn.select_db(config.RDBMS_NAME)
-        except:
+        except MySQLdb.Error:
             # no, it doesn't exist
             pass
         else:
@@ -203,7 +203,8 @@ def load_dbschema(self):
         self.cursor.execute('select `schema` from `schema`')
         schema = self.cursor.fetchone()
         if schema:
-            self.database_schema = eval(schema[0])
+            # bandit - schema is trusted
+            self.database_schema = eval(schema[0])  # nosec
         else:
             self.database_schema = {}
 

roundup/backends/blobfiles.py

@@ -282,7 +282,7 @@ def filename(self, classname, nodeid, property=None, create=0):
             try:
                 # Clean up, by performing the commit now.
                 os.rename(tempfile, filename)
-            except:
+            except OSError:
                 pass
             # If two Roundup clients both try to rename the file
             # at the same time, only one of them will succeed.

roundup/backends/indexer_dbm.py

@@ -62,7 +62,7 @@ def force_reindex(self):
         if os.path.exists(self.indexdb_path):
             shutil.rmtree(self.indexdb_path)
         os.makedirs(self.indexdb_path)
-        os.chmod(self.indexdb_path, 0o775)
+        os.chmod(self.indexdb_path, 0o775)  # nosec - allow group write
         open(os.path.join(self.indexdb_path, 'version'), 'w').write('1\n')
         self.reindex = 1
         self.changed = 1

roundup/backends/rdbms_common.py

@@ -80,7 +80,7 @@ def _num_cvt(num):
     num = str(num)
     try:
         return int(num)
-    except:
+    except ValueError:
         return float(num)
 
 def _bool_cvt(value):
@@ -273,7 +273,8 @@ def load_dbschema(self):
         self.cursor.execute('select schema from schema')
         schema = self.cursor.fetchone()
         if schema:
-            self.database_schema = eval(schema[0])
+            # bandit - schema is trusted
+            self.database_schema = eval(schema[0])  # nosec
         else:
             self.database_schema = {}
 
@@ -672,7 +673,7 @@ def add_class_key_required_unique_constraint(self, cn, key):
             on _%s(__retired__, _%s)'''%(cn, cn, key)
         try:
             self.sql(sql)
-        except Exception:
+        except Exception:  # nosec
             # XXX catch e.g.:
             # _sqlite.DatabaseError: index _status_key_retired_idx already exists
             pass
@@ -3117,7 +3118,7 @@ def get(self, nodeid, propname, default=_marker, cache=1):
                 # calculation of the object.
                 return ('%s%s is not text, retrieve using '
                         'binary_content property. mdsum: %s')%(self.classname,
-                   nodeid, md5(self.db.getfile(self.classname, nodeid, None)).hexdigest())
+                   nodeid, md5(self.db.getfile(self.classname, nodeid, None)).hexdigest())  # nosec - bandit md5 use ok
         elif propname == 'binary_content':
             return self.db.getfile(self.classname, nodeid, None)