From d4c213d678afc8c26b5f67e3292a062a7a649ba6 Mon Sep 17 00:00:00 2001
From: Brendan Reilly
Date: Jul 21 2022 13:09:12 +0000
Subject: Resolve issues reported by bandit
---
diff --git a/module_build_service/builder/KojiContentGenerator.py b/module_build_service/builder/KojiContentGenerator.py
index f7a8a27..39ece97 100644
--- a/module_build_service/builder/KojiContentGenerator.py
+++ b/module_build_service/builder/KojiContentGenerator.py
@@ -160,7 +160,8 @@ class KojiContentGenerator(object):
 fmt = sep.join(["%%{%s}" % tag for tag in tags])
 cmd = "/bin/rpm -qa --qf '{0}\n'".format(fmt)
 with open("/dev/null", "r+") as devnull:
- p = subprocess.Popen(
+ # subprocess call does not take user input, thus risk is low
+ p = subprocess.Popen( # nosec
 cmd, shell=True, stdin=devnull, stdout=subprocess.PIPE, stderr=devnull)
 (stdout, stderr) = p.communicate()
@@ -361,7 +362,7 @@ class KojiContentGenerator(object):
 mmd = load_mmd(data)
 ret["filename"] = mmd_filename
 ret["filesize"] = len(raw_data)
- ret["checksum"] = hashlib.md5(raw_data).hexdigest()
+ ret["checksum"] = hashlib.md5(raw_data, usedforsecurity=False).hexdigest()
 except IOError:
 if arch == "src":
 # This might happen in case the Module is submitted directly
@@ -403,7 +404,7 @@ class KojiContentGenerator(object):
 try:
 log_path = os.path.join(output_path, "build.log")
 with open(log_path, "rb") as build_log:
- checksum = hashlib.md5(build_log.read()).hexdigest()
+ checksum = hashlib.md5(build_log.read(), usedforsecurity=False).hexdigest()
 stat = os.stat(log_path)
 ret.append(
 {
diff --git a/module_build_service/builder/KojiModuleBuilder.py b/module_build_service/builder/KojiModuleBuilder.py
index 504fb65..2db0fe5 100644
--- a/module_build_service/builder/KojiModuleBuilder.py
+++ b/module_build_service/builder/KojiModuleBuilder.py
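Review bot: The `# nosec` on the new Popen line suppresses the finding instead of removing the shell; the only variable part of `cmd` is `fmt`, so the command can be passed as an argument list and `shell=True` dropped, which also takes the single-quoting inside the format string out of the picture: `cmd = ["/bin/rpm", "-qa", "--qf", fmt + "\n"]` and `p = subprocess.Popen(cmd, stdin=devnull, stdout=subprocess.PIPE, stderr=devnull)`. Where `tags` comes from is not visible in the hunk, so the added comment's "does not take user input" claim should name the source of the tags so the suppression can be audited later. Separately, stderr is redirected to devnull, so the `stderr` value returned by `communicate()` on the last context line is always None; a short comment there, `# stderr is discarded above; only stdout carries data`, would save the next reader a check. The enclosing method starts before the hunk.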
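Review bot: `usedforsecurity=False` on the new md5 line (and likewise at the 403 hunk below, the KojiModuleBuilder, utils and models hunks, and the four migrations) is accepted by upstream CPython only from 3.9; on an older interpreter without a downstream backport of that keyword the call raises TypeError at run time, and only on the code paths that actually hash, so a test run that skips those paths will not notice. If any such interpreter is still a supported target, a single module-level wrapper that probes the keyword once, e.g. `try: hashlib.md5(b"", usedforsecurity=False)` / `except TypeError: _md5 = hashlib.md5` with the keyword-passing variant in the success branch, keeps one call site per algorithm instead of eleven. The flag itself is the right fix where a FIPS-mode OpenSSL refuses md5 without it, and it records that these digests are identifiers rather than integrity checks; the two md5 lines in this file would read better with that stated, e.g. `# content identifier only, not an integrity check`.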
@@ -414,7 +414,8 @@ class KojiModuleBuilder(GenericBuilder):
 if len(nsvc_tag) + len("-build") > max_length:
 # Fallback to the old format of 'module-' if the generated koji tag
 # name is longer than max_length
- nsvc_hash = hashlib.sha1(".".join(nsvc_list).encode("utf-8")).hexdigest()[:16]
+ nsvc_hash = hashlib.sha1(".".join(nsvc_list).encode("utf-8"),
+ usedforsecurity=False).hexdigest()[:16]
 return prefix + nsvc_hash + suffix
 return nsvc_tag
diff --git a/module_build_service/builder/MockModuleBuilder.py b/module_build_service/builder/MockModuleBuilder.py
index df9a1b8..0cf5a1d 100644
--- a/module_build_service/builder/MockModuleBuilder.py
+++ b/module_build_service/builder/MockModuleBuilder.py
@@ -459,7 +459,9 @@ class MockModuleBuilder(GenericBuilder):
 config_opts = {}
 code = compile(f.read(), infile, "exec") # pylint: disable=exec-used
- exec(code)
+ # exec is not being called with user input
+ # only used for local builds, never on the server
+ exec(code) # nosec
 self.groups = config_opts["chroot_setup_cmd"].split(" ")[1:]
 self.yum_conf = config_opts["yum.conf"]
diff --git a/module_build_service/builder/utils.py b/module_build_service/builder/utils.py
index 78420ea..1e06071 100644
--- a/module_build_service/builder/utils.py
+++ b/module_build_service/builder/utils.py
@@ -190,7 +190,7 @@ def get_rpm_release(db_session, module_build):
 str(module_build.version),
 str(module_build.context),
 ]).encode("utf-8")
- dist_hash = hashlib.sha1(dist_str).hexdigest()[:8]
+ dist_hash = hashlib.sha1(dist_str, usedforsecurity=False).hexdigest()[:8]
 # We need to share the same auto-incrementing index in dist tag between all MSE builds.
 # We can achieve that by using the lowest build ID of all the MSE siblings including
diff --git a/module_build_service/common/config.py b/module_build_service/common/config.py
index e317384..6f3ce62 100644
--- a/module_build_service/common/config.py
+++ b/module_build_service/common/config.py
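Review bot: `exec(code)  # nosec` still runs the mock config in the method's own namespace, so the config file sees and can rebind every name visible there; since the only value the following lines read back is `config_opts`, passing an explicit namespace narrows the surface to what the config is expected to touch: `exec(code, {"config_opts": config_opts})`. If the mock configs in use reference other names (helpers the real mock tool provides, for instance), those would need adding to that dict, which cannot be judged from the hunk. The added comment's claim that this path is never reached on the server is not enforced by anything visible here; naming the code path that confines it to local builds would make the suppression auditable. The enclosing method starts before the hunk.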
@@ -35,7 +35,7 @@ class BaseConfiguration(object):
 os.getcwd(), "module_build_service.db"))
 SQLALCHEMY_TRACK_MODIFICATIONS = True
 # Where we should run when running "manage.py run" directly.
- HOST = "0.0.0.0"
+ HOST = None # Flask will default to 127.0.0.1
 PORT = 5000
diff --git a/module_build_service/common/models.py b/module_build_service/common/models.py
index ae1e491..ac0901e 100644
--- a/module_build_service/common/models.py
+++ b/module_build_service/common/models.py
@@ -548,7 +548,7 @@ class ModuleBuild(MBSBase):
 if dep not in deps_to_filter
 }
 property_json = json.dumps(OrderedDict(sorted(mmd_formatted_buildrequires.items())))
- return hashlib.sha1(property_json.encode("utf-8")).hexdigest()
+ return hashlib.sha1(property_json.encode("utf-8"), usedforsecurity=False).hexdigest()
 @staticmethod
 def calculate_runtime_context(mmd_dependencies):
@@ -567,7 +567,7 @@ class ModuleBuild(MBSBase):
 # Sort the streams for each module name and also sort the module names.
 mmd_requires = {dep: sorted(list(streams)) for dep, streams in mmd_requires.items()}
 property_json = json.dumps(OrderedDict(sorted(mmd_requires.items())))
- return hashlib.sha1(property_json.encode("utf-8")).hexdigest()
+ return hashlib.sha1(property_json.encode("utf-8"), usedforsecurity=False).hexdigest()
 @staticmethod
 def calculate_module_context(build_context, runtime_context):
@@ -581,7 +581,7 @@ class ModuleBuild(MBSBase):
 :return: module context hash
 """
 combined_hashes = "{0}:{1}".format(build_context, runtime_context)
- return hashlib.sha1(combined_hashes.encode("utf-8")).hexdigest()[:8]
+ return hashlib.sha1(combined_hashes.encode("utf-8"), usedforsecurity=False).hexdigest()[:8]
 def siblings(self, db_session):
 query = db_session.query(ModuleBuild).filter(
diff --git a/module_build_service/manage.py b/module_build_service/manage.py
index 5882d79..06c35d0 100755
--- a/module_build_service/manage.py
+++ b/module_build_service/manage.py
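Review bot: Changing the `HOST` default from `"0.0.0.0"` to `None` silently alters where an existing `manage.py run` setup listens; anyone who relied on the old default now gets loopback only and must set HOST explicitly, so the change deserves a release-note entry in addition to the inline comment. The comment could also say which server it applies to and how to override it, e.g. `HOST = None  # Flask dev server falls back to 127.0.0.1; set explicitly to expose it`. How `conf.host` is derived from this class attribute is outside the hunk, so whether a None value passes any config-side type validation should be confirmed.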
@@ -291,7 +291,7 @@ def retire(identifier, confirm=False):
 @console_script_help
 @manager.command
 def run(host=None, port=None, debug=None):
- """ Runs the Flask app, locally.
+ """ Runs the Flask app, locally. Intended for dev instances, should not be used for production.
 """
 host = host or conf.host
 port = port or conf.port
diff --git a/module_build_service/migrations/versions/708ac8950f55_set_from_mmd_context.py b/module_build_service/migrations/versions/708ac8950f55_set_from_mmd_context.py
index 0d80965..39ab338 100644
--- a/module_build_service/migrations/versions/708ac8950f55_set_from_mmd_context.py
+++ b/module_build_service/migrations/versions/708ac8950f55_set_from_mmd_context.py
@@ -58,6 +58,6 @@ def downgrade():
 if build.build_context and build.runtime_context:
 combined_hashes = '{0}:{1}'.format(
 build.build_context, build.runtime_context).encode('utf-8')
- context = hashlib.sha1(combined_hashes).hexdigest()[:8]
+ context = hashlib.sha1(combined_hashes, usedforsecurity=False).hexdigest()[:8]
 connection.execute(
 modulebuild.update().where(modulebuild.c.id == build.id).values(context=context))
diff --git a/module_build_service/migrations/versions/9ca1c166f426_contexts.py b/module_build_service/migrations/versions/9ca1c166f426_contexts.py
index 7d30348..82e8dd7 100644
--- a/module_build_service/migrations/versions/9ca1c166f426_contexts.py
+++ b/module_build_service/migrations/versions/9ca1c166f426_contexts.py
@@ -60,7 +60,7 @@ def upgrade():
 mmd_formatted_property = {
 dep: info['ref'] for dep, info in mbs_xmd[xmd_name].items()}
 property_json = json.dumps(OrderedDict(sorted(mmd_formatted_property.items())))
- contexts[xmd_name] = hashlib.sha1(property_json).hexdigest()
+ contexts[xmd_name] = hashlib.sha1(property_json, usedforsecurity=False).hexdigest()
 # Update the database now
 if len(contexts) == 2:
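Review bot: The rewritten docstring of `run` packs the summary and the caveat onto one line, which is longer than the surrounding lines and loses the PEP 257 shape of a short summary, a blank line, then details; splitting it keeps the summary usable by help output: `""" Runs the Flask app, locally.` / (blank line) / `Intended for dev instances; do not use in production.` / `"""`. Since `debug` is a parameter of this command and presumably reaches the Flask dev server, the caveat would be stronger if it said why: the debug mode must never be reachable from anything but the local host. The function body continues past the hunk.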
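Review bot: In the new line `contexts[xmd_name] = hashlib.sha1(property_json, usedforsecurity=False).hexdigest()` the first argument is the `str` produced by `json.dumps` on the line above, which `hashlib.sha1` rejects on Python 3 (it requires bytes); the caeae7a4f537 hunk has the same shape. Before this commit that line could only have worked on Python 2, where `json.dumps` yields a byte string, but Python 2's hashlib has no `usedforsecurity` keyword, so after the commit the line cannot run on either interpreter. The other two migration hunks (708ac8950f55 and c8e2fc555399) call `.encode('utf-8')` first and are unaffected. Either encode here as well, `hashlib.sha1(property_json.encode('utf-8'), usedforsecurity=False)`, matching models.py, or leave these historical migrations untouched if they are never re-run.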
diff --git a/module_build_service/migrations/versions/c8e2fc555399_add_modulebuild_context.py b/module_build_service/migrations/versions/c8e2fc555399_add_modulebuild_context.py
index a66f258..0a05869 100644
--- a/module_build_service/migrations/versions/c8e2fc555399_add_modulebuild_context.py
+++ b/module_build_service/migrations/versions/c8e2fc555399_add_modulebuild_context.py
@@ -36,7 +36,7 @@ def upgrade():
 if build.build_context and build.runtime_context:
 combined_hashes = '{0}:{1}'.format(
 build.build_context, build.runtime_context).encode('utf-8')
- context = hashlib.sha1(combined_hashes).hexdigest()[:8]
+ context = hashlib.sha1(combined_hashes, usedforsecurity=False).hexdigest()[:8]
 connection.execute(
 modulebuild.update().where(modulebuild.c.id == build.id).values(
 context=context))
diff --git a/module_build_service/migrations/versions/caeae7a4f537_ref_build_context.py b/module_build_service/migrations/versions/caeae7a4f537_ref_build_context.py
index ffc2e25..ad8250d 100644
--- a/module_build_service/migrations/versions/caeae7a4f537_ref_build_context.py
+++ b/module_build_service/migrations/versions/caeae7a4f537_ref_build_context.py
@@ -62,7 +62,7 @@ def upgrade():
 mmd_formatted_buildrequires = {
 dep: info['stream'] for dep, info in mbs_xmd["buildrequires"].items()}
 property_json = json.dumps(OrderedDict(sorted(mmd_formatted_buildrequires.items())))
- context = hashlib.sha1(property_json).hexdigest()
+ context = hashlib.sha1(property_json, usedforsecurity=False).hexdigest()
 # Update the database now
 connection.execute(