semgrep config and mitigation

carl-adams-planet · carl-adams-planet · commit aaab53cad77c · 2024-12-09T11:13:12.000-08:00
diff --git a/noxfile.py b/noxfile.py
@@ -23,8 +23,8 @@ def pytest(session):
 @nox.session(python=_DEFAULT_PYTHON)
 def semgrep_src(session):
     session.install("-e", ".[tests]")
-    # session.run("semgrep", "scan", "--strict", "--verbose", "--junit-xml", "--junit-xml-output=semgrep-src.xml", "src")
-    session.run("semgrep", "scan", "--strict", "--verbose", "src")
+    # session.run("semgrep", "scan", "--strict", "--verbose", "--error", "--junit-xml", "--junit-xml-output=semgrep-src.xml", "src")
+    session.run("semgrep", "scan", "--strict", "--verbose", "--error", "src")
 
 
 @nox.session(name="black-lint", python=_DEFAULT_PYTHON)
diff --git a/src/planet_auth/oidc/api_clients/authorization_api_client.py b/src/planet_auth/oidc/api_clients/authorization_api_client.py
@@ -14,7 +14,7 @@
 
 import getpass
 import http.server
-import importlib.resources as pkg_resources
+import importlib.resources as pkg_resources  # nosemgrep
 
 from http import HTTPStatus
 from urllib.parse import urlparse, parse_qs, urlencode
diff --git a/src/planet_auth/oidc/multi_validator.py b/src/planet_auth/oidc/multi_validator.py
@@ -225,7 +225,7 @@ def _check_access_token(
     def _select_validator(self, token) -> Auth:
         # WARNING: Treat unverified token claims like toxic waste.
         #          Nothing can be trusted until the token is verified.
-        unverified_decoded_token = jwt.decode(token, options={"verify_signature": False})
+        unverified_decoded_token = jwt.decode(token, options={"verify_signature": False})  # nosemgrep
         issuer = unverified_decoded_token.get("iss")
         if not issuer:
             # PyJWT does not seem to raise if the issuer is explicitly None, even when
diff --git a/src/planet_auth/oidc/request_authenticator.py b/src/planet_auth/oidc/request_authenticator.py
@@ -64,7 +64,7 @@ def _load(self):
             self._credential.load()
 
         access_token_str = self._credential.access_token()
-        unverified_decoded_atoken = jwt.decode(access_token_str, options={"verify_signature": False})
+        unverified_decoded_atoken = jwt.decode(access_token_str, options={"verify_signature": False})  # nosemgrep
         iat = unverified_decoded_atoken.get("iat") or 0
         exp = unverified_decoded_atoken.get("exp") or 0
         # refresh at the 3/4 life
diff --git a/src/planet_auth/planet_legacy/auth_client.py b/src/planet_auth/planet_legacy/auth_client.py
@@ -149,7 +149,7 @@ def _parse_json_response(response, json_response):
 
         # The token is signed with a symmetric key.  The client does not
         # possess this key, and cannot verify the JWT.
-        decoded_jwt = jwt.decode(token_jwt, options={"verify_signature": False})
+        decoded_jwt = jwt.decode(token_jwt, options={"verify_signature": False})  # nosemgrep
         api_key = decoded_jwt.get("api_key")
         if not api_key:
             raise PlanetLegacyAuthClientException(
diff --git a/src/planet_auth_utils/builtins.py b/src/planet_auth_utils/builtins.py
@@ -63,6 +63,10 @@ def _load_builtins_worker(builtin_provider_fq_class_name, log_warning=False):
 
 def _load_builtins() -> BuiltinConfigurationProviderInterface:
     # Highest priority : injected
+    # WARNING: This environment variable is highly sensitive.
+    #     Undermining it can undermine client or service security.
+    #     It is a convenience for seamless developer experience, but maybe
+    #     we should not be so eager to please.
     builtin_provider = _load_builtins_worker(os.getenv(EnvironmentVariables.AUTH_BUILTIN_PROVIDER))
     if builtin_provider:
         return builtin_provider
