Add Bandit to CircleCI (#1907)

Related tiny-pilot/tinypilot-pro#1594

This PR updates `ruff`, [migrates our ruff config to the newer
format](https://docs.astral.sh/ruff/editors/migration/#migrating-from-ruff-lsp),
enables [ruff's `flake8-bandit`
rules](https://docs.astral.sh/ruff/rules/#flake8-bandit-s), and
addresses the [Bandit security warnings
raised](https://app.circleci.com/pipelines/github/tiny-pilot/tinypilot/4829/workflows/5ef2a71e-986a-4dd2-b2e3-8b440caa47f0/jobs/36695?invite=true#step-103-14222_64),
namely:
- [suspicious-url-open-usage
(S310)](https://docs.astral.sh/ruff/rules/suspicious-url-open-usage/#suspicious-url-open-usage-s310)
- [subprocess-without-shell-equals-true
(S603)](https://docs.astral.sh/ruff/rules/subprocess-without-shell-equals-true/#subprocess-without-shell-equals-true-s603)
- [start-process-with-partial-path
(S607)](https://docs.astral.sh/ruff/rules/start-process-with-partial-path/#start-process-with-partial-path-s607)

A note on [how Bandit
works](PyCQA/bandit#333 (comment)):
> Unfortunately bandit isn't a code-flow analysis tool so it can't
reason about what `args` is. It just flags a warning. You manually check
the warning and decide to either add `# nosec` at the end of the line or
to turn off this B603 test if you find it unhelpful.

<a data-ca-tag
href="https://codeapprove.com/pr/tiny-pilot/tinypilot/1907"><img
src="https://codeapprove.com/external/github-tag-allbg.png" alt="Review
on CodeApprove" /></a>

Author: jdeanwallace

.ruff.toml

@@ -1,10 +1,15 @@
 src = ["app"]
 
+# Assume Python 3.9.
+target-version = "py39"
+
+[lint]
 select = [
   "D", # Enable pydocstyle rules.
   "F", # Enable pyflakes rules.
   "I", # Enable isort rules.
   "Q", # Enable flake8-quotes rules.
+  "S", # Enable flake8-bandit rules.
   ]
 ignore = [
   # Disable rules that require everything to have a docstring.
@@ -26,10 +31,7 @@ exclude = [
     "venv",
 ]
 
-# Assume Python 3.9
-target-version = "py39"
-
-[flake8-quotes]
+[lint.flake8-quotes]
 # Use consistent quotes regardless of whether it allows us to minimize escape
 # sequences.
 avoid-escape = false
@@ -38,9 +40,9 @@ docstring-quotes = "double"
 inline-quotes = "single"
 multiline-quotes = "double"
 
-[isort]
+[lint.isort]
 force-single-line = true
 force-to-top = ["log"]
 
-[pydocstyle]
+[lint.pydocstyle]
 convention = "google"

app/debug_logs.py

@@ -18,7 +18,8 @@ def collect():
     """
     try:
         return subprocess.check_output([
-            'sudo', '/opt/tinypilot-privileged/scripts/collect-debug-logs', '-q'
+            '/usr/bin/sudo',
+            '/opt/tinypilot-privileged/scripts/collect-debug-logs', '-q'
         ])
     except subprocess.CalledProcessError as e:
         raise LogCollectionScriptFailedError(str(e)) from e

app/hostname.py

@@ -42,11 +42,15 @@ def change(new_hostname):
         new_hostname: The new hostname as string.
     """
     try:
-        return subprocess.check_output([
-            'sudo', '/opt/tinypilot-privileged/scripts/change-hostname',
-            new_hostname
-        ],
-                                       stderr=subprocess.STDOUT,
-                                       universal_newlines=True)
+        # The command arguments are trusted because the new hostname is
+        # validated by the caller.
+        return subprocess.check_output(  # noqa: S603
+            [
+                '/usr/bin/sudo',
+                '/opt/tinypilot-privileged/scripts/change-hostname',
+                new_hostname
+            ],
+            stderr=subprocess.STDOUT,
+            universal_newlines=True)
     except subprocess.CalledProcessError as e:
         raise HostnameChangeError(str(e.output).strip()) from e

app/local_system.py

@@ -29,10 +29,13 @@ def _exec_shutdown(restart_after):
         param = '--poweroff'
 
     try:
-        result = subprocess.run(['sudo', '/sbin/shutdown', param, 'now'],
-                                capture_output=True,
-                                text=True,
-                                check=True)
+        # The command arguments are trusted because they aren't based on user
+        # input.
+        result = subprocess.run(  # noqa: S603
+            ['/usr/bin/sudo', '/sbin/shutdown', param, 'now'],
+            capture_output=True,
+            text=True,
+            check=True)
     except subprocess.CalledProcessError as e:
         raise ShutdownError(e) from e
     if 'failed' in result.stderr.lower():

app/network.py

@@ -101,15 +101,18 @@ def inspect_interface(interface_name):
     status = InterfaceStatus(interface_name, False, None, None)
 
     try:
-        ip_cmd_out_raw = subprocess.check_output([
-            'ip',
-            '-json',
-            'address',
-            'show',
-            interface_name,
-        ],
-                                                 stderr=subprocess.STDOUT,
-                                                 universal_newlines=True)
+        # The command arguments are trusted because they aren't based on user
+        # input.
+        ip_cmd_out_raw = subprocess.check_output(  # noqa: S603
+            [
+                '/usr/bin/ip',
+                '-json',
+                'address',
+                'show',
+                interface_name,
+            ],
+            stderr=subprocess.STDOUT,
+            universal_newlines=True)
     except subprocess.CalledProcessError as e:
         logger.error('Failed to run `ip` command: %s', str(e))
         return status
@@ -148,7 +151,8 @@ def determine_wifi_settings():
         # We cannot read the wpa_supplicant.conf file directly, because it is
         # owned by the root user.
         config_lines = subprocess.check_output([
-            'sudo', '/opt/tinypilot-privileged/scripts/print-marker-sections',
+            '/usr/bin/sudo',
+            '/opt/tinypilot-privileged/scripts/print-marker-sections',
             '/etc/wpa_supplicant/wpa_supplicant.conf'
         ],
                                                stderr=subprocess.STDOUT,
@@ -181,19 +185,22 @@ def enable_wifi(wifi_settings):
     Raises:
         NetworkError
     """
+    # The command arguments are trusted because the WiFi settings are validated
+    # by the caller.
     args = [
-        'sudo', '/opt/tinypilot-privileged/scripts/enable-wifi', '--country',
-        wifi_settings.country_code, '--ssid', wifi_settings.ssid
+        '/usr/bin/sudo', '/opt/tinypilot-privileged/scripts/enable-wifi',
+        '--country', wifi_settings.country_code, '--ssid', wifi_settings.ssid
     ]
     try:
         # Ignore pylint since we're not managing the child process.
         # pylint: disable=consider-using-with
         if wifi_settings.psk:
             args.append('--psk')
-            process = subprocess.Popen(args, stdin=subprocess.PIPE, text=True)
+            process = subprocess.Popen(  # noqa: S603
+                args, stdin=subprocess.PIPE, text=True)
             process.communicate(input=wifi_settings.psk)
         else:
-            subprocess.Popen(args)
+            subprocess.Popen(args)  # noqa: S603
 
     except subprocess.CalledProcessError as e:
         raise NetworkError(str(e.output).strip()) from e
@@ -212,7 +219,7 @@ def disable_wifi():
         # Ignore pylint since we're not managing the child process.
         # pylint: disable=consider-using-with
         subprocess.Popen([
-            'sudo',
+            '/usr/bin/sudo',
             '/opt/tinypilot-privileged/scripts/disable-wifi',
         ])
     except subprocess.CalledProcessError as e:

app/update/launcher.py

@@ -36,4 +36,4 @@ def start_async():
     # Ignore pylint since we're not managing the child process.
     # pylint: disable=consider-using-with
     subprocess.Popen(
-        ('sudo', '/usr/sbin/service', 'tinypilot-updater', 'start'))
+        ('/usr/bin/sudo', '/usr/sbin/service', 'tinypilot-updater', 'start'))

app/update/launcher_test.py

@@ -21,7 +21,8 @@ def test_launches_update_when_no_update_is_running(self, mock_status_get,
 
         mock_clear.assert_called()
         mock_popen.assert_called_once_with(
-            ('sudo', '/usr/sbin/service', 'tinypilot-updater', 'start'))
+            ('/usr/bin/sudo', '/usr/sbin/service', 'tinypilot-updater',
+             'start'))
 
     @mock.patch.object(launcher.subprocess, 'Popen')
     @mock.patch.object(launcher.update.result_store, 'clear')
@@ -34,7 +35,8 @@ def test_launches_update_when_previous_update_succeeded(
 
         mock_clear.assert_called()
         mock_popen.assert_called_once_with(
-            ('sudo', '/usr/sbin/service', 'tinypilot-updater', 'start'))
+            ('/usr/bin/sudo', '/usr/sbin/service', 'tinypilot-updater',
+             'start'))
 
     @mock.patch.object(launcher.subprocess, 'Popen')
     @mock.patch.object(launcher.update.result_store, 'clear')
@@ -48,7 +50,8 @@ def test_launches_update_when_previous_update_failed(
 
         mock_clear.assert_called_once()
         mock_popen.assert_called_once_with(
-            ('sudo', '/usr/sbin/service', 'tinypilot-updater', 'start'))
+            ('/usr/bin/sudo', '/usr/sbin/service', 'tinypilot-updater',
+             'start'))
 
     @mock.patch.object(launcher.subprocess, 'Popen')
     @mock.patch.object(launcher.update.result_store, 'clear')

app/update_logs.py

@@ -33,9 +33,12 @@ def read():
     """
     logger.info('Running read-update-log')
     try:
-        output = subprocess.check_output(['sudo', _READ_SCRIPT_PATH],
-                                         stderr=subprocess.STDOUT,
-                                         universal_newlines=True)
+        # The command arguments are trusted because they aren't based on user
+        # input.
+        output = subprocess.check_output(  # noqa: S603
+            ['/usr/bin/sudo', _READ_SCRIPT_PATH],
+            stderr=subprocess.STDOUT,
+            universal_newlines=True)
     except subprocess.CalledProcessError as e:
         raise UpdateLogsReadError(str(e.output).strip()) from e
     logger.info('read-update-log completed successfully')

app/version.py

@@ -83,7 +83,8 @@ def latest_version():
             to the Gatekeeper API.
     """
     try:
-        with urllib.request.urlopen(
+        # The URL is trusted because it's not based on user input.
+        with urllib.request.urlopen(  # noqa: S310
                 f'{env.GATEKEEPER_BASE_URL}/community/available-update',
                 timeout=10) as response:
             response_bytes = response.read()

app/video_service.py

@@ -33,7 +33,7 @@ def _restart_ustreamer():
     logger.info('Triggering ustreamer restart...')
     try:
         subprocess.check_output(
-            ['sudo', '/usr/sbin/service', 'ustreamer', 'restart'],
+            ['/usr/bin/sudo', '/usr/sbin/service', 'ustreamer', 'restart'],
             stderr=subprocess.STDOUT,
             universal_newlines=True)
     except subprocess.CalledProcessError as e:
@@ -53,18 +53,19 @@ def _restart_janus():
     """
     logger.info('Writing janus configuration...')
     try:
-        subprocess.check_output(
-            ['sudo', '/opt/tinypilot-privileged/scripts/configure-janus'],
-            stderr=subprocess.STDOUT,
-            universal_newlines=True)
+        subprocess.check_output([
+            '/usr/bin/sudo', '/opt/tinypilot-privileged/scripts/configure-janus'
+        ],
+                                stderr=subprocess.STDOUT,
+                                universal_newlines=True)
     except subprocess.CalledProcessError as e:
         logger.error('Failed to configure janus: %s', e)
         return
 
     logger.info('Triggering janus restart...')
     try:
         subprocess.check_output(
-            ['sudo', '/usr/sbin/service', 'janus', 'restart'],
+            ['/usr/bin/sudo', '/usr/sbin/service', 'janus', 'restart'],
             stderr=subprocess.STDOUT,
             universal_newlines=True)
     except subprocess.CalledProcessError as e: