diff --git a/.github/change_filters.yml b/.github/change_filters.yml
index acea093964a5..df5582c6c10d 100644
--- a/.github/change_filters.yml
+++ b/.github/change_filters.yml
@@ -1,5 +1,6 @@
 backend:
 - 'pyproject.toml'
+ - 'poetry.lock'
 - 'rasa/**/*'
 - 'tests/**/*'
 - 'data/**/*'
@@ -8,6 +9,7 @@ backend:
 docker:
 - 'pyproject.toml'
+ - 'poetry.lock'
 - 'rasa/**/*'
 - 'docker/**/*'
 - 'Makefile'
diff --git a/.github/workflows/continous-integration.yml b/.github/workflows/continous-integration.yml
index 6b819a08a6d4..602977daae3d 100644
--- a/.github/workflows/continous-integration.yml
+++ b/.github/workflows/continous-integration.yml
@@ -52,6 +52,7 @@ jobs:
 steps:
 - name: Checkout git repository 🕝
+ if: needs.changes.outputs.docs == 'true'
 uses: actions/checkout@v2
 - name: Set up Python 3.7 🐍
@@ -118,6 +119,7 @@ jobs:
 steps:
 - name: Checkout git repository 🕝
+ if: needs.changes.outputs.backend == 'true'
 uses: actions/checkout@v2
 - name: Set up Python 3.7 🐍
@@ -192,6 +194,7 @@ jobs:
 steps:
 - name: Checkout git repository 🕝
+ if: needs.changes.outputs.backend == 'true'
 uses: actions/checkout@v2
 - name: Set up Python ${{ matrix.python-version }} 🐍
@@ -290,6 +293,7 @@ jobs:
 steps:
 - name: Checkout git repository 🕝
+ if: needs.changes.outputs.docker == 'true'
 uses: actions/checkout@v2
 - name: Free disk space
diff --git a/.github/workflows/security-scans.yml b/.github/workflows/security-scans.yml
index 333f9e3a3b63..a435fb65d970 100644
--- a/.github/workflows/security-scans.yml
+++ b/.github/workflows/security-scans.yml
@@ -5,6 +5,21 @@ on:
 types: [opened, synchronize, labeled]
 jobs:
+ changes:
+ name: Check for file changes
+ runs-on: ubuntu-latest
+ outputs:
+ backend: ${{ steps.filter.outputs.backend }}
+ docker: ${{ steps.filter.outputs.docker }}
+ docs: ${{ steps.filter.outputs.docs }}
+ steps:
+ - uses: actions/checkout@v2
+ - uses: RasaHQ/pr-changed-files-filter@c4f7116a04b8a4596313469429e2ad235f59d9c4
+ id: filter
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
+ filters: .github/change_filters.yml
+
 cleanup_runs:
 name: Cancel old branch builds
 runs-on: ubuntu-latest
@@ -27,3 +42,51 @@ jobs:
 - name: Gitleaks - detecting hardcoded secrets
 uses: zricethezav/gitleaks-action@v1.1.4
+
+ bandit:
+ name: Detect python security issues
+ runs-on: ubuntu-latest
+ needs: [changes]
+
+ steps:
+ - name: Checkout git repository 🕝
+ if: needs.changes.outputs.backend == 'true'
+ uses: actions/checkout@v2
+
+ - name: Set up Python 3.7 🐍
+ if: needs.changes.outputs.backend == 'true'
+ uses: actions/setup-python@v1
+ with:
+ python-version: 3.7
+
+ - name: Read Poetry Version 🔢
+ if: needs.changes.outputs.backend == 'true'
+ run: |
+ echo "POETRY_VERSION=$(scripts/poetry-version.sh)" >> $GITHUB_ENV
+ shell: bash
+
+ - name: Install poetry 🦄
+ if: needs.changes.outputs.backend == 'true'
+ uses: Gr1N/setup-poetry@v4
+ with:
+ poetry-version: ${{ env.POETRY_VERSION }}
+
+ - name: Set up virtual environment
+ if: needs.changes.outputs.backend == 'true'
+ run: poetry config virtualenvs.in-project true
+
+ - name: Load Poetry Cached Libraries ⬇
+ if: needs.changes.outputs.backend == 'true'
+ uses: actions/cache@v1
+ with:
+ path: .venv
+ key: ${{ runner.os }}-poetry-3.7-${{ hashFiles('**/poetry.lock') }}
+ restore-keys: ${{ runner.os }}-poetry-3.7
+
+ - name: Install Dependencies (Linux) 📦
+ if: needs.changes.outputs.backend == 'true'
+ run: make install
+
+ - name: Run Bandit 🔪
+ if: needs.changes.outputs.backend == 'true'
+ run: make lint-security
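Review bot: The `changes` job checks out with `actions/checkout@v2`, a mutable tag, while the filter action on the very next line is pinned to a full commit SHA; in a workflow whose purpose is security scanning, pinning every third-party action the same way (`uses: actions/checkout@<commit-sha>  # v2`, with the placeholder replaced by the tag's current commit) keeps a moved tag from silently changing what runs with `secrets.GITHUB_TOKEN`. The same applies to `actions/checkout@v2`, `actions/setup-python@v1`, `Gr1N/setup-poetry@v4` and `actions/cache@v1` in the `bandit` job added by the next hunk. An automated dependency updater can keep SHA pins current, so the cost is a one-time change.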
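Review bot: The condition `if: needs.changes.outputs.backend == 'true'` is repeated on all nine steps of the new `bandit` job rather than written once at job level, and nothing records why; presumably this is so the job reports success instead of being skipped when no backend file changed, which matters if it becomes a required status check. A comment under `bandit:` such as `# Gate each step rather than the job so the job always reports a status` would stop a later cleanup from collapsing them into a job-level `if:`. If the per-step form is not deliberate, a single `if:` beside `needs: [changes]` is the simpler form.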
diff --git a/Makefile b/Makefile
index 8dd1312f4d12..ee3cda52f057 100644
--- a/Makefile
+++ b/Makefile
@@ -18,6 +18,8 @@ help:
 @echo " Check docstring conventions in changed files."
 @echo " types"
 @echo " Check for type errors using mypy."
+ @echo " static-checks"
+ @echo " Run all python static checks."
 @echo " prepare-tests-ubuntu"
 @echo " Install system requirements for running tests on Ubuntu and Debian based systems."
 @echo " prepare-tests-macos"
@@ -83,6 +85,9 @@ endif
 # Diff of uncommitted changes for running locally
 git diff HEAD -- rasa | poetry run flake8 --select D --diff
+lint-security:
+ poetry run bandit -ll -ii -r --config bandit.yml rasa/*
+
 types:
 # FIXME: working our way towards removing these
 # see https://github.com/RasaHQ/rasa/pull/6470
@@ -107,6 +112,8 @@ types:
 --disable-error-code no-redef \
 --disable-error-code func-returns-value
+static-checks: lint lint-security types
+
 prepare-spacy:
 poetry install -E spacy
 poetry run python -m spacy download en_core_web_md
diff --git a/bandit.yml b/bandit.yml
new file mode 100644
index 000000000000..e966f0d39800
--- /dev/null
+++ b/bandit.yml
@@ -0,0 +1,4 @@
+# B322: checks for `input()` which is unsafe in Python 2, but safe in Python 3.
+# B104: checks for binding 0.0.0.0 interface, which should be fine for containers.
+# B301: checks for pickle usage, which is a necessary evil.
+skips: ['B322', 'B104', 'B301']
diff --git a/changelog/7284.improvement.md b/changelog/7284.improvement.md
new file mode 100644
index 000000000000..5f7f479a6d11
--- /dev/null
+++ b/changelog/7284.improvement.md
@@ -0,0 +1,2 @@
+Run [`bandit`](https://bandit.readthedocs.io/en/latest/) checks on pull requests.
+Introduce `make static-checks` command to run all static checks locally.
diff --git a/poetry.lock b/poetry.lock
index 47dc9404bb52..311b4f19d1b1 100644
--- a/poetry.lock
+++ b/poetry.lock
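Review bot: The `help` target gains an entry for `static-checks` but none for the new `lint-security` target that the second Makefile hunk adds, so `make help` will not list it; add `@echo " lint-security"` and `@echo " Run bandit security checks on the rasa package."` next to the `static-checks` lines, padded like the neighbouring entries. Whether this Makefile declares a `.PHONY` list is outside these hunks; if it does, `lint-security` and `static-checks` belong in it, since neither produces a file of that name. In `lint-security`, `rasa/*` is expanded by the shell before bandit sees it, while `-r rasa` would cover the package in one path and is harder to misread.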
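Review bot: Listing `B301` in `skips` turns pickle detection off for the whole tree, so a future `pickle.load` on data read from a network or a user-supplied file would go unreported; the comment itself calls pickle a "necessary evil", which argues for leaving the check on and marking the sites that intentionally unpickle trusted data with a justified `# nosec` instead. `B322` and `B104` are defensible project-wide skips on Python 3 and in containers, as the comments say. A short note such as `# Trusted-source pickle sites carry an individual, justified nosec marker` beside the list would record that policy for the next contributor.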
@@ -314,6 +314,26 @@ type = "legacy" url = "https://pypi.rasa.com/simple" reference = "rasa-pypi" +[[package]] +name = "bandit" +version = "1.6.3" +description = "Security oriented static analyser for python code." +category = "dev" +optional = false +python-versions = ">=3.5" + +[package.dependencies] +colorama = {version = ">=0.3.9", markers = "platform_system == \"Windows\""} +GitPython = ">=1.0.1" +PyYAML = ">=5.3.1" +six = ">=1.10.0" +stevedore = ">=1.20.0" + +[package.source] +type = "legacy" +url = "https://pypi.rasa.com/simple" +reference = "rasa-pypi" + [[package]] name = "black" version = "19.10b0" @@ -370,14 +390,14 @@ reference = "rasa-pypi" [[package]] name = "boto3" -version = "1.16.30" +version = "1.16.33" description = "The AWS SDK for Python" category = "main" optional = false python-versions = "*" [package.dependencies] -botocore = ">=1.19.30,<1.20.0" +botocore = ">=1.19.33,<1.20.0" jmespath = ">=0.7.1,<1.0.0" s3transfer = ">=0.3.0,<0.4.0" @@ -388,7 +408,7 @@ reference = "rasa-pypi" [[package]] name = "botocore" -version = "1.19.30" +version = "1.19.33" description = "Low-level, data-driven core of boto 3." category = "main" optional = false @@ -552,7 +572,7 @@ reference = "rasa-pypi" [[package]] name = "coloredlogs" -version = "14.0" +version = "14.2" description = "Colored terminal output for Python's logging module" category = "main" optional = false @@ -637,14 +657,14 @@ reference = "rasa-pypi" [[package]] name = "cryptography" -version = "3.2.1" +version = "3.3.1" description = "cryptography is a package which provides cryptographic recipes and primitives to Python developers." category = "main" optional = false -python-versions = ">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*" +python-versions = ">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*,!=3.5.*" [package.dependencies] -cffi = ">=1.8,<1.11.3 || >1.11.3" +cffi = ">=1.12" six = ">=1.4.1" [package.extras] 
@@ -981,6 +1001,22 @@ type = "legacy" url = "https://pypi.rasa.com/simple" reference = "rasa-pypi" +[[package]] +name = "gitdb" +version = "4.0.5" +description = "Git Object Database" +category = "dev" +optional = false +python-versions = ">=3.4" + +[package.dependencies] +smmap = ">=3.0.1,<4" + +[package.source] +type = "legacy" +url = "https://pypi.rasa.com/simple" +reference = "rasa-pypi" + [[package]] name = "github3.py" version = "1.3.0" @@ -1004,6 +1040,22 @@ type = "legacy" url = "https://pypi.rasa.com/simple" reference = "rasa-pypi" +[[package]] +name = "gitpython" +version = "3.1.11" +description = "Python Git Library" +category = "dev" +optional = false +python-versions = ">=3.4" + +[package.dependencies] +gitdb = ">=4.0.1,<5" + +[package.source] +type = "legacy" +url = "https://pypi.rasa.com/simple" +reference = "rasa-pypi" + [[package]] name = "google-api-core" version = "1.23.0" @@ -1333,7 +1385,7 @@ reference = "rasa-pypi" [[package]] name = "humanfriendly" -version = "9.0" +version = "9.1" description = "Human friendly output for text interfaces using Python" category = "main" optional = false @@ -1797,7 +1849,7 @@ reference = "rasa-pypi" [[package]] name = "mock" -version = "4.0.2" +version = "4.0.3" description = "Rolling backport of unittest.mock for all Pythons" category = "dev" optional = false @@ -1806,7 +1858,7 @@ python-versions = ">=3.6" [package.extras] build = ["twine", "wheel", "blurb"] docs = ["sphinx"] -test = ["pytest", "pytest-cov"] +test = ["pytest (<5.4)", "pytest-cov"] [package.source] type = "legacy" @@ -2323,6 +2375,19 @@ type = "legacy" url = "https://pypi.rasa.com/simple" reference = "rasa-pypi" +[[package]] +name = "pbr" +version = "5.5.1" +description = "Python Build Reasonableness" +category = "dev" +optional = false +python-versions = ">=2.6" + +[package.source] +type = "legacy" +url = "https://pypi.rasa.com/simple" +reference = "rasa-pypi" + [[package]] name = "pep440-version-utils" version = "0.3.0" 
@@ -3486,6 +3551,19 @@ type = "legacy" url = "https://pypi.rasa.com/simple" reference = "rasa-pypi" +[[package]] +name = "smmap" +version = "3.0.4" +description = "A pure Python implementation of a sliding window memory map manager" +category = "dev" +optional = false +python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*" + +[package.source] +type = "legacy" +url = "https://pypi.rasa.com/simple" +reference = "rasa-pypi" + [[package]] name = "sniffio" version = "1.2.0" @@ -3605,6 +3683,23 @@ type = "legacy" url = "https://pypi.rasa.com/simple" reference = "rasa-pypi" +[[package]] +name = "stevedore" +version = "3.3.0" +description = "Manage dynamic plugins for Python applications" +category = "dev" +optional = false +python-versions = ">=3.6" + +[package.dependencies] +importlib-metadata = {version = ">=1.7.0", markers = "python_version < \"3.8\""} +pbr = ">=2.0.0,<2.1.0 || >2.1.0" + +[package.source] +type = "legacy" +url = "https://pypi.rasa.com/simple" +reference = "rasa-pypi" + [[package]] name = "tabulate" version = "0.8.7" @@ -4290,7 +4385,7 @@ transformers = ["transformers"] [metadata] lock-version = "1.1" python-versions = ">=3.6,<3.9" -content-hash = "5097c2ab2af900b784bbc7ada969aaaac56d37f4f551e9bde01ab3e5ed5c2ac0" +content-hash = "fb934bbdd535eaa22c031212716ae5b1ba073ddbcfdfca21f1a23e04178e9e1d" [metadata.files] absl-py = [ 
@@ -4377,6 +4472,10 @@ azure-storage-blob = [ {file = "azure-storage-blob-12.5.0.zip", hash = "sha256:1469a5a0410296fb5ff96c326618d939c9cb0c0ea45eb931c89c98fa742d8daa"}, {file = "azure_storage_blob-12.5.0-py2.py3-none-any.whl", hash = "sha256:6f2de5b60f16141731b7561c218a8455053bcdb9b3775a0e5364fb2b041bcf1e"}, ] +bandit = [ + {file = "bandit-1.6.3-py2.py3-none-any.whl", hash = "sha256:2ff3fe35fe3212c0be5fc9c4899bd0108e2b5239c5ff62fb174639e4660fe958"}, + {file = "bandit-1.6.3.tar.gz", hash = "sha256:d02dfe250f4aa2d166c127ad81d192579e2bfcdb8501717c0e2005e35a6bcf60"}, +] black = [ {file = "black-19.10b0-py36-none-any.whl", hash = "sha256:1b30e59be925fafc1ee4565e5e08abef6b03fe455102883820fe5ee2e4734e0b"}, {file = "black-19.10b0.tar.gz", hash = "sha256:c2edb73a08e9e0e6f65a0e6af18b059b8b1cdd5bef997d7a0b181df93dc81539"}, 
@@ -4404,12 +4503,11 @@ boto = [ {file = "boto-2.49.0.tar.gz", hash = "sha256:ea0d3b40a2d852767be77ca343b58a9e3a4b00d9db440efb8da74b4e58025e5a"}, ] boto3 = [ - {file = "boto3-1.16.30-py2.py3-none-any.whl", hash = "sha256:163ab6f9030ade265af9b36a10e608f12911cb5f3557e8e3390dffeba919262e"}, - {file = "boto3-1.16.30.tar.gz", hash = "sha256:848aa8d11c9927daa13512072a501e2fc70ba86b073fc6927b86466f4a459b4d"}, + {file = "boto3-1.16.33.tar.gz", hash = "sha256:0aba88dadc9ae5d103c6d8de7ac88df67b3b0198da82346993b0c52b7477a5dd"}, ] botocore = [ - {file = "botocore-1.19.30-py2.py3-none-any.whl", hash = "sha256:70a8ec8d76096927b619a2f1f0dffe326fc9a4f9224afc6cf5d7ef2fd98a94a2"}, - {file = "botocore-1.19.30.tar.gz", hash = "sha256:822f9dd11f11c54b9c4666cfec9b7246a32990dbca1be27528a75a8dabed4dc2"}, + {file = "botocore-1.19.33-py2.py3-none-any.whl", hash = "sha256:0f5f316ae1b089da3efac85524345954fa54e6e682ed60579f8c95c0d5aee3c4"}, + {file = "botocore-1.19.33.tar.gz", hash = "sha256:3c741da411e117a08545877790e01b94c804cfb85b1981e40378cb8594af5406"}, ] cachetools = [ {file = "cachetools-4.1.1-py3-none-any.whl", hash = "sha256:513d4ff98dd27f85743a8dc0e92f55ddb1b49e060c2d5961512855cda2c01a98"}, 
@@ -4445,11 +4543,13 @@ cffi = [ {file = "cffi-1.14.4-cp37-cp37m-macosx_10_9_x86_64.whl", hash = "sha256:a7711edca4dcef1a75257b50a2fbfe92a65187c47dab5a0f1b9b332c5919a3fb"}, {file = "cffi-1.14.4-cp37-cp37m-manylinux1_i686.whl", hash = "sha256:00e28066507bfc3fe865a31f325c8391a1ac2916219340f87dfad602c3e48e5d"}, {file = "cffi-1.14.4-cp37-cp37m-manylinux1_x86_64.whl", hash = "sha256:798caa2a2384b1cbe8a2a139d80734c9db54f9cc155c99d7cc92441a23871c03"}, + {file = "cffi-1.14.4-cp37-cp37m-manylinux2014_aarch64.whl", hash = "sha256:a5ed8c05548b54b998b9498753fb9cadbfd92ee88e884641377d8a8b291bcc01"}, {file = "cffi-1.14.4-cp37-cp37m-win32.whl", hash = "sha256:00a1ba5e2e95684448de9b89888ccd02c98d512064b4cb987d48f4b40aa0421e"}, {file = "cffi-1.14.4-cp37-cp37m-win_amd64.whl", hash = "sha256:9cc46bc107224ff5b6d04369e7c595acb700c3613ad7bcf2e2012f62ece80c35"}, {file = "cffi-1.14.4-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:df5169c4396adc04f9b0a05f13c074df878b6052430e03f50e68adf3a57aa28d"}, {file = "cffi-1.14.4-cp38-cp38-manylinux1_i686.whl", hash = "sha256:9ffb888f19d54a4d4dfd4b3f29bc2c16aa4972f1c2ab9c4ab09b8ab8685b9c2b"}, {file = "cffi-1.14.4-cp38-cp38-manylinux1_x86_64.whl", hash = "sha256:8d6603078baf4e11edc4168a514c5ce5b3ba6e3e9c374298cb88437957960a53"}, + {file = "cffi-1.14.4-cp38-cp38-manylinux2014_aarch64.whl", hash = "sha256:d5ff0621c88ce83a28a10d2ce719b2ee85635e85c515f12bac99a95306da4b2e"}, {file = "cffi-1.14.4-cp38-cp38-win32.whl", hash = "sha256:b4e248d1087abf9f4c10f3c398896c87ce82a9856494a7155823eb45a892395d"}, {file = "cffi-1.14.4-cp38-cp38-win_amd64.whl", hash = "sha256:ec80dc47f54e6e9a78181ce05feb71a0353854cc26999db963695f950b5fb375"}, {file = "cffi-1.14.4-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:840793c68105fe031f34d6a086eaea153a0cd5c491cde82a74b420edd0a2b909"}, 
@@ -4483,8 +4583,8 @@ colorclass = [ {file = "colorclass-2.2.0.tar.gz", hash = "sha256:b05c2a348dfc1aff2d502527d78a5b7b7e2f85da94a96c5081210d8e9ee8e18b"}, ] coloredlogs = [ - {file = "coloredlogs-14.0-py2.py3-none-any.whl", hash = "sha256:346f58aad6afd48444c2468618623638dadab76e4e70d5e10822676f2d32226a"}, - {file = "coloredlogs-14.0.tar.gz", hash = "sha256:a1fab193d2053aa6c0a97608c4342d031f1f93a3d1218432c59322441d31a505"}, + {file = "coloredlogs-14.2-py2.py3-none-any.whl", hash = "sha256:4d31b0c9df42d09b24eedcecbbef39c1778c931e1b6f8a275895589d64d22c82"}, + {file = "coloredlogs-14.2.tar.gz", hash = "sha256:ac35144b5c39699318fdea8afdf3ca3308f274759af56a479e6d657b1850e246"}, ] colorhash = [ {file = "colorhash-1.0.3-py3-none-any.whl", hash = "sha256:7a1f459e96ed62cab441ce8bb7668bc1912c0cbc989e2b43fae4161396917044"}, 
@@ -4534,28 +4634,20 @@ coveralls = [ {file = "coveralls-2.2.0.tar.gz", hash = "sha256:b990ba1f7bc4288e63340be0433698c1efe8217f78c689d254c2540af3d38617"}, ] cryptography = [ - {file = "cryptography-3.2.1-cp27-cp27m-macosx_10_10_x86_64.whl", hash = "sha256:6dc59630ecce8c1f558277ceb212c751d6730bd12c80ea96b4ac65637c4f55e7"}, - {file = "cryptography-3.2.1-cp27-cp27m-manylinux1_x86_64.whl", hash = "sha256:75e8e6684cf0034f6bf2a97095cb95f81537b12b36a8fedf06e73050bb171c2d"}, - {file = "cryptography-3.2.1-cp27-cp27m-manylinux2010_x86_64.whl", hash = "sha256:4e7268a0ca14536fecfdf2b00297d4e407da904718658c1ff1961c713f90fd33"}, - {file = "cryptography-3.2.1-cp27-cp27m-win32.whl", hash = "sha256:7117319b44ed1842c617d0a452383a5a052ec6aa726dfbaffa8b94c910444297"}, - {file = "cryptography-3.2.1-cp27-cp27m-win_amd64.whl", hash = "sha256:a733671100cd26d816eed39507e585c156e4498293a907029969234e5e634bc4"}, - {file = "cryptography-3.2.1-cp27-cp27mu-manylinux1_x86_64.whl", hash = "sha256:a75f306a16d9f9afebfbedc41c8c2351d8e61e818ba6b4c40815e2b5740bb6b8"}, - {file = "cryptography-3.2.1-cp27-cp27mu-manylinux2010_x86_64.whl", hash = "sha256:5849d59358547bf789ee7e0d7a9036b2d29e9a4ddf1ce5e06bb45634f995c53e"}, - {file = "cryptography-3.2.1-cp35-abi3-macosx_10_10_x86_64.whl", hash = "sha256:bd717aa029217b8ef94a7d21632a3bb5a4e7218a4513d2521c2a2fd63011e98b"}, - {file = "cryptography-3.2.1-cp35-abi3-manylinux1_x86_64.whl", hash = "sha256:efe15aca4f64f3a7ea0c09c87826490e50ed166ce67368a68f315ea0807a20df"}, - {file = "cryptography-3.2.1-cp35-abi3-manylinux2010_x86_64.whl", hash = "sha256:32434673d8505b42c0de4de86da8c1620651abd24afe91ae0335597683ed1b77"}, - {file = "cryptography-3.2.1-cp35-abi3-manylinux2014_aarch64.whl", hash = "sha256:7b8d9d8d3a9bd240f453342981f765346c87ade811519f98664519696f8e6ab7"}, - {file = "cryptography-3.2.1-cp35-cp35m-win32.whl", hash = "sha256:d3545829ab42a66b84a9aaabf216a4dce7f16dbc76eb69be5c302ed6b8f4a29b"}, - {file = "cryptography-3.2.1-cp35-cp35m-win_amd64.whl", hash = 
"sha256:a4e27ed0b2504195f855b52052eadcc9795c59909c9d84314c5408687f933fc7"}, - {file = "cryptography-3.2.1-cp36-abi3-win32.whl", hash = "sha256:13b88a0bd044b4eae1ef40e265d006e34dbcde0c2f1e15eb9896501b2d8f6c6f"}, - {file = "cryptography-3.2.1-cp36-abi3-win_amd64.whl", hash = "sha256:07ca431b788249af92764e3be9a488aa1d39a0bc3be313d826bbec690417e538"}, - {file = "cryptography-3.2.1-cp36-cp36m-win32.whl", hash = "sha256:a035a10686532b0587d58a606004aa20ad895c60c4d029afa245802347fab57b"}, - {file = "cryptography-3.2.1-cp36-cp36m-win_amd64.whl", hash = "sha256:d26a2557d8f9122f9bf445fc7034242f4375bd4e95ecda007667540270965b13"}, - {file = "cryptography-3.2.1-cp37-cp37m-win32.whl", hash = "sha256:545a8550782dda68f8cdc75a6e3bf252017aa8f75f19f5a9ca940772fc0cb56e"}, - {file = "cryptography-3.2.1-cp37-cp37m-win_amd64.whl", hash = "sha256:55d0b896631412b6f0c7de56e12eb3e261ac347fbaa5d5e705291a9016e5f8cb"}, - {file = "cryptography-3.2.1-cp38-cp38-win32.whl", hash = "sha256:3cd75a683b15576cfc822c7c5742b3276e50b21a06672dc3a800a2d5da4ecd1b"}, - {file = "cryptography-3.2.1-cp38-cp38-win_amd64.whl", hash = "sha256:d25cecbac20713a7c3bc544372d42d8eafa89799f492a43b79e1dfd650484851"}, - {file = "cryptography-3.2.1.tar.gz", hash = "sha256:d3d5e10be0cf2a12214ddee45c6bd203dab435e3d83b4560c03066eda600bfe3"}, + {file = "cryptography-3.3.1-cp27-cp27m-macosx_10_10_x86_64.whl", hash = "sha256:c366df0401d1ec4e548bebe8f91d55ebcc0ec3137900d214dd7aac8427ef3030"}, + {file = "cryptography-3.3.1-cp27-cp27m-manylinux1_x86_64.whl", hash = "sha256:9f6b0492d111b43de5f70052e24c1f0951cb9e6022188ebcb1cc3a3d301469b0"}, + {file = "cryptography-3.3.1-cp27-cp27m-manylinux2010_x86_64.whl", hash = "sha256:a69bd3c68b98298f490e84519b954335154917eaab52cf582fa2c5c7efc6e812"}, + {file = "cryptography-3.3.1-cp27-cp27m-win32.whl", hash = "sha256:84ef7a0c10c24a7773163f917f1cb6b4444597efd505a8aed0a22e8c4780f27e"}, + {file = "cryptography-3.3.1-cp27-cp27m-win_amd64.whl", hash = 
"sha256:594a1db4511bc4d960571536abe21b4e5c3003e8750ab8365fafce71c5d86901"}, + {file = "cryptography-3.3.1-cp27-cp27mu-manylinux1_x86_64.whl", hash = "sha256:0003a52a123602e1acee177dc90dd201f9bb1e73f24a070db7d36c588e8f5c7d"}, + {file = "cryptography-3.3.1-cp27-cp27mu-manylinux2010_x86_64.whl", hash = "sha256:83d9d2dfec70364a74f4e7c70ad04d3ca2e6a08b703606993407bf46b97868c5"}, + {file = "cryptography-3.3.1-cp36-abi3-macosx_10_10_x86_64.whl", hash = "sha256:dc42f645f8f3a489c3dd416730a514e7a91a59510ddaadc09d04224c098d3302"}, + {file = "cryptography-3.3.1-cp36-abi3-manylinux1_x86_64.whl", hash = "sha256:788a3c9942df5e4371c199d10383f44a105d67d401fb4304178020142f020244"}, + {file = "cryptography-3.3.1-cp36-abi3-manylinux2010_x86_64.whl", hash = "sha256:69e836c9e5ff4373ce6d3ab311c1a2eed274793083858d3cd4c7d12ce20d5f9c"}, + {file = "cryptography-3.3.1-cp36-abi3-manylinux2014_aarch64.whl", hash = "sha256:9e21301f7a1e7c03dbea73e8602905a4ebba641547a462b26dd03451e5769e7c"}, + {file = "cryptography-3.3.1-cp36-abi3-win32.whl", hash = "sha256:b4890d5fb9b7a23e3bf8abf5a8a7da8e228f1e97dc96b30b95685df840b6914a"}, + {file = "cryptography-3.3.1-cp36-abi3-win_amd64.whl", hash = "sha256:0e85aaae861d0485eb5a79d33226dd6248d2a9f133b81532c8f5aae37de10ff7"}, + {file = "cryptography-3.3.1.tar.gz", hash = "sha256:7e177e4bea2de937a584b13645cab32f25e3d96fc0bc4a4cf99c27dc77682be6"}, ] cycler = [ {file = "cycler-0.10.0-py2.py3-none-any.whl", hash = "sha256:1d8a5ae1ff6c5cf9b93e8811e581232ad8920aeec647c37316ceac982b08cb2d"}, 
@@ -4660,10 +4752,18 @@ gast = [ {file = "gast-0.3.3-py2.py3-none-any.whl", hash = "sha256:8f46f5be57ae6889a4e16e2ca113b1703ef17f2b0abceb83793eaba9e1351a45"}, {file = "gast-0.3.3.tar.gz", hash = "sha256:b881ef288a49aa81440d2c5eb8aeefd4c2bb8993d5f50edae7413a85bfdb3b57"}, ] +gitdb = [ + {file = "gitdb-4.0.5-py3-none-any.whl", hash = "sha256:91f36bfb1ab7949b3b40e23736db18231bf7593edada2ba5c3a174a7b23657ac"}, + {file = "gitdb-4.0.5.tar.gz", hash = "sha256:c9e1f2d0db7ddb9a704c2a0217be31214e91a4fe1dea1efad19ae42ba0c285c9"}, +] "github3.py" = [ {file = "github3.py-1.3.0-py2.py3-none-any.whl", hash = "sha256:50833b5da35546b8cced0e8d7ff4c50a9afc2c8e46cc4d07dc4b66d26467c708"}, {file = "github3.py-1.3.0.tar.gz", hash = "sha256:15a115c18f7bfcf934dfef7ab103844eb9f620c586bad65967708926da47cbda"}, ] +gitpython = [ + {file = "GitPython-3.1.11-py3-none-any.whl", hash = "sha256:6eea89b655917b500437e9668e4a12eabdcf00229a0df1762aabd692ef9b746b"}, + {file = "GitPython-3.1.11.tar.gz", hash = "sha256:befa4d101f91bad1b632df4308ec64555db684c360bd7d2130b4807d49ce86b8"}, +] google-api-core = [ {file = "google-api-core-1.23.0.tar.gz", hash = "sha256:1bb3c485c38eacded8d685b1759968f6cf47dd9432922d34edb90359eaa391e2"}, {file = "google_api_core-1.23.0-py2.py3-none-any.whl", hash = "sha256:94d8c707d358d8d9e8b0045c42be20efb58433d308bd92cf748511c7825569c8"}, 
@@ -4835,8 +4935,8 @@ httpx = [ {file = "httpx-0.11.1.tar.gz", hash = "sha256:7d2bfb726eeed717953d15dddb22da9c2fcf48a4d70ba1456aa0a7faeda33cf7"}, ] humanfriendly = [ - {file = "humanfriendly-9.0-py2.py3-none-any.whl", hash = "sha256:3c9ab8d28e88e6cc998e41963357736dafd555ee5bb666b50e42f6ce28dd3e3d"}, - {file = "humanfriendly-9.0.tar.gz", hash = "sha256:175ffa628aa76da2c17369a5da5856084562cc66dfe7f82ae93ca3ef175277a6"}, + {file = "humanfriendly-9.1-py2.py3-none-any.whl", hash = "sha256:d5c731705114b9ad673754f3317d9fa4c23212f36b29bdc4272a892eafc9bc72"}, + {file = "humanfriendly-9.1.tar.gz", hash = "sha256:066562956639ab21ff2676d1fda0b5987e985c534fc76700a19bd54bcb81121d"}, ] hyperframe = [ {file = "hyperframe-5.2.0-py2.py3-none-any.whl", hash = "sha256:5187962cb16dcc078f23cb5a4b110098d546c3f41ff2d4038a9896893bbd0b40"}, @@ -5040,8 +5140,8 @@ mccabe = [ {file = "mccabe-0.6.1.tar.gz", hash = "sha256:dd8d182285a0fe56bace7f45b5e7d1a6ebcbf524e8f3bd87eb0f125271b8831f"}, ] mock = [ - {file = "mock-4.0.2-py3-none-any.whl", hash = "sha256:3f9b2c0196c60d21838f307f5825a7b86b678cedc58ab9e50a8988187b4d81e0"}, - {file = "mock-4.0.2.tar.gz", hash = "sha256:dd33eb70232b6118298d516bbcecd26704689c386594f0f3c4f13867b2c56f72"}, + {file = "mock-4.0.3-py3-none-any.whl", hash = "sha256:122fcb64ee37cfad5b3f48d7a7d51875d7031aaf3d8be7c42e2bee25044eee62"}, + {file = "mock-4.0.3.tar.gz", hash = "sha256:7d3fbbde18228f4ff2f1f119a45cdffa458b4c0dee32eb4d2bb2f82554bac7bc"}, ] mongomock = [ {file = "mongomock-3.21.0-py2.py3-none-any.whl", hash = "sha256:0a5d273c46c8bebf1241146d9f4fa3c95f6f0bdddae4e1d8be922340918b972b"}, 
@@ -5214,6 +5314,10 @@ pathspec = [ pathtools = [ {file = "pathtools-0.1.2.tar.gz", hash = "sha256:7c35c5421a39bb82e58018febd90e3b6e5db34c5443aaaf742b3f33d4655f1c0"}, ] +pbr = [ + {file = "pbr-5.5.1-py2.py3-none-any.whl", hash = "sha256:b236cde0ac9a6aedd5e3c34517b423cd4fd97ef723849da6b0d2231142d89c00"}, + {file = "pbr-5.5.1.tar.gz", hash = "sha256:5fad80b613c402d5b7df7bd84812548b2a61e9977387a80a5fc5c396492b13c9"}, +] pep440-version-utils = [ {file = "pep440-version-utils-0.3.0.tar.gz", hash = "sha256:ceb8c8da63b54cc555946d91829f72fe323f8d635b22fa54ef0a9800c37f50df"}, {file = "pep440_version_utils-0.3.0-py3-none-any.whl", hash = "sha256:73780b2c31adad5ca35c89eb008f51c2a47aee0318debe31391b673b90577e1b"}, @@ -5783,6 +5887,10 @@ slackclient = [ {file = "slackclient-2.9.3-py2.py3-none-any.whl", hash = "sha256:2d68d668c02f4038299897e5c4723ab85dd40a3548354924b24f333a435856f8"}, {file = "slackclient-2.9.3.tar.gz", hash = "sha256:07ec8fa76f6aa64852210ae235ff9e637ba78124e06c0b07a7eeea4abb955965"}, ] +smmap = [ + {file = "smmap-3.0.4-py2.py3-none-any.whl", hash = "sha256:54c44c197c819d5ef1991799a7e30b662d1e520f2ac75c9efbeb54a742214cf4"}, + {file = "smmap-3.0.4.tar.gz", hash = "sha256:9c98bbd1f9786d22f14b3d4126894d56befb835ec90cef151af566c7e19b5d24"}, +] sniffio = [ {file = "sniffio-1.2.0-py3-none-any.whl", hash = "sha256:471b71698eac1c2112a40ce2752bb2f4a4814c22a54a3eed3676bc0f5ca9f663"}, {file = "sniffio-1.2.0.tar.gz", hash = "sha256:c4666eecec1d3f50960c6bdf61ab7bc350648da6c126e3cf6898d8cd4ddcd3de"}, 
@@ -5862,6 +5970,10 @@ srsly = [
 {file = "srsly-1.0.5-cp39-cp39-win_amd64.whl", hash = "sha256:334f29435099e644a8047b63d60b8386a98b5f7b4739f7efc86b46ca0200aa0e"},
 {file = "srsly-1.0.5.tar.gz", hash = "sha256:d3dd796372367c71946d0cd6f734e49db3d99dd13a57bdac937d9eb62689fc9e"},
 ]
+stevedore = [
+ {file = "stevedore-3.3.0-py3-none-any.whl", hash = "sha256:50d7b78fbaf0d04cd62411188fa7eedcb03eb7f4c4b37005615ceebe582aa82a"},
+ {file = "stevedore-3.3.0.tar.gz", hash = "sha256:3a5bbd0652bf552748871eaa73a4a8dc2899786bc497a2aa1fcb4dcdb0debeee"},
+]
 tabulate = [
 {file = "tabulate-0.8.7-py3-none-any.whl", hash = "sha256:ac64cb76d53b1231d364babcd72abbb16855adac7de6665122f97b593f1eb2ba"},
 {file = "tabulate-0.8.7.tar.gz", hash = "sha256:db2723a20d04bcda8522165c73eea7c300eda74e0ce852d9022e0159d7895007"},
diff --git a/pyproject.toml b/pyproject.toml
index 292ce6309474..61b4ea5b2bce 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -153,6 +153,7 @@ pep440-version-utils = "^0.3.0"
 pydoc-markdown = "^3.5.0"
 pytest-timeout = "^1.4.2"
 mypy = "^0.790"
+bandit = "^1.6.3"
 [tool.poetry.extras]
 spacy = [ "spacy",]
diff --git a/rasa/core/tracker_store.py b/rasa/core/tracker_store.py
index a556a67c3237..277471f5df5c 100644
--- a/rasa/core/tracker_store.py
+++ b/rasa/core/tracker_store.py
@@ -935,7 +935,7 @@ def _create_database(engine: "Engine", db: Text):
 cursor = conn.connection.cursor()
 cursor.execute("COMMIT")
- cursor.execute(f"SELECT 1 FROM pg_catalog.pg_database WHERE datname = '{db}'")
+ cursor.execute("SELECT 1 FROM pg_catalog.pg_database WHERE datname = ?", (db,))
 exists = cursor.fetchone()
 if not exists:
 try:
diff --git a/rasa/core/utils.py b/rasa/core/utils.py
index 64022ff9014b..7d2a5879336c 100644
--- a/rasa/core/utils.py
+++ b/rasa/core/utils.py
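Review bot: The `?` placeholder on the new `cursor.execute` line is the sqlite `qmark` paramstyle, but the statement queries `pg_catalog.pg_database` and runs on the raw DBAPI cursor obtained from `conn.connection.cursor()`; if that driver is psycopg2 (SQLAlchemy's default for PostgreSQL), its paramstyle is `pyformat`/`format`, so `?` is passed through unsubstituted and the call fails with a "not all arguments converted" TypeError or a syntax error at the `?`. Use `cursor.execute("SELECT 1 FROM pg_catalog.pg_database WHERE datname = %s", (db,))`, or run a `sqlalchemy.text` statement with a bound `:db` parameter through `conn` so the dialect picks the placeholder. Replacing the f-string with a bound parameter is the right fix for the injection; only the placeholder syntax is off. `_create_database` begins before this hunk.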
@@ -124,12 +124,14 @@ def __init__(self, wrapped, tight=False) -> None:
 self.__tight = tight
 self.__wrapped = np.array(wrapped) if tight else wrapped
- self.__hash = int(sha1(wrapped.view()).hexdigest(), 16)
+ self.__hash = int(sha1(wrapped.view()).hexdigest(), 16) # nosec
 def __eq__(self, other) -> bool:
+ """Performs equality of the underlying array."""
 return np.all(self.__wrapped == other.__wrapped)
 def __hash__(self) -> int:
+ """Return the hash of the array."""
 return self.__hash
 def unwrap(self) -> np.ndarray:
@@ -266,7 +268,7 @@ def convert_bytes_to_string(data: Union[bytes, bytearray, Text]) -> Text:
 def get_file_hash(path: Text) -> Text:
 """Calculate the md5 hash of a file."""
- return md5(file_as_bytes(path)).hexdigest()
+ return md5(file_as_bytes(path)).hexdigest() # nosec
 async def download_file_from_url(url: Text) -> Text:
diff --git a/rasa/shared/utils/io.py b/rasa/shared/utils/io.py
index 6f14542e11ea..008b5dc068a1 100644
--- a/rasa/shared/utils/io.py
+++ b/rasa/shared/utils/io.py
@@ -265,10 +265,20 @@ def get_list_fingerprint(
 def get_text_hash(text: Text, encoding: Text = DEFAULT_ENCODING) -> Text:
 """Calculate the md5 hash for a text."""
- return md5(text.encode(encoding)).hexdigest()
+ return md5(text.encode(encoding)).hexdigest() # nosec
 def json_to_string(obj: Any, **kwargs: Any) -> Text:
+ """Dumps a JSON-serializable object to string.
+
+ Args:
+ obj: JSON-serializable object.
+ kwargs: serialization options. Defaults to 2 space indentation
+ and disable escaping of non-ASCII characters.
+
+ Returns:
+ The objects serialized to JSON, as a string.
+ """
 indent = kwargs.pop("indent", 2)
 ensure_ascii = kwargs.pop("ensure_ascii", False)
 return json.dumps(obj, indent=indent, ensure_ascii=ensure_ascii, **kwargs)
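Review bot: The bare `# nosec` on the sha1 line suppresses every bandit finding on that statement without recording why it is acceptable; a marker that carries the reason, `# nosec - sha1 is a content fingerprint here, not an integrity or authentication check`, keeps the suppression reviewable, and the same wording fits the md5 markers in the `get_file_hash` hunk below and in `get_text_hash` in rasa/shared/utils/io.py. The new `__eq__` docstring, "Performs equality of the underlying array.", does not describe the return value; `"""Returns True when every element of the two wrapped arrays is equal."""` matches the `np.all` body. The `__init__` this hunk opens in starts before the hunk.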
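Review bot: In the new `json_to_string` docstring, "The objects serialized to JSON" should read "The object serialized to JSON", and the `kwargs` entry describes the defaults awkwardly; `kwargs: Extra options forwarded to json.dumps; indent defaults to 2 and ensure_ascii to False, so non-ASCII characters are not escaped.` states what the two `pop` calls below actually do. The summary line "Dumps a JSON-serializable object to string." is fine as is.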