Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix MPP-3802: stop ignoring bandit security checks #4684

Merged
merged 4 commits into from
May 9, 2024
Merged

fix MPP-3802: stop ignoring bandit security checks #4684

merged 4 commits into from
May 9, 2024

Conversation

groovecoder
Copy link
Member

@groovecoder groovecoder commented May 7, 2024
edited
Loading

This PR fixes #MPP-3802.

How to test:

  1. pytest
  2. ruff check .
  • l10n changes have been submitted to the l10n repository, if any.
  • I've added a unit test to test for potential regressions of this bug.
  • I've added or updated relevant docs in the docs/ directory.
  • All UI revisions follow the coding standards, and use Protocol tokens where applicable (see /frontend/src/styles/tokens.scss).
  • Commits in this PR are minimal and have descriptive commit messages.

@groovecoder groovecoder force-pushed the enable-flak8-bandit-checks-mpp-3802 branch 4 times, most recently from 7f9a71f to 63af71b Compare May 8, 2024 15:22
@groovecoder groovecoder force-pushed the enable-flak8-bandit-checks-mpp-3802 branch from 63af71b to c6a71b5 Compare May 8, 2024 16:25
@groovecoder groovecoder marked this pull request as ready for review May 8, 2024 18:40
jwhitlock
jwhitlock requested changes May 8, 2024
View reviewed changes
Copy link
Member

@jwhitlock jwhitlock left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @groovecoder! Only required change from me is creating a setting for the FxA profile timeout that can be configured via the environment.

api/authentication.py Outdated Show resolved Hide resolved
api/exceptions.py Show resolved Hide resolved
api/views/privaterelay.py Outdated Show resolved Hide resolved
emails/utils.py Show resolved Hide resolved
privaterelay/apps.py Outdated Show resolved Hide resolved
privaterelay/plans.py
@@ -557,15 +557,18 @@ def _cached_country_language_mapping(

mapping: PlanCountryLangMapping = {}
for relay_country in relay_maps.get("by_country", []):
assert relay_country not in mapping
if relay_country in mapping:
raise ValueError("relay_country should not be in mapping.")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: these will be harder to debug, since we won't know which relay_county was already in the mapping. However, we can expand the error message when we get to that point, instead of making every ValueError include the value.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This was the change that made me wonder: should I go back thru this whole PR and include the value in every ValueError message while I'm in here? I don't mind doing that now rather than later.

privaterelay/settings.py Outdated Show resolved Hide resolved
pyproject.toml Show resolved Hide resolved
@groovecoder groovecoder changed the title for MPP-3802: add timeouts to requests fix MPP-3802: stop ignoring bandit security checks May 8, 2024
@groovecoder
Copy link
Member Author

Made updates, but @jwhitlock if you think I should go ahead and include values in ValueError messages, let me know and I'll add that while I'm in this code- and head-space.

jwhitlock
jwhitlock approved these changes May 9, 2024
View reviewed changes
Copy link
Member

@jwhitlock jwhitlock left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @groovecoder!

No, I think we're OK without the detailed messages. If one of these fires in production, we'll add 1) a test to trigger the exception and 2) more information to exception message. 95% should never need it.

@groovecoder groovecoder added this pull request to the merge queue May 9, 2024
Merged via the queue into main with commit 9204b4f May 9, 2024
28 checks passed
@groovecoder groovecoder deleted the enable-flak8-bandit-checks-mpp-3802 branch May 9, 2024 18:31
@sentry-io Sentry.io
Copy link

sentry-io bot commented May 10, 2024
edited
Loading

Suspect Issues

This pull request was deployed and Sentry observed the following issues:

  • ‼️ IntegrityError: duplicate key value violates unique constraint "emails_domainaddress_user_id_address_53342f1e_uniq" /api/v1/domainaddresses/ View Issue
  • ‼️ SystemExit: 1 /api/v1/terms-accepted-user/ View Issue
  • ‼️ SystemExit: 1 /fxa-rp-events View Issue
  • ‼️ SystemExit: 1 /api/v1/relayaddresses/ View Issue
  • ‼️ OperationalError: the connection is closed /api/v1/relayaddresses/ View Issue

Did you find this useful? React with a 👍 or 👎

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@say-yawn say-yawn say-yawn left review comments

@jwhitlock jwhitlock jwhitlock approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@groovecoder @jwhitlock @say-yawn