Bump bandit and make oslo.middleware compatible with latest rules

Apply a timeout to requests calls to avoid uncontrolled
resource consumption (CWE-400) [1].

However, we should notice that bandit didn't warn here.
It didn't detect the request without the configured timeout.

[1] https://cwe.mitre.org/data/definitions/400.html

Change-Id: I6a4701592e0b245b798fbe916f78a5e8114e92ef
Hervé Beraud 2023-03-10 10:58:36 +01:00 committed by Takashi Kajinami
parent 05be604d8b
commit 170e35a5b9
2 changed files with 2 additions and 2 deletions


@ -41,7 +41,7 @@ class HealthcheckMainTests(test_base.BaseTestCase):
# The operating system will return WSAEADDRNOTAVAIL which
# in turn will throw a requests.ConnectionError
r = requests.get("http://127.0.0.1:%s" % (
server.server_address[1]))
server.server_address[1]), timeout=10)
except requests.ConnectionError:
# Server hasn't started up yet, try again in a few.
time.sleep(1)
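Review bot: the `except requests.ConnectionError:` branch below the changed `requests.get(...)` call will not cover every failure the new `timeout=10` can produce. A timeout while connecting raises `requests.ConnectTimeout`, which is a `ConnectionError` subclass and is caught, but a timeout after the connection is established raises `requests.ReadTimeout`, which only derives from `requests.Timeout` and would escape this loop and fail the test. If the retry loop is meant to cover a slow-to-respond server as well, widen the clause to `except (requests.ConnectionError, requests.Timeout):`; if a read timeout should be a hard failure, a short comment saying so would make the intent clear.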


@ -9,7 +9,7 @@ testtools>=2.2.0 # MIT
coverage!=4.4,>=4.0 # Apache-2.0
oslo.serialization!=2.19.1,>=2.18.0 # Apache-2.0
# Bandit security code scanner
bandit>=1.6.0,<1.7.0 # Apache-2.0
bandit>=1.7.0,<1.8.0 # Apache-2.0
stestr>=2.0.0 # Apache-2.0
pre-commit>=2.6.0 # MIT
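Review bot: the new range `bandit>=1.7.0,<1.8.0` admits every 1.7.x release, so whether the request-without-timeout check the commit message refers to actually runs depends on which 1.7.x resolves at install time; if the intent is to rely on that check, a higher lower bound on the line would pin it. The commit message also notes bandit stayed silent on the test file changed in the first hunk; the bandit invocation and its excluded paths are not part of this diff, so it is worth confirming whether the tests directory is excluded from the scan, which would explain the silence independently of the version bump.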