From ee13e53614239572647e1ee0d4bba7dca1a860a3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Herv=C3=A9=20Beraud?=
Date: Fri, 10 Mar 2023 10:52:52 +0100
Subject: [PATCH] Bump bandit and make oslo.messaging compatible with latest rules
- Apply a timeout to requests calls to avoid uncontrolled resource consumption (CWE-400) [1].
- Ignore CWE 377
[1] https://cwe.mitre.org/data/definitions/400.html
[2] https://cwe.mitre.org/data/definitions/377.html
Change-Id: Ic558ad392424a25b5fd9a10749163d8427159eda
---
 oslo_messaging/_metrics/client.py | 3 ++-
 oslo_messaging/tests/functional/test_functional.py | 2 +-
 test-requirements.txt | 2 +-
 3 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/oslo_messaging/_metrics/client.py b/oslo_messaging/_metrics/client.py
index 46916a150..513ce5a3d 100644
--- a/oslo_messaging/_metrics/client.py
+++ b/oslo_messaging/_metrics/client.py
@@ -39,13 +39,14 @@ else:
 # we will facing an issue by trying to override the threading module.
 stdlib_threading = threading
+
 oslo_messaging_metrics = [ cfg.BoolOpt('metrics_enabled', default=False, help='Boolean to send rpc metrics to oslo.metrics.'), cfg.IntOpt('metrics_buffer_size', default=1000, help='Buffer size to store in oslo.messaging.'), cfg.StrOpt('metrics_socket_file',
- default='/var/tmp/metrics_collector.sock',
+ default='/var/tmp/metrics_collector.sock', # nosec
 help='Unix domain socket file to be used' ' to send rpc related metrics'), cfg.StrOpt('metrics_process_name',
diff --git a/oslo_messaging/tests/functional/test_functional.py b/oslo_messaging/tests/functional/test_functional.py
index 3c503ff6a..cb7713c13 100644
--- a/oslo_messaging/tests/functional/test_functional.py
+++ b/oslo_messaging/tests/functional/test_functional.py
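Review bot: The bare `# nosec` added on the `metrics_socket_file` default silences every bandit test on that line rather than only the hardcoded-tmp-directory check (B108) that the `/var/tmp` prefix triggers; bandit 1.7, which this commit moves to, accepts a test-scoped form, so `default='/var/tmp/metrics_collector.sock',  # nosec B108` keeps any other finding on the line visible. The suppression also leaves the next reader with no stated reason for accepting a default under a shared, world-writable directory; since this is a `cfg.StrOpt` that operators can override, a why-comment such as `# nosec B108: default only, deployments set metrics_socket_file in config` would record that rationale next to the suppression. The `oslo_messaging_metrics` list continues past the end of the hunk.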
@@ -590,7 +590,7 @@ class MetricsTestCase(utils.SkipIfNoTransportURL):
 client = group.client(1)
 client.add(increment=1)
 time.sleep(1)
- r = requests.get('http://localhost:3000')
+ r = requests.get('http://localhost:3000', timeout=10)
 for line in r.text.split('\n'):
 if 'client_invocation_start_total{' in line:
 self.assertEqual('1.0', line[-3:])
diff --git a/test-requirements.txt b/test-requirements.txt
index 3a7c44fc7..daf742613 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -26,7 +26,7 @@ coverage!=4.4,>=4.0 # Apache-2.0
 pyngus>=2.2.0 # Apache-2.0
 # Bandit security code scanner
-bandit>=1.6.0,<1.7.0 # Apache-2.0
+bandit>=1.7.0,<1.8.0 # Apache-2.0
 eventlet>=0.23.0 # MIT
 greenlet>=0.4.15 # MIT
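Review bot: `timeout=10` on the `requests.get` call bounds the connect phase and each idle gap between received bytes, not the whole exchange, so a peer that keeps trickling data can still hold the test open well past ten seconds; if a hard cap on the metrics scrape is the intent, a comment such as `# requests timeout is per socket operation, not a total deadline` should say so, or the read should be bounded separately. The reply is also parsed from `r.text` without looking at `r.status_code`, so a non-200 response from whatever is listening on port 3000 surfaces as a confusing assertion failure on the last three characters of a line rather than a clear one; `r.raise_for_status()` before the loop would make that failure mode explicit. The enclosing test method begins before the hunk.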