Enable most bandit checks

Ignore two rules with production code changes, for now.

emails/models.py

@@ -591,7 +591,11 @@ def address_hash(address, subdomain=None, domain=None):
 
 
 def address_default():
-    return "".join(random.choices(string.ascii_lowercase + string.digits, k=9))
+    return "".join(
+        random.choices(  # noqa: S311 (standard pseudo-random generator used)
+            string.ascii_lowercase + string.digits, k=9
+        )
+    )
 
 
 def has_bad_words(value) -> bool:

emails/sns.py

@@ -97,7 +97,7 @@ def _grab_keyfile(cert_url):
 
     pemfile = key_cache.get(cert_url)
     if not pemfile:
-        response = urlopen(cert_url)
+        response = urlopen(cert_url)  # noqa: S310 (check for custom scheme)
         pemfile = response.read()
         # Extract the first certificate in the file and confirm it's a valid
         # PEM certificate

emails/templatetags/email_extras.py

@@ -50,4 +50,4 @@ def convert_fsi_to_span(text: str | SafeString, autoescape=True) -> str | SafeSt
         )
     else:
         result = f'{pre_fsi}<span dir="auto">{middle}</span>{post_pdi}'
-    return mark_safe(result)
+    return mark_safe(result)  # noqa: S308 (use of mark_safe)

privaterelay/allauth.py

@@ -40,7 +40,7 @@ class AccountAdapter(DefaultAccountAdapter):
         # Is this a known frontend path?
         try:
             middleware = RelayStaticFilesMiddleware()
-        except Exception:
+        except Exception:  # noqa: S110 (exception pass without log)
             # Staticfiles are not available
             pass
         else:

privaterelay/settings.py

@@ -485,7 +485,7 @@ elif RELAY_CHANNEL == "local":
 # https://docs.djangoproject.com/en/2.2/ref/settings/#auth-password-validators
 # only needed when admin UI is enabled
 if ADMIN_ENABLED:
-    _DJANGO_PWD_VALIDATION = "django.contrib.auth.password_validation"
+    _DJANGO_PWD_VALIDATION = "django.contrib.auth.password_validation"  # noqa: E501, S105 (long line, possible password)
     AUTH_PASSWORD_VALIDATORS = [
         {"NAME": _DJANGO_PWD_VALIDATION + ".UserAttributeSimilarityValidator"},
         {"NAME": _DJANGO_PWD_VALIDATION + ".MinimumLengthValidator"},

privaterelay/utils.py

@@ -477,7 +477,7 @@ def flag_is_active_in_task(flag_name: str, user: AbstractBaseUser | None) -> boo
         # Removed - check for cookie setting for flag
         # Removed - check for read-only mode
 
-        if Decimal(str(random.uniform(0, 100))) <= flag.percent:
+        if Decimal(str(random.uniform(0, 100))) <= flag.percent:  # noqa: S311
             # Removed - setting the flag for future checks
             return True
 

pyproject.toml

@@ -80,7 +80,13 @@ testpaths = [
 ]
 
 [tool.ruff.lint]
+ignore = [
+    # TODO MPP-3802: Enable more bandit security checks
+    "S101",  # https://docs.astral.sh/ruff/rules/assert/
+    "S113",  # https://docs.astral.sh/ruff/rules/request-without-timeout/
+]
 select = [
+    "S",  # flake8-bandit
     "E",  # pycodestyle errors
     "F",  # pyflakes
     "I",  # isort
@@ -105,3 +111,8 @@ section-order = ["future", "standard-library", "django", "third-party", "first-p
 [tool.ruff.lint.per-file-ignores]
 # Ignore line length in generated file
 "privaterelay/glean/server_events.py" = ["E501"]
+# S101: Allow assert in tests, since it is correct usage for pytest
+# S105: Allow hardcoded passwords in tests
+# S311: Allow pseudo-random generators in tests
+"**/tests/*_tests.py" = ["S101", "S105", "S311"]
+"**/tests/utils.py" = ["S101", "S311"]