From 86b54950d88e44efa2b2502a9447f78fbd18840d Mon Sep 17 00:00:00 2001 From: Jacob Floyd Date: Thu, 24 Oct 2024 13:51:09 -0500 Subject: [PATCH] silence new bandit warning Test results: >> Issue: [B507:ssh_no_host_key_verification] Paramiko call with policy set to automatically trust the unknown host key. Severity: High Confidence: Medium CWE: CWE-295 (https://cwe.mitre.org/data/definitions/295.html) More Info: https://bandit.readthedocs.io/en/1.7.10/plugins/b507_ssh_no_host_key_verification.html Location: ./st2common/st2common/runners/paramiko_ssh.py:781:8 780 client = paramiko.SSHClient() 781 client.set_missing_host_key_policy(paramiko.AutoAddPolicy()) 782 -------------------------------------------------- Code scanned: Total lines of code: 21204 Total lines skipped (#nosec): 0 Total potential issues skipped due to specifically being disabled (e.g., #nosec BXXX): 0 Run metrics: Total issues (by severity): Undefined: 0 Low: 15 Medium: 13 High: 1 Total issues (by confidence): Undefined: 0 Low: 3 Medium: 13 High: 13 Files skipped (0): --- st2common/st2common/runners/paramiko_ssh.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/st2common/st2common/runners/paramiko_ssh.py b/st2common/st2common/runners/paramiko_ssh.py index 7530a532d9..df1c492e89 100644 --- a/st2common/st2common/runners/paramiko_ssh.py +++ b/st2common/st2common/runners/paramiko_ssh.py @@ -778,7 +778,8 @@ def _connect(self, host, socket=None): conninfo["sock"] = socket client = paramiko.SSHClient() - client.set_missing_host_key_policy(paramiko.AutoAddPolicy()) + # FIXME: Allow the admin or end user control the host key policy + client.set_missing_host_key_policy(paramiko.AutoAddPolicy()) # nosec extra = {"_conninfo": conninfo} self.logger.debug("Connection info", extra=extra)