Anders Kaseorg
b7b7475672
python: Use standard secrets module to generate random tokens.
...
There are three functional side effects:
• Correct an insignificant but mathematically offensive bias toward
repeated characters in generate_api_key introduced in commit
47b4283c4b4c70ecde4d3c8de871c90ee2506d87; its entropy is increased
from 190.52864 bits to 190.53428 bits.
• Use the base32 alphabet in confirmation.models.generate_key; its
entropy is reduced from 124.07820 bits to the documented 120 bits, but
now it uses 1 syscall instead of 24.
• Use the base32 alphabet in get_bigbluebutton_url; its entropy is
reduced from 51.69925 bits to 50 bits, but now it uses 1 syscall
instead of 10.
(The base32 alphabet is A-Z 2-7. We could probably replace all of
these with plain secrets.token_urlsafe, since I expect most callers
can handle the full urlsafe_b64 alphabet A-Z a-z 0-9 - _ without
problems.)
Signed-off-by: Anders Kaseorg <anders@zulip.com>
2020-09-09 15:52:57 -07:00
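The entropy figures in the commit message above can be checked with a few lines of arithmetic, and the "1 syscall instead of 24" point comes down to drawing all the randomness with one `secrets.token_bytes()` call and base32-encoding it. The following is an added example, not code from the commit or from Zulip: the alphabets it assumes (62 alphanumerics of length 32, 36 lowercase-plus-digits of length 24 and 10, base32 of the same lengths) are not stated in the commit and were chosen because they reproduce its numbers exactly; the function names are likewise the example's own.

```python
import base64
import math
import secrets
import string

# Assumed alphabets. The commit message gives entropy figures but not the
# alphabets behind them; these choices reproduce the quoted figures to
# five decimals (see entropy_report()).
ALPHANUMERIC = string.ascii_letters + string.digits    # 62 symbols
LOWER_DIGITS = string.ascii_lowercase + string.digits  # 36 symbols
BASE32 = string.ascii_uppercase + "234567"             # RFC 4648: A-Z 2-7


def token_entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols drawn uniformly and independently
    from an alphabet of `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def choice_token(alphabet: str, length: int) -> str:
    """Unbiased token built with one secrets.choice() per symbol.
    secrets.choice() rejection-samples, so any alphabet size is fine and
    there is no modulo bias; the cost is one CSPRNG read per symbol."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def base32_token(length: int) -> str:
    """Token over the base32 alphabet from a single token_bytes() call.
    Each base32 symbol carries 5 bits, so ceil(5*length/8) random bytes
    are enough; slicing keeps only data characters, never '=' padding,
    and every kept symbol is uniform because the input bytes are."""
    nbytes = -(-5 * length // 8)  # ceiling division
    encoded = base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")
    return encoded[:length]


def entropy_report() -> dict:
    """The three changes from the commit message, recomputed, plus the
    plain token_urlsafe alternative the message mentions (8 bits per
    random byte; token_urlsafe(24) yields a 32-character string)."""
    return {
        "generate_api_key (62^32)": round(token_entropy_bits(62, 32), 5),
        "generate_key before (36^24)": round(token_entropy_bits(36, 24), 5),
        "generate_key after (32^24)": token_entropy_bits(32, 24),
        "bigbluebutton before (36^10)": round(token_entropy_bits(36, 10), 5),
        "bigbluebutton after (32^10)": token_entropy_bits(32, 10),
        "token_urlsafe(24)": 8.0 * 24,
    }


def only_alphabet(token: str, alphabet: str) -> bool:
    """Reviewer's check: a token must contain nothing outside its alphabet
    (catches leaked '=' padding or a wrong encoder)."""
    return all(c in alphabet for c in token)


if __name__ == "__main__":
    for name, bits in entropy_report().items():
        print(f"{name:30s} {bits:10.5f} bits")
    print("choice_token:", choice_token(ALPHANUMERIC, 32))
    print("base32_token:", base32_token(24))
```

Running it prints 190.53428, 124.07820, 120.00000, 51.69925 and 50.00000 for the five schemes, matching the commit message; the trade the commit describes is visible in the two generators, where `choice_token` keeps the full 36-symbol alphabet at the price of a CSPRNG read per symbol and `base32_token` gives up a few bits per token for a single read.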
Anders Kaseorg
2794bc1ef4
lint: Reformat YAML files with Prettier.
...
Signed-off-by: Anders Kaseorg <anders@zulip.com>
2020-07-14 16:25:31 -07:00
Anders Kaseorg
f364414cb9
install-semgrep: Upgrade semgrep to 0.14.0.
...
Signed-off-by: Anders Kaseorg <anders@zulip.com>
2020-07-14 00:42:07 -07:00
Anders Kaseorg
4a88e2a732
semgrep: Ban eval.
...
Signed-off-by: Anders Kaseorg <anders@zulip.com>
2020-06-26 12:35:40 -07:00
Anders Kaseorg
48719cb8c4
message_send: Avoid unchecked cast.
...
Signed-off-by: Anders Kaseorg <anders@zulip.com>
2020-06-23 13:30:09 -07:00
Anders Kaseorg
cf6981eef0
lint: Remove other rules about percent formatting.
...
Signed-off-by: Anders Kaseorg <anders@zulip.com>
2020-06-15 16:24:46 -07:00
Anders Kaseorg
f364d06fb5
python: Convert percent formatting to .format for translated strings.
...
Signed-off-by: Anders Kaseorg <anders@zulip.com>
2020-06-15 16:24:46 -07:00
Anders Kaseorg
769e198ab0
lint: Prohibit percent formatting on literal format strings.
...
Signed-off-by: Anders Kaseorg <anders@zulip.com>
2020-06-14 23:27:22 -07:00
Anders Kaseorg
1ed2d9b4a0
logging: Use logging.exception and exc_info for unexpected exceptions.
...
logging.exception() and logging.debug(exc_info=True),
etc. automatically include a traceback.
Signed-off-by: Anders Kaseorg <anders@zulip.com>
2020-06-14 23:27:22 -07:00
Anders Kaseorg
674158b817
migrations: Escape more pedantically in pgroonga.0003_v2_api_upgrade.
...
Signed-off-by: Anders Kaseorg <anders@zulip.com>
2020-06-13 21:50:37 -07:00
Anders Kaseorg
0cc897d08d
migrations: Escape more pedantically in pgroonga.0001_enable.
...
The psycopg2.SQL API unfortunately doesn’t work with
django.db.migrations.RunSQL, so we need to take a detour into
PL/pgSQL for EXECUTE and format.
Signed-off-by: Anders Kaseorg <anders@zulip.com>
2020-06-13 21:50:37 -07:00
Anders Kaseorg
0d6c771baf
python: Guard against default value mutation with read-only types.
...
Signed-off-by: Anders Kaseorg <anders@zulip.com>
2020-06-13 15:31:27 -07:00
Anders Kaseorg
5ad33c9d62
install-semgrep: Upgrade semgrep to 0.9.0.
...
Signed-off-by: Anders Kaseorg <anders@zulip.com>
2020-06-05 09:35:11 -07:00
Aman Agrawal
0504c61bfd
semgrep: Use pattern-where-python operator to filter patterns.
...
See https://github.com/returntocorp/semgrep/blob/experimental/docs/config/advanced.md#pattern-where-python for usage.
This helps us minimize duplication of similar patterns.
2020-05-20 09:37:26 -07:00
Anders Kaseorg
b501d04f6a
semgrep: Lint against common SQL injection patterns.
...
Signed-off-by: Anders Kaseorg <anders@zulip.com>
2020-05-04 09:35:30 -07:00
Anders Kaseorg
bdc365d0fe
logging: Pass format arguments to logging.
...
https://docs.python.org/3/howto/logging.html#optimization
Signed-off-by: Anders Kaseorg <anders@zulip.com>
2020-05-02 10:18:02 -07:00
Aman Agrawal
9089fd5b08
semgrep: Remove unrequired file exclude.
...
This file doesn't contain any matching pattern which violates the
rule.
2020-05-01 11:08:47 -07:00
Aman Agrawal
af0c267cd4
semgrep: Move migrations import check lint rule to semgrep.
...
We change how a few imports in migrations are done to be easier to
lint and more consistent with our typical import style.
2020-05-01 11:07:53 -07:00
Aman Agrawal
8e29c88beb
semgrep: Add rule to enforce no use of stream.objects.filter.
2020-05-01 11:01:14 -07:00
Aman Agrawal
06c831f146
semgrep: Reformat and correct doc link.
2020-05-01 11:01:14 -07:00
Aman Agrawal
5ab62a3514
sgrep/semgrep: Upgrade and rename sgrep to semgrep.
...
With its new upgrade, sgrep has been renamed to semgrep.
Rename sgrep.yml to semgrep.yml
2020-05-01 11:01:14 -07:00