Fix tests, add lint and test workflows (#20)

* Added urlopen version of safe_requests get * Added test workflow and some linting * Added pre-commit hooks + overall linting * Added test instructions for readme * Removed nonexistent exclusions in pre-commit config
pixee · May 7, 2024 · 8adf7c6 · 8adf7c6
1 parent 780b236
commit 8adf7c6
Show file tree

Hide file tree

Showing 16 changed files with 740 additions and 340 deletions.
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -0,0 +1,22 @@
+name: Lint
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+  merge_group:
+
+concurrency:
+  group: (${{ github.workflow }}-${{ github.event.inputs.branch || github.event.pull_request.head.ref }})
+  cancel-in-progress: true
+
+jobs:
+  pre-commit:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - uses: actions/setup-python@v5
+    - uses: pre-commit/action@v3.0.1
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -0,0 +1,59 @@
+name: Unit Tests
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+  merge-group:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  build:
+    name: Build Package
+    runs-on: ubuntu-22.04
+    timeout-minutes: 5
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+      - name: Set Up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.12'
+          cache: 'pip'
+      - name: Install build dependencies
+        run: pip install build twine
+      - name: Build package
+        run: python -m build .
+      - name: Twine Check
+        run: twine check dist/*
+  test:
+    name: Run pytest
+    runs-on: ubuntu-22.04
+    timeout-minutes: 25
+    strategy:
+      matrix:
+        python-version: ['3.10',  '3.11', '3.12']
+    steps:
+      - name: install netcat
+        run: apt update && apt install -y netcat
+      - name: make bash default shell
+        run: ln -sf /bin/bash /bin/sh
+      - name: Check out code
+        uses: actions/checkout@v4
+      - name: Set Up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+          cache: 'pip'
+      - name: Install Codemodder Package
+        run: pip install .
+      - name: Install Dependencies
+        run: pip install -r dev_requirements.txt
+      - name: Run unit tests
+        run: pytest
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -1,13 +1,38 @@
 repos:
 -   repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v2.3.0
+    rev: v4.6.0
     hooks:
     -   id: check-yaml
     -   id: check-json
     -   id: end-of-file-fixer
     -   id: trailing-whitespace
     -   id: check-added-large-files
 -   repo: https://github.com/psf/black
-    rev: 23.3.0
+    rev: 24.4.0
     hooks:
     -   id: black
+- repo: https://github.com/pre-commit/mirrors-mypy
+  rev: v1.9.0
+  hooks:
+   - id: mypy
+     args: [--disable-error-code=has-type,--disable-error-code=import-not-found]
+     additional_dependencies:
+       [
+         "types-jsonschema~=4.21.0",
+         "types-mock==5.0.*",
+         "types-PyYAML==6.0",
+         "types-toml~=0.10",
+         "types-requests~=2.13",
+    ]
+- repo: https://github.com/astral-sh/ruff-pre-commit
+  rev: v0.3.7
+  hooks:
+    - id: ruff
+    # todo: replace black with this?
+    # Run the formatter.
+    # - id: ruff-format
+- repo: https://github.com/pycqa/isort
+  rev: 5.13.2
+  hooks:
+    - id: isort
+      args: ["--profile", "black"]
diff --git a/LICENSE.txt b/LICENSE.txt
@@ -18,4 +18,4 @@ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
+SOFTWARE.
diff --git a/MANIFEST.in b/MANIFEST.in
@@ -1 +1 @@
-include README.md LICENSE.txt
+include README.md LICENSE.txt
diff --git a/README.md b/README.md
@@ -10,3 +10,11 @@ Many of the APIs provided are meant to be drop-in replacements that either offer
 To install this package from PyPI, use the following command:
 
 `pip install security`
+
+## Running tests
+
+DO NOT RUN TESTS LOCALLY WITHOUT A VM/CONTAINER.
+
+Tests will try to run "dangerous" commands (i.e. curl, netcat, etc.) and try to access sensitive files (i.e. sudoers, passwd, etc.). We do so to test the our abilities to detect and filter these types of attacks.
+
+While all these commands are devised as innocuous, it is still not a good idea to risk exposure. They also require a specific environment to pass. We recommend using something like [act](https://github.com/nektos/act) to run the github workflow locally within a container for local development.
diff --git a/src/security/safe_command/__init__.py b/src/security/safe_command/__init__.py
@@ -1 +1,3 @@
 from .api import call, run
+
+__all__ = ["call", "run"]
Original file line number	Diff line number	Diff line change
		@@ -1 +1 @@
		include README.md LICENSE.txt
		include README.md LICENSE.txt
Original file line number	Diff line number	Diff line change
		@@ -1 +1,3 @@
		from .api import call, run

		__all__ = ["call", "run"]