Enable S rule

[artem-shelkovnikov]

Slightly controversial potentially rule:

Enabling "S" rule for linter: https://pypi.org/project/flake8-bandit/

There are a lot of subrules, but generally this group is about security-related issues.

Reported problems:

connectors/sources/directory.py:60:16: S324 Probable use of insecure hash functions in `hashlib`: `md5`
connectors/sources/dropbox.py:67:20: S105 Possible hardcoded password assigned to: "ACCESS_TOKEN"
connectors/sources/microsoft_teams.py:63:31: S105 Possible hardcoded password assigned to: "GRAPH_ACQUIRE_TOKEN_URL"
connectors/sources/mssql.py:56:16: S608 Possible SQL injection vector through string-based query construction
connectors/sources/mssql.py:60:16: S608 Possible SQL injection vector through string-based query construction
connectors/sources/mssql.py:64:16: S608 Possible SQL injection vector through string-based query construction
connectors/sources/mssql.py:68:16: S608 Possible SQL injection vector through string-based query construction
connectors/sources/mssql.py:72:16: S608 Possible SQL injection vector through string-based query construction
connectors/sources/mysql.py:57:16: S608 Possible SQL injection vector through string-based query construction
connectors/sources/mysql.py:60:16: S608 Possible SQL injection vector through string-based query construction
connectors/sources/mysql.py:63:16: S608 Possible SQL injection vector through string-based query construction
connectors/sources/mysql.py:66:16: S608 Possible SQL injection vector through string-based query construction
connectors/sources/mysql.py:69:16: S608 Possible SQL injection vector through string-based query construction
connectors/sources/mysql.py:474:38: S608 Possible SQL injection vector through string-based query construction
connectors/sources/oracle.py:42:13: S608 Possible SQL injection vector through string-based query construction
connectors/sources/oracle.py:47:16: S608 Possible SQL injection vector through string-based query construction
connectors/sources/oracle.py:51:16: S608 Possible SQL injection vector through string-based query construction
connectors/sources/oracle.py:55:16: S608 Possible SQL injection vector through string-based query construction
connectors/sources/oracle.py:59:16: S608 Possible SQL injection vector through string-based query construction
connectors/sources/outlook.py:620:17: S112 `try`-`except`-`continue` detected, consider logging the exception
connectors/sources/postgresql.py:52:16: S608 Possible SQL injection vector through string-based query construction
connectors/sources/postgresql.py:57:13: S608 Possible SQL injection vector through string-based query construction
connectors/sources/postgresql.py:64:16: S608 Possible SQL injection vector through string-based query construction
connectors/sources/postgresql.py:68:16: S608 Possible SQL injection vector through string-based query construction
connectors/sources/postgresql.py:72:16: S608 Possible SQL injection vector through string-based query construction
connectors/sources/s3.py:193:18: S324 Probable use of insecure hash functions in `hashlib`: `md5`
connectors/sources/salesforce.py:32:18: S105 Possible hardcoded password assigned to: "TOKEN_ENDPOINT"
connectors/utils.py:220:36: S602 `subprocess` call with `shell=True` identified, security issue
connectors/utils.py:418:9: S110 `try`-`except`-`pass` detected, consider logging the exception
connectors/utils.py:641:12: S324 Probable use of insecure hash functions in `hashlib`: `md5`

All SQL-reported problems will be investigated and fixed later, thus I've added an ignore rule for now, all others I've manually checked and marked as non-problem.

For now I've also ignored it in test files, manually checking them, but would like to discuss it further - to me it makes sense to enable it for tests too, so that if some credentials are leaked by accident, then the linter will complain.

[navarone-feekery]

Wild that it thinks this is a password 🤷🏻

[artem-shelkovnikov]

Yeah I think the word "TOKEN" triggered it

[navarone-feekery]

Out of curiosity, why did get_event_loop have to be moved?

[artem-shelkovnikov]

Cause it had a "try/except" with except that does nothing. I've added a logger statement there and moved to the only place where the function is used

[navarone-feekery]

For now I've also ignored it in test files, manually checking them, but would like to discuss it further - to me it makes sense to enable it for tests too, so that if some credentials are leaked by accident, then the linter will complain.

I agree having this on for tests makes sense. If it ends up raising too many false positives then we can always disable it.

[github-actions]

💔 Failed to create backport PR(s)

The backport operation could not be completed due to the following error:
There are no branches to backport to. Aborting.

The backport PRs will be merged automatically after passing CI.

To backport manually run:
backport --pr 1857 --autoMerge --autoMergeMethod squash