Fix security flagged issues:

README-DEV.rst

@@ -47,6 +47,10 @@ All tests require that your PYTHONPATH be set to the development tree:
  $ export PYTHONPATH=<path-to-nosql-python-sdk>/nosql-python-sdk/src:\
  $PYTHONPATH
 
+or
+
+ $ export PYTHONPATH=`realpath ..`/src:$PYTHONPATH
+
 If using on-premise Oracle NoSQL database with security enabled, the certificate
 path can be specified through the REQUESTS_CA_BUNDLE environment variable:
 

src/borneo/client.py

@@ -4,7 +4,7 @@
 # Licensed under the Universal Permissive License v 1.0 as shown at
 #  https://oss.oracle.com/licenses/upl/
 #
-
+import urllib.parse
 from concurrent.futures import ThreadPoolExecutor
 from logging import DEBUG
 from platform import python_version
@@ -440,14 +440,31 @@ def _check_and_set_proxy(self, sess):
                 'password are required')
         if self._proxy_host is not None:
             if self._proxy_username is None:
-                proxy_url = (
-                        'http://' + self._proxy_host + ':' + str(self._proxy_port))
+                proxy_url = urllib.parse.urlunparse(
+                    (
+                        'http',
+                        self._proxy_host + ':' +
+                        str(self._proxy_port),
+                        '',
+                        '',
+                        '',
+                        ''
+                    ))
             else:
                 assert self._proxy_password is not None
-                proxy_url = (
-                        'http://' + self._proxy_username + ':' +
-                        self._proxy_password + '@' + self._proxy_host + ':' +
-                        str(self._proxy_port))
+                proxy_url = urllib.parse.urlunparse(
+                    (
+                        'http',
+                        urllib.parse.quote(self._proxy_username, safe='') +
+                        ':' + urllib.parse.quote(
+                            self._proxy_password, safe='') +
+                        '@' + self._proxy_host + ':' +
+                        str(self._proxy_port),
+                        '',
+                        '',
+                        '',
+                        ''
+                    ))
             sess.proxies = {'http': proxy_url, 'https': proxy_url}
 
     @staticmethod
@@ -615,7 +632,7 @@ def set_proxy_info(self, proxy_header):
         """
         if self._proxy_version is None and proxy_header is not None:
             versions = proxy_header.split()
-            # bail if not of correct format
+            # bail if not of the correct format
             if len(versions) >= 2:
                 self._proxy_version = versions[0].split('=')[1]
                 self._kv_version = versions[1].split('=')[1]

src/borneo/driver.py

@@ -4,7 +4,7 @@
 # Licensed under the Universal Permissive License v 1.0 as shown at
 #  https://oss.oracle.com/licenses/upl/
 #
-
+import ssl
 from json import loads
 from logging import FileHandler, Formatter, WARNING, getLogger
 from os import mkdir, path
@@ -812,6 +812,9 @@ def _config_ssl_context(config):
                     ctx = create_default_context()
                 else:
                     ctx = SSLContext(config.get_ssl_protocol())
+                    ctx.load_default_certs()
+                    ctx.verify_mode = ssl.CERT_REQUIRED
+                    ctx.check_hostname = True
                 if config.get_ssl_cipher_suites() is not None:
                     ctx.set_ciphers(config.get_ssl_cipher_suites())
                 if config.get_ssl_ca_certs() is not None:

src/borneo/iam/iam.py

@@ -85,7 +85,7 @@ class SignatureProvider(AuthorizationProvider):
     When using a specific user's identity there are 3 options for providing the
     required information:
 
-    1. Using a instance of oci.signer.Signer or
+    1. Using an instance of oci.signer.Signer or
        oci.auth.signers.SecurityTokenSigner
     2. Directly providing the credentials via parameters
     3. Using a configuration file

src/borneo/kv/kv.py

@@ -278,10 +278,6 @@ def set_ssl_context(self, ssl_ctx):
         adapter = SSLAdapter(ssl_ctx)
         self._sess.mount(self._url.scheme + '://', adapter)
 
-    def set_url_for_test(self):
-        self._url = urlparse(self._url.geturl().replace('https', 'http'))
-        return self
-
     def validate_auth_string(self, auth_string):
         if self._is_secure and auth_string is None:
             raise IllegalArgumentException(

test/store_at_provider.py

@@ -6,6 +6,7 @@
 #
 import sys
 import unittest
+from urllib.parse import urlparse
 from requests import codes
 from socket import error
 from threading import Thread
@@ -128,10 +129,14 @@ def testAccessTokenProviderGets(self):
         self.assertEqual(self.token_provider.get_endpoint(), base)
         self.assertIsNone(self.token_provider.get_logger())
 
+    @staticmethod
+    def _set_url_for_test(token_provider):
+        token_provider._url = urlparse(token_provider._url.geturl().replace('https', 'http'))
+
     def testAccessTokenProviderGetAuthorizationString(self):
         self.token_provider = StoreAccessTokenProvider(USER_NAME, PASSWORD)
         self.token_provider.set_endpoint(self.base)
-        self.token_provider.set_url_for_test()
+        self._set_url_for_test(self.token_provider)
         # get authorization string.
         result = self.token_provider.get_authorization_string()
         self.assertIsNotNone(result)
@@ -147,7 +152,7 @@ def testAccessTokenProviderGetAuthorizationString(self):
     def testAccessTokenProviderMultiThreads(self):
         self.token_provider = StoreAccessTokenProvider(USER_NAME, PASSWORD)
         self.token_provider.set_endpoint(self.base)
-        self.token_provider.set_url_for_test()
+        self._set_url_for_test(self.token_provider)
         threads = list()
         for i in range(5):
             t = Thread(target=self._run)