[Security] Add Bandit (#795)

2025-03-01 19:19:26 +01:00 · 2025-03-01 19:19:26 +01:00 · 8861546ad8
parent 9c1a893ee3
commit 8861546ad8
6 changed files with 67 additions and 38 deletions
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@ -2,6 +2,7 @@ exclude: ^(tests/data)
 default_language_version:
    python: python3.10
 repos:
+  ##### Style / Misc. #####
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v5.0.0
    hooks:
@ -14,7 +15,7 @@ repos:
      - id: end-of-file-fixer
      - id: trailing-whitespace
  - repo: https://github.com/crate-ci/typos
-    rev: v1.29.10
+    rev: v1.30.0
    hooks:
      - id: typos
        args: [--force-exclude]
@ -23,16 +24,24 @@ repos:
    hooks:
    -   id: pyupgrade
  - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: v0.9.6
+    rev: v0.9.9
    hooks:
      - id: ruff
        args: [--fix]
      - id: ruff-format
+
+  ##### Security #####
  - repo: https://github.com/gitleaks/gitleaks
-    rev: v8.23.3
+    rev: v8.24.0
    hooks:
      - id: gitleaks
  - repo: https://github.com/woodruffw/zizmor-pre-commit
-    rev: v1.3.1
+    rev: v1.4.1
    hooks:
      - id: zizmor
+  - repo: https://github.com/PyCQA/bandit
+    rev: 1.8.3
+    hooks:
+    - id: bandit
+      args: ["-c", "pyproject.toml"]
+      additional_dependencies: ["bandit[toml]"]
--- a/lerobot/common/utils/utils.py
+++ b/lerobot/common/utils/utils.py
@ -17,6 +17,7 @@ import logging
 import os
 import os.path as osp
 import platform
+import subprocess
 from copy import copy
 from datetime import datetime, timezone
 from pathlib import Path
@ -165,23 +166,31 @@ def capture_timestamp_utc():


 def say(text, blocking=False):
-    # Check if mac, linux, or windows.
-    if platform.system() == "Darwin":
-        cmd = f'say "{text}"'
-        if not blocking:
-            cmd += " &"
-    elif platform.system() == "Linux":
-        cmd = f'spd-say "{text}"'
-        if blocking:
-            cmd += "  --wait"
-    elif platform.system() == "Windows":
-        # TODO(rcadene): Make blocking option work for Windows
-        cmd = (
-            'PowerShell -Command "Add-Type -AssemblyName System.Speech; '
-            f"(New-Object System.Speech.Synthesis.SpeechSynthesizer).Speak('{text}')\""
-        )
+    system = platform.system()

-    os.system(cmd)
+    if system == "Darwin":
+        cmd = ["say", text]
+
+    elif system == "Linux":
+        cmd = ["spd-say", text]
+        if blocking:
+            cmd.append("--wait")
+
+    elif system == "Windows":
+        cmd = [
+            "PowerShell",
+            "-Command",
+            "Add-Type -AssemblyName System.Speech; "
+            f"(New-Object System.Speech.Synthesis.SpeechSynthesizer).Speak('{text}')",
+        ]
+
+    else:
+        raise RuntimeError("Unsupported operating system for text-to-speech.")
+
+    if blocking:
+        subprocess.run(cmd, check=True)
+    else:
+        subprocess.Popen(cmd, creationflags=subprocess.CREATE_NO_WINDOW if system == "Windows" else 0)


 def log_say(text, play_sounds, blocking=False):
--- a/lerobot/scripts/eval.py
+++ b/lerobot/scripts/eval.py
@ -454,7 +454,7 @@ def _compile_episode_data(


@parser.wrap()
-def eval(cfg: EvalPipelineConfig):
+def eval_main(cfg: EvalPipelineConfig):
    logging.info(pformat(asdict(cfg)))

    # Check device is available
@ -499,4 +499,4 @@ def eval(cfg: EvalPipelineConfig):

 if __name__ == "__main__":
    init_logging()
-    eval()
+    eval_main()
--- a/lerobot/scripts/visualize_dataset_html.py
+++ b/lerobot/scripts/visualize_dataset_html.py
@ -194,7 +194,7 @@ def run_server(
            ]

            response = requests.get(
-                f"https://huggingface.co/datasets/{repo_id}/resolve/main/meta/episodes.jsonl"
+                f"https://huggingface.co/datasets/{repo_id}/resolve/main/meta/episodes.jsonl", timeout=5
            )
            response.raise_for_status()
            # Split into lines and parse each line as JSON
@ -318,7 +318,9 @@ def get_episode_language_instruction(dataset: LeRobotDataset, ep_index: int) ->


 def get_dataset_info(repo_id: str) -> IterableNamespace:
-    response = requests.get(f"https://huggingface.co/datasets/{repo_id}/resolve/main/meta/info.json")
+    response = requests.get(
+        f"https://huggingface.co/datasets/{repo_id}/resolve/main/meta/info.json", timeout=5
+    )
    response.raise_for_status()  # Raises an HTTPError for bad responses
    dataset_info = response.json()
    dataset_info["repo_id"] = repo_id
--- a/pyproject.toml
+++ b/pyproject.toml
@ -111,10 +111,19 @@ exclude = [
    "venv",
 ]

-
 [tool.ruff.lint]
 select = ["E4", "E7", "E9", "F", "I", "N", "B", "C4", "SIM"]

+[tool.bandit]
+exclude_dirs = [
+    "tests",
+    "benchmarks",
+    "lerobot/common/datasets/push_dataset_to_hub",
+    "lerobot/common/datasets/v2/convert_dataset_v1_to_v2",
+    "lerobot/common/policies/pi0/conversion_scripts",
+    "lerobot/scripts/push_dataset_to_hub.py",
+]
+skips = ["B101", "B311", "B404", "B603"]

 [tool.typos]
 default.extend-ignore-re = [