Merge pull request #1614 from huge-success/asgi-custom-request

Add custom request support to ASGI mode; fix a couple tests

.travis.yml

@@ -21,6 +21,10 @@ matrix:
       python: 3.6
     - env: TOX_ENV=check
       python: 3.6
+    - env: TOX_ENV=security
+      python: 3.7
+      dist: xenial
+      sudo: true
 install:
   - pip install -U tox
   - pip install codecov

CHANGELOG.md

@@ -2,11 +2,38 @@ Version 19.6
 ------------
 19.6.0
   - Changes:
-    - Remove `aiohttp` dependencey and create new `SanicTestClient` based upon
+    - [#1562](https://github.com/huge-success/sanic/pull/1562)
-    [`requests-async`](https://github.com/encode/requests-async).
+      Remove `aiohttp` dependencey and create new `SanicTestClient` based upon
+      [`requests-async`](https://github.com/encode/requests-async).
+
+    - [#1475](https://github.com/huge-success/sanic/pull/1475)
+      Added ASGI support (Beta)
+
+    - [#1436](https://github.com/huge-success/sanic/pull/1436)
+      Add Configure support from object string
+
+    - [#1544](https://github.com/huge-success/sanic/pull/1544)
+      Drop dependency on distutil
+
+  - Fixes:
+    - [#1587](https://github.com/huge-success/sanic/pull/1587)
+      Add missing handle for Expect header.
+
+    - [#1560](https://github.com/huge-success/sanic/pull/1560)
+      Allow to disable Transfer-Encoding: chunked.
+
+    - [#1558](https://github.com/huge-success/sanic/pull/1558)
+      Fix graceful shutdown.
+
+    - [#1594](https://github.com/huge-success/sanic/pull/1594)
+      Strict Slashes behavior fix
 
   - Deprecation:
-    - Support for Python 3.5
+    - [#1562](https://github.com/huge-success/sanic/pull/1562)
+      Drop support for Python 3.5
+
+    - [#1568](https://github.com/huge-success/sanic/pull/1568)
+      Deprecate route removal.
 
 Note: Sanic will not support Python 3.5 from version 19.6 and forward. However,
 version 18.12LTS will have its support period extended thru December 2020, and

docs/sanic/changelog.md

@@ -1,21 +1,49 @@
-Version 19.6
+# Changelog
-------------
+
-19.6.0
+## Version 19.6
+
   - Changes:
-    - Remove `aiohttp` dependencey and create new `SanicTestClient` based upon
+    - [#1562](https://github.com/huge-success/sanic/pull/1562)
-    [`requests-async`](https://github.com/encode/requests-async).
+      Remove `aiohttp` dependencey and create new `SanicTestClient` based upon
+      [`requests-async`](https://github.com/encode/requests-async).
+
+    - [#1475](https://github.com/huge-success/sanic/pull/1475)
+      Added ASGI support (Beta)
+
+    - [#1436](https://github.com/huge-success/sanic/pull/1436)
+      Add Configure support from object string
+
+    - [#1544](https://github.com/huge-success/sanic/pull/1544)
+      Drop dependency on distutil
+
+  - Fixes:
+    - [#1587](https://github.com/huge-success/sanic/pull/1587)
+      Add missing handle for Expect header.
+
+    - [#1560](https://github.com/huge-success/sanic/pull/1560)
+      Allow to disable Transfer-Encoding: chunked.
+
+    - [#1558](https://github.com/huge-success/sanic/pull/1558)
+      Fix graceful shutdown.
+
+    - [#1594](https://github.com/huge-success/sanic/pull/1594)
+      Strict Slashes behavior fix
 
   - Deprecation:
-    - Support for Python 3.5
+    - [#1562](https://github.com/huge-success/sanic/pull/1562)
+      Drop support for Python 3.5
+
+    - [#1568](https://github.com/huge-success/sanic/pull/1568)
+      Deprecate route removal.
 
 Note: Sanic will not support Python 3.5 from version 19.6 and forward. However,
 version 18.12LTS will have its support period extended thru December 2020, and
 therefore passing Python's official support version 3.5, which is set to expire
 in September 2020.
 
-Version 19.3
+
--------------
+## Version 19.3
-19.3.1
+
   - Changes:
     - [#1497](https://github.com/huge-success/sanic/pull/1497)
       Add support for zero-length and RFC 5987 encoded filename for
@@ -124,9 +152,8 @@ Version 19.3
 
 Note: 19.3.0 was skipped for packagement purposes and not released on PyPI
 
-Version 18.12
+## Version 18.12
--------------
+
-18.12.0
   - Changes:
     - Improved codebase test coverage from 81% to 91%.
     - Added stream_large_files and host examples in static_file document
@@ -160,8 +187,8 @@ Version 18.12
     - Fix pickling blueprints Change the string passed in the "name" section of the namedtuples in Blueprint to match the name of the Blueprint module attribute name. This allows blueprints to be pickled and unpickled, without errors, which is a requirment of running Sanic in multiprocessing mode in Windows. Added a test for pickling and unpickling blueprints Added a test for pickling and unpickling sanic itself Added a test for enabling multiprocessing on an app with a blueprint (only useful to catch this bug if the tests are run on Windows).
     - Fix document for logging
 
-Version 0.8
+## Version 0.8
------------
+
 0.8.3
   - Changes:
     - Ownership changed to org 'huge-success'
@@ -237,8 +264,8 @@ Version 0.8
 
 Note: Changelog was unmaintained between 0.1 and 0.7
 
-Version 0.1
+## Version 0.1
------------
+
  - 0.1.7
   - Reversed static url and directory arguments to meet spec
  - 0.1.6

docs/sanic/request_data.md

@@ -145,13 +145,17 @@ The following variables are accessible as properties on `Request` objects:
 
   ```
 - `url`: The full URL of the request, ie: `http://localhost:8000/posts/1/?foo=bar`
-- `scheme`: The URL scheme associated with the request: `http` or `https`
+- `scheme`: The URL scheme associated with the request: 'http|https|ws|wss' or arbitrary value given by the headers.
-- `host`: The host associated with the request: `localhost:8080`
+- `host`: The host associated with the request(which in the `Host` header): `localhost:8080`
+- `server_name`: The hostname of the server, without port number. the value is seeked in this order: `config.SERVER_NAME`, `x-forwarded-host` header, :func:`Request.host`
+- `server_port`: Like `server_name`. Seeked in this order: `x-forwarded-port` header, :func:`Request.host`, actual port used by the transport layer socket.
 - `path`: The path of the request: `/posts/1/`
 - `query_string`: The query string of the request: `foo=bar` or a blank string `''`
 - `uri_template`: Template for matching route handler: `/posts/<id>/`
 - `token`: The value of Authorization header: `Basic YWRtaW46YWRtaW4=`
 
+- `url_for`: Just like `sanic.Sanic.url_for`, but automatically determine `scheme` and `netloc` base on the request. Since this method is aiming to generate correct schema & netloc, `_external` is implied.
+
 
 ## Changing the default parsing rules of the queryset
 

docs/sanic/routing.md

@@ -41,27 +41,75 @@ inside the quotes. If the parameter does not match the specified type, Sanic
 will throw a `NotFound` exception, resulting in a `404: Page not found` error
 on the URL.
 
+### Supported types
+
+* `string`
+    * "Bob"
+    * "Python 3"
+* `int`
+    * 10
+    * 20
+    * 30
+    * -10
+    * (No floats work here)
+* `number`
+    * 1
+    * 1.5
+    * 10
+    * -10
+* `alpha`
+    * "Bob"
+    * "Python"
+    * (If it contains a symbol or a non alphanumeric character it will fail)
+* `path`
+    * "hello"
+    * "hello.text"
+    * "hello world"
+* `uuid`
+    * 123a123a-a12a-1a1a-a1a1-1a12a1a12345 (UUIDv4 Support)
+* `regex expression`
+
+If no type is set then a string is expected. The argument given to the function will always be a string, independent of the type.
+
 ```python
 from sanic.response import text
 
-@app.route('/number/<integer_arg:int>')
+@app.route('/string/<string_arg:string>')
+async def string_handler(request, string_arg):
+    return text('String - {}'.format(string_arg))
+
+@app.route('/int/<integer_arg:int>')
 async def integer_handler(request, integer_arg):
-	return text('Integer - {}'.format(integer_arg))
+    return text('Integer - {}'.format(integer_arg))
 
 @app.route('/number/<number_arg:number>')
 async def number_handler(request, number_arg):
-	return text('Number - {}'.format(number_arg))
+    return text('Number - {}'.format(number_arg))
+
+@app.route('/alpha/<alpha_arg:alpha>')
+async def number_handler(request, alpha_arg):
+    return text('Alpha - {}'.format(alpha_arg))
+    
+@app.route('/path/<path_arg:path>')
+async def number_handler(request, path_arg):
+    return text('Path - {}'.format(path_arg))
+
+@app.route('/uuid/<uuid_arg:uuid>')
+async def number_handler(request, uuid_arg):
+    return text('Uuid - {}'.format(uuid_arg))
 
 @app.route('/person/<name:[A-z]+>')
 async def person_handler(request, name):
-	return text('Person - {}'.format(name))
+    return text('Person - {}'.format(name))
 
 @app.route('/folder/<folder_id:[A-z0-9]{0,4}>')
 async def folder_handler(request, folder_id):
-	return text('Folder - {}'.format(folder_id))
+    return text('Folder - {}'.format(folder_id))
 
 ```
 
+**Warning** `str` is not a valid type tag. If you want `str` recognition then you must use `string` 
+
 ## HTTP request types
 
 By default, a route defined on a URL will be available for only GET requests to that URL.

docs/sanic/websocket.rst

@@ -1,7 +1,7 @@
 WebSocket
 =========
 
-Sanic provides an easy to user abstraction on top of `websockets`. To setup a WebSocket:
+Sanic provides an easy to use abstraction on top of `websockets`. To setup a WebSocket:
 
 .. code:: python
 

sanic/asgi.py

@@ -88,7 +88,7 @@ class MockTransport:
         self._websocket_connection = WebSocketConnection(send, receive)
         return self._websocket_connection
 
-    def add_task(self) -> None:  # noqa
+    def add_task(self) -> None:
         raise NotImplementedError
 
     async def send(self, data) -> None:
@@ -119,27 +119,20 @@ class Lifespan:
                 "the ASGI server is stopped."
             )
 
-    # async def pre_startup(self) -> None:
-    #     for handler in self.asgi_app.sanic_app.listeners[
-    #         "before_server_start"
-    #     ]:
-    #         response = handler(
-    #             self.asgi_app.sanic_app, self.asgi_app.sanic_app.loop
-    #         )
-    #         if isawaitable(response):
-    #             await response
-
     async def startup(self) -> None:
-        for handler in self.asgi_app.sanic_app.listeners[
+        """
-            "before_server_start"
+        Gather the listeners to fire on server start.
-        ]:
+        Because we are using a third-party server and not Sanic server, we do
-            response = handler(
+        not have access to fire anything BEFORE the server starts.
-                self.asgi_app.sanic_app, self.asgi_app.sanic_app.loop
+        Therefore, we fire before_server_start and after_server_start
-            )
+        in sequence since the ASGI lifespan protocol only supports a single
-            if isawaitable(response):
+        startup event.
-                await response
+        """
+        listeners = self.asgi_app.sanic_app.listeners.get(
+            "before_server_start", []
+        ) + self.asgi_app.sanic_app.listeners.get("after_server_start", [])
 
-        for handler in self.asgi_app.sanic_app.listeners["after_server_start"]:
+        for handler in listeners:
             response = handler(
                 self.asgi_app.sanic_app, self.asgi_app.sanic_app.loop
             )
@@ -147,14 +140,19 @@ class Lifespan:
                 await response
 
     async def shutdown(self) -> None:
-        for handler in self.asgi_app.sanic_app.listeners["before_server_stop"]:
+        """
-            response = handler(
+        Gather the listeners to fire on server stop.
-                self.asgi_app.sanic_app, self.asgi_app.sanic_app.loop
+        Because we are using a third-party server and not Sanic server, we do
-            )
+        not have access to fire anything AFTER the server stops.
-            if isawaitable(response):
+        Therefore, we fire before_server_stop and after_server_stop
-                await response
+        in sequence since the ASGI lifespan protocol only supports a single
+        shutdown event.
+        """
+        listeners = self.asgi_app.sanic_app.listeners.get(
+            "before_server_stop", []
+        ) + self.asgi_app.sanic_app.listeners.get("after_server_stop", [])
 
-        for handler in self.asgi_app.sanic_app.listeners["after_server_stop"]:
+        for handler in listeners:
             response = handler(
                 self.asgi_app.sanic_app, self.asgi_app.sanic_app.loop
             )
@@ -223,7 +221,8 @@ class ASGIApp:
                 # TODO:
                 # - close connection
 
-            instance.request = Request(
+            request_class = sanic_app.request_class or Request
+            instance.request = request_class(
                 url_bytes,
                 headers,
                 version,

sanic/blueprint_group.py

@@ -1,4 +1,4 @@
-from collections import MutableSequence
+from collections.abc import MutableSequence
 
 
 class BlueprintGroup(MutableSequence):

sanic/config.py

@@ -80,7 +80,7 @@ class Config(dict):
         module.__file__ = filename
         try:
             with open(filename) as config_file:
-                exec(
+                exec(  # nosec
                     compile(config_file.read(), filename, "exec"),
                     module.__dict__,
                 )

sanic/request.py

@@ -27,7 +27,6 @@ except ImportError:
     else:
         json_loads = json.loads
 
-
 DEFAULT_HTTP_CONTENT_TYPE = "application/octet-stream"
 EXPECT_HEADER = "EXPECT"
 
@@ -329,12 +328,18 @@ class Request(dict):
 
     @property
     def ip(self):
+        """
+        :return: peer ip of the socket
+        """
         if not hasattr(self, "_socket"):
             self._get_address()
         return self._ip
 
     @property
     def port(self):
+        """
+        :return: peer port of the socket
+        """
         if not hasattr(self, "_socket"):
             self._get_address()
         return self._port
@@ -353,6 +358,39 @@ class Request(dict):
         self._ip = self._socket[0]
         self._port = self._socket[1]
 
+    @property
+    def server_name(self):
+        """
+        Attempt to get the server's hostname in this order:
+        `config.SERVER_NAME`, `x-forwarded-host` header, :func:`Request.host`
+
+        :return: the server name without port number
+        :rtype: str
+        """
+        return (
+            self.app.config.get("SERVER_NAME")
+            or self.headers.get("x-forwarded-host")
+            or self.host.split(":")[0]
+        )
+
+    @property
+    def server_port(self):
+        """
+        Attempt to get the server's port in this order:
+        `x-forwarded-port` header, :func:`Request.host`, actual port used by
+        the transport layer socket.
+        :return: server port
+        :rtype: int
+        """
+        forwarded_port = self.headers.get("x-forwarded-port") or (
+            self.host.split(":")[1] if ":" in self.host else None
+        )
+        if forwarded_port:
+            return int(forwarded_port)
+        else:
+            _, port = self.transport.get_extra_info("sockname")
+            return port
+
     @property
     def remote_addr(self):
         """Attempt to return the original client ip based on X-Forwarded-For
@@ -393,6 +431,20 @@ class Request(dict):
 
     @property
     def scheme(self):
+        """
+        Attempt to get the request scheme.
+        Seeking the value in this order:
+        `x-forwarded-proto` header, `x-scheme` header, the sanic app itself.
+
+        :return: http|https|ws|wss or arbitrary value given by the headers.
+        :rtype: str
+        """
+        forwarded_proto = self.headers.get(
+            "x-forwarded-proto"
+        ) or self.headers.get("x-scheme")
+        if forwarded_proto:
+            return forwarded_proto
+
         if (
             self.app.websocket_enabled
             and self.headers.get("upgrade") == "websocket"
@@ -408,8 +460,12 @@ class Request(dict):
 
     @property
     def host(self):
+        """
+        :return: the Host specified in the header, may contains port number.
+        """
         # it appears that httptools doesn't return the host
         # so pull it from the headers
+
         return self.headers.get("Host", "")
 
     @property
@@ -438,6 +494,31 @@ class Request(dict):
             (self.scheme, self.host, self.path, None, self.query_string, None)
         )
 
+    def url_for(self, view_name, **kwargs):
+        """
+        Same as :func:`sanic.Sanic.url_for`, but automatically determine
+        `scheme` and `netloc` base on the request. Since this method is aiming
+        to generate correct schema & netloc, `_external` is implied.
+
+        :param kwargs: takes same parameters as in :func:`sanic.Sanic.url_for`
+        :return: an absolute url to the given view
+        :rtype: str
+        """
+        scheme = self.scheme
+        host = self.server_name
+        port = self.server_port
+
+        if (scheme.lower() in ("http", "ws") and port == 80) or (
+            scheme.lower() in ("https", "wss") and port == 443
+        ):
+            netloc = host
+        else:
+            netloc = "{}:{}".format(host, port)
+
+        return self.app.url_for(
+            view_name, _external=True, _scheme=scheme, _server=netloc, **kwargs
+        )
+
 
 File = namedtuple("File", ["type", "body", "name"])
 

setup.py

@@ -112,7 +112,7 @@ if strtobool(os.environ.get("SANIC_NO_UVLOOP", "no")):
 
 extras_require = {
     "test": tests_require,
-    "dev": tests_require + ["aiofiles", "tox", "black", "flake8"],
+    "dev": tests_require + ["aiofiles", "tox", "black", "flake8", "bandit"],
     "docs": [
         "sphinx",
         "sphinx_rtd_theme",

tests/test_asgi.py

@@ -5,8 +5,11 @@ from collections import deque
 import pytest
 import uvicorn
 
+from sanic import Sanic
 from sanic.asgi import MockTransport
 from sanic.exceptions import InvalidUsage
+from sanic.request import Request
+from sanic.response import text
 from sanic.websocket import WebSocketConnection
 
 
@@ -201,3 +204,28 @@ def test_improper_websocket_connection(transport, send, receive):
     transport.create_websocket_connection(send, receive)
     connection = transport.get_websocket_connection()
     assert isinstance(connection, WebSocketConnection)
+
+
+@pytest.mark.asyncio
+async def test_request_class_regular(app):
+    @app.get("/regular")
+    def regular_request(request):
+        return text(request.__class__.__name__)
+
+    _, response = await app.asgi_client.get("/regular")
+    assert response.body == b"Request"
+
+
+@pytest.mark.asyncio
+async def test_request_class_custom():
+    class MyCustomRequest(Request):
+        pass
+
+    app = Sanic(request_class=MyCustomRequest)
+
+    @app.get("/custom")
+    def custom_request(request):
+        return text(request.__class__.__name__)
+
+    _, response = await app.asgi_client.get("/custom")
+    assert response.body == b"MyCustomRequest"

tests/test_config.py

@@ -19,8 +19,8 @@ def temp_path():
 
 
 class ConfigTest:
-        not_for_config = 'should not be used'
+    not_for_config = "should not be used"
-        CONFIG_VALUE = 'should be used'
+    CONFIG_VALUE = "should be used"
 
 
 def test_load_from_object(app):
@@ -31,15 +31,15 @@ def test_load_from_object(app):
 
 
 def test_load_from_object_string(app):
-    app.config.from_object('test_config.ConfigTest')
+    app.config.from_object("test_config.ConfigTest")
-    assert 'CONFIG_VALUE' in app.config
+    assert "CONFIG_VALUE" in app.config
-    assert app.config.CONFIG_VALUE == 'should be used'
+    assert app.config.CONFIG_VALUE == "should be used"
-    assert 'not_for_config' not in app.config
+    assert "not_for_config" not in app.config
 
 
 def test_load_from_object_string_exception(app):
     with pytest.raises(ImportError):
-        app.config.from_object('test_config.Config.test')
+        app.config.from_object("test_config.Config.test")
 
 
 def test_auto_load_env():

tests/test_helpers.py

@@ -1,8 +1,9 @@
 import inspect
 
+import pytest
+
 from sanic import helpers
 from sanic.config import Config
-import pytest
 
 
 def test_has_message_body():
@@ -63,15 +64,15 @@ def test_remove_entity_headers():
 
 
 def test_import_string_class():
-    obj = helpers.import_string('sanic.config.Config')
+    obj = helpers.import_string("sanic.config.Config")
     assert isinstance(obj, Config)
 
 
 def test_import_string_module():
-    module = helpers.import_string('sanic.config')
+    module = helpers.import_string("sanic.config")
     assert inspect.ismodule(module)
 
 
 def test_import_string_exception():
     with pytest.raises(ImportError):
-        helpers.import_string('test.test.test')
+        helpers.import_string("test.test.test")

tests/test_requests.py

@@ -629,6 +629,21 @@ async def test_remote_addr_custom_headers_asgi(app):
     assert response.text == "127.0.0.2"
 
 
+def test_forwarded_scheme(app):
+    @app.route("/")
+    async def handler(request):
+        return text(request.remote_addr)
+
+    request, response = app.test_client.get("/")
+    assert request.scheme == 'http'
+
+    request, response = app.test_client.get("/", headers={'X-Forwarded-Proto': 'https'})
+    assert request.scheme == 'https'
+
+    request, response = app.test_client.get("/", headers={'X-Scheme': 'https'})
+    assert request.scheme == 'https'
+
+
 def test_match_info(app):
     @app.route("/api/v1/user/<user_id>/")
     async def handler(request, user_id):
@@ -1656,6 +1671,70 @@ def test_request_socket(app):
     assert hasattr(request, "_socket")
 
 
+def test_request_server_name(app):
+    @app.get("/")
+    def handler(request):
+        return text("OK")
+
+    request, response = app.test_client.get("/")
+    assert request.server_name == '127.0.0.1'
+
+
+def test_request_server_name_in_host_header(app):
+    @app.get("/")
+    def handler(request):
+        return text("OK")
+
+    request, response = app.test_client.get("/", headers={'Host': 'my_server:5555'})
+    assert request.server_name == 'my_server'
+
+
+def test_request_server_name_forwarded(app):
+    @app.get("/")
+    def handler(request):
+        return text("OK")
+
+    request, response = app.test_client.get("/", headers={
+        'Host': 'my_server:5555',
+        'X-Forwarded-Host': 'your_server'
+    })
+    assert request.server_name == 'your_server'
+
+
+def test_request_server_port(app):
+    @app.get("/")
+    def handler(request):
+        return text("OK")
+
+    request, response = app.test_client.get("/", headers={
+        'Host': 'my_server'
+    })
+    assert request.server_port == app.test_client.port
+
+
+def test_request_server_port_in_host_header(app):
+    @app.get("/")
+    def handler(request):
+        return text("OK")
+
+    request, response = app.test_client.get("/", headers={
+        'Host': 'my_server:5555'
+    })
+    assert request.server_port == 5555
+
+
+def test_request_server_port_forwarded(app):
+    @app.get("/")
+    def handler(request):
+        return text("OK")
+
+    request, response = app.test_client.get("/", headers={
+        'Host': 'my_server:5555',
+        'X-Forwarded-Port': '4444'
+    })
+    assert request.server_port == 4444
+
+
 def test_request_form_invalid_content_type(app):
     @app.route("/", methods=["POST"])
     async def post(request):
@@ -1666,6 +1745,38 @@ def test_request_form_invalid_content_type(app):
     assert request.form == {}
 
 
+def test_url_for_with_forwarded_request(app):
+    @app.get("/")
+    def handler(request):
+        return text("OK")
+
+    @app.get("/another_view/")
+    def view_name(request):
+        return text("OK")
+
+    request, response = app.test_client.get("/", headers={
+        'X-Forwarded-Proto': 'https',
+    })
+    assert app.url_for('view_name') == '/another_view'
+    assert app.url_for('view_name', _external=True) == 'http:///another_view'
+    assert request.url_for('view_name') == 'https://127.0.0.1:{}/another_view'.format(app.test_client.port)
+
+    app.config.SERVER_NAME = "my_server"
+    request, response = app.test_client.get("/", headers={
+        'X-Forwarded-Proto': 'https',
+        'X-Forwarded-Port': '6789',
+    })
+    assert app.url_for('view_name') == '/another_view'
+    assert app.url_for('view_name', _external=True) == 'http://my_server/another_view'
+    assert request.url_for('view_name') == 'https://my_server:6789/another_view'
+
+    request, response = app.test_client.get("/", headers={
+        'X-Forwarded-Proto': 'https',
+        'X-Forwarded-Port': '443',
+    })
+    assert request.url_for('view_name') == 'https://my_server/another_view'
+
+    
 @pytest.mark.asyncio
 async def test_request_form_invalid_content_type_asgi(app):
     @app.route("/", methods=["POST"])
@@ -1676,7 +1787,7 @@ async def test_request_form_invalid_content_type_asgi(app):
 
     assert request.form == {}
 
-
+    
 def test_endpoint_basic():
     app = Sanic()
 

tox.ini

@@ -1,5 +1,5 @@
 [tox]
-envlist = py36, py37, {py36,py37}-no-ext, lint, check
+envlist = py36, py37, {py36,py37}-no-ext, lint, check, security
 
 [testenv]
 usedevelop = True
@@ -31,10 +31,11 @@ deps =
     flake8
     black
     isort
+    bandit
 
 commands =
     flake8 sanic
-    black --config ./.black.toml --check --verbose sanic
+    black --config ./.black.toml --check --verbose sanic/
     isort --check-only --recursive sanic
 
 [testenv:check]
@@ -47,3 +48,10 @@ commands =
 [pytest]
 filterwarnings =
     ignore:.*async with lock.* instead:DeprecationWarning
+
+[testenv:security]
+deps =
+    bandit
+
+commands =
+    bandit --recursive sanic --skip B404,B101 --exclude sanic/reloader_helpers.py