authorÉtienne Loks <etienne.loks@iggdrasil.net>2025-12-01 11:48:43 +0100
committerÉtienne Loks <etienne.loks@iggdrasil.net>2025-12-01 11:48:43 +0100
commite239ce326755e476521e35d7cbb680d1358b5883 (patch)
treeed76a3c850053285fab752d0b0f16f0e7a66f51b
parent679f1fbd3579d5433f2a85917de3d2a812253c2c (diff)
downloadIshtar-e239ce326755e476521e35d7cbb680d1358b5883.tar.bz2
Ishtar-e239ce326755e476521e35d7cbb680d1358b5883.zip
🔒️ fix bandit warnings
-rw-r--r--archaeological_finds/models_treatments.py5
-rw-r--r--archaeological_finds/tests.py7
-rw-r--r--ishtar_common/models_imports.py3
-rw-r--r--ishtar_common/utils_secretary.py19
4 files changed, 22 insertions, 12 deletions
diff --git a/archaeological_finds/models_treatments.py b/archaeological_finds/models_treatments.py
index 69f0d9d69..ebe842ac7 100644
--- a/archaeological_finds/models_treatments.py
+++ b/archaeological_finds/models_treatments.py
@@ -18,8 +18,9 @@
# See the file COPYING for details.
import datetime
-import lxml.etree
-import lxml.builder
+# nosec: used to build a controlled XML
+import lxml.etree # nosec
+import lxml.builder # nosec
import os
import shutil
import tempfile
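Review bot: The bare `# nosec` on the two import lines silences every bandit check on those lines, while the justification only explains the `lxml.builder` use; prefer the test-qualified form, `import lxml.etree  # nosec B410` and `import lxml.builder  # nosec B410`, so unrelated future findings on those lines are not hidden. An import-time suppression also says nothing about how `lxml.etree` is used later in this module: if it parses any file or string (a `fromstring`/`parse` call, outside this hunk), that call site needs its own hardened `etree.XMLParser(resolve_entities=False, no_network=True)` and its own annotated `# nosec B320`, not the import comment. Newer bandit releases may have dropped B410 altogether, in which case this comment can simply be removed on the next upgrade.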
diff --git a/archaeological_finds/tests.py b/archaeological_finds/tests.py
index 26e9b6dc5..f105093fd 100644
--- a/archaeological_finds/tests.py
+++ b/archaeological_finds/tests.py
@@ -2066,7 +2066,8 @@ class FindPermissionTest(FindInit, TestPermissionQuery, TestCase):
username, password, user = create_superuser()
self.users["superuser"] = (username, password, user)
- upstream_username, upstream_password, upstream_user = create_user(
+ # nosec: hard coded password for test purposes
+ upstream_username, upstream_password, upstream_user = create_user( # nosec
username="up", password="up"
)
UserProfile.objects.create(
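Review bot: The `# nosec` added to the `create_user(` line is a blanket suppression on a multi-line call; bandit (1.7.0 and later) accepts a test-ID-qualified form, so `create_user(  # nosec B106` records that only the hardcoded_password_funcarg finding is intended and keeps any other check active on that line. The same wording applies to the second `create_user` call later in this method. The enclosing method starts before this hunk and continues after it.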
@@ -2121,8 +2122,8 @@ class FindPermissionTest(FindInit, TestPermissionQuery, TestCase):
self.operations[-1].context_record.all()[0].ishtar_users.add(
upstream_user.ishtaruser
)
-
- associated_username, associated_password, associated_user = create_user(
+ # nosec: hard coded password for test purposes
+ associated_username, associated_password, associated_user = create_user( # nosec
username="as", password="as"
)
UserProfile.objects.create(
diff --git a/ishtar_common/models_imports.py b/ishtar_common/models_imports.py
index 3d8cce882..528201927 100644
--- a/ishtar_common/models_imports.py
+++ b/ishtar_common/models_imports.py
@@ -2368,7 +2368,8 @@ class Import(BaseImport):
if not col_numbers:
return
last_column = max(col_numbers)
- filename = ".".join(imported_file_path.split('.')[:-1]) + f"-{random.randint(1, 10000):05d}.csv"
+ # random is not used for cryptographic purpose
+ filename = ".".join(imported_file_path.split('.')[:-1]) + f"-{random.randint(1, 10000):05d}.csv" # nosec
try:
data.to_csv(filename, index=False, columns=data.columns[range(last_column)],
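Review bot: The justification is right for B311, but the weakness bandit cannot see is that the name is predictable and `data.to_csv(filename, ...)` opens it without an exclusive-create flag, so with only 10000 candidate suffixes a colliding or pre-planted file at that path (a symlink, if the directory is writable by other local users) would be silently overwritten. If `imported_file_path` can live in a shared directory, derive the name with `tempfile.NamedTemporaryFile(prefix=stem + "-", suffix=".csv", dir=os.path.dirname(imported_file_path), delete=False)` or `os.open(..., os.O_CREAT | os.O_EXCL | os.O_WRONLY)`, which removes both the collision and the bandit finding; otherwise narrow the suppression to `# nosec B311`. Separately, `".".join(imported_file_path.split('.')[:-1])` yields an empty stem when the path contains no dot, producing a relative name like `-00042.csv` in the working directory — `os.path.splitext(imported_file_path)[0]` avoids that. The `try` block continues past this hunk.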
diff --git a/ishtar_common/utils_secretary.py b/ishtar_common/utils_secretary.py
index 0ce4732d4..77a2cbc9b 100644
--- a/ishtar_common/utils_secretary.py
+++ b/ishtar_common/utils_secretary.py
@@ -2,8 +2,9 @@
# -*- coding: utf-8 -*-
import re
from secretary import Renderer
-from lxml import etree
-from xml.dom.minidom import parseString
+# source files is from admin user this should be safe
+from lxml import etree # nosec
+from xml.dom.minidom import parseString # nosec
from xml.parsers.expat import ExpatError, ErrorString
from PIL import Image
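Review bot: The comment `source files is from admin user this should be safe` describes the template document, but `etree` and `parseString` are imported here to parse the rendered output further down in this file, which carries the data substituted into the template and not only admin-authored content, so the rationale is too broad for an import-level suppression. Narrow the markers to `from lxml import etree  # nosec B410` and `from xml.dom.minidom import parseString  # nosec B408`, and fix the grammar, e.g. `# the template files come from an admin user; the parsers are hardened where they are used`. The actual hardening belongs at the parse site, not on the import.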
@@ -108,10 +109,16 @@ class IshtarSecretaryRenderer(Renderer):
result = jinja_template.render(**kwargs)
# try to fix xml with mismatched tags
- parser = etree.XMLParser(recover=True)
- recovered_xml = etree.fromstring(result.encode("ascii", "xmlcharrefreplace"), parser)
-
- final_xml = parseString(etree.tostring(recovered_xml))
+ # source files is from admin user this should be safe
+ parser = etree.XMLParser(recover=True) # nosec
+ recovered_xml = etree.fromstring(
+ result.encode("ascii", "xmlcharrefreplace"),
+ parser)
+
+ # source files is from admin user this should be safe
+ final_xml = parseString( # nosec
+ etree.tostring(recovered_xml)
+ )
if self.template_images:
self.replace_images(final_xml)
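Review bot: The `result` handed to `etree.fromstring` is the Jinja render of the template with `kwargs` substituted (`result = jinja_template.render(**kwargs)`), so the parsed text includes whatever those variables carry, not only the admin-authored template; unless secretary escapes every substituted value (not visible here), the "from admin user" justification does not cover it. Hardening the parser is one line and changes nothing for a recover-mode parse: `parser = etree.XMLParser(recover=True, resolve_entities=False, no_network=True)  # nosec B320`, which disables entity expansion and external DTD/entity fetches independently of the lxml version's defaults. The later `parseString` only re-parses lxml's own serialization of the recovered element (`etree.tostring(recovered_xml)`), which carries no DOCTYPE, so its `# nosec B318` is defensible once the lxml parser is hardened — say that in the comment instead of repeating the admin-user rationale, and note that an unresolved entity reference would then surface from minidom as the `ExpatError` this module already imports. The enclosing method continues past this hunk.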