authorÉtienne Loks <etienne.loks@iggdrasil.net>2025-12-01 11:48:43 +0100
committerÉtienne Loks <etienne.loks@iggdrasil.net>2025-12-01 11:48:43 +0100
commite239ce326755e476521e35d7cbb680d1358b5883 (patch)
treeed76a3c850053285fab752d0b0f16f0e7a66f51b /ishtar_common
parent679f1fbd3579d5433f2a85917de3d2a812253c2c (diff)
🔒️ fix bandit warnings
Diffstat (limited to 'ishtar_common')
-rw-r--r--ishtar_common/models_imports.py3
-rw-r--r--ishtar_common/utils_secretary.py19
2 files changed, 15 insertions, 7 deletions
diff --git a/ishtar_common/models_imports.py b/ishtar_common/models_imports.py
index 3d8cce882..528201927 100644
--- a/ishtar_common/models_imports.py
+++ b/ishtar_common/models_imports.py
@@ -2368,7 +2368,8 @@ class Import(BaseImport):
if not col_numbers:
return
last_column = max(col_numbers)
- filename = ".".join(imported_file_path.split('.')[:-1]) + f"-{random.randint(1, 10000):05d}.csv"
+ # random is not used for cryptographic purpose
+ filename = ".".join(imported_file_path.split('.')[:-1]) + f"-{random.randint(1, 10000):05d}.csv" # nosec
try:
data.to_csv(filename, index=False, columns=data.columns[range(last_column)],
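Review bot: The bare `# nosec` added on the filename line suppresses every bandit finding for that line, not only the B311 it was added for; scope it as `# nosec B311` so a future finding on the same line is not silently hidden, and tighten the comment to `# random is not used for a cryptographic purpose`. Separately, a name built from `randint(1, 10000)` can collide with an existing file and `to_csv` will then overwrite it without warning; if this CSV is a scratch file, `tempfile.mkstemp(prefix=..., suffix=".csv", dir=...)` creates it exclusively and removes the need for the suppression altogether (`tempfile` would need to be imported, which this hunk does not show). The enclosing method continues beyond the hunk on both sides, so I cannot see how the file is used afterwards.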
diff --git a/ishtar_common/utils_secretary.py b/ishtar_common/utils_secretary.py
index 0ce4732d4..77a2cbc9b 100644
--- a/ishtar_common/utils_secretary.py
+++ b/ishtar_common/utils_secretary.py
@@ -2,8 +2,9 @@
# -*- coding: utf-8 -*-
import re
from secretary import Renderer
-from lxml import etree
-from xml.dom.minidom import parseString
+# source files is from admin user this should be safe
+from lxml import etree # nosec
+from xml.dom.minidom import parseString # nosec
from xml.parsers.expat import ExpatError, ErrorString
from PIL import Image
@@ -108,10 +109,16 @@ class IshtarSecretaryRenderer(Renderer):
result = jinja_template.render(**kwargs)
# try to fix xml with mismatched tags
- parser = etree.XMLParser(recover=True)
- recovered_xml = etree.fromstring(result.encode("ascii", "xmlcharrefreplace"), parser)
-
- final_xml = parseString(etree.tostring(recovered_xml))
+ # source files is from admin user this should be safe
+ parser = etree.XMLParser(recover=True) # nosec
+ recovered_xml = etree.fromstring(
+ result.encode("ascii", "xmlcharrefreplace"),
+ parser)
+
+ # source files is from admin user this should be safe
+ final_xml = parseString( # nosec
+ etree.tostring(recovered_xml)
+ )
if self.template_images:
self.replace_images(final_xml)
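Review bot: The bare `# nosec` markers on the two imports at the top of the first hunk and on the two parse calls in the second hunk suppress every bandit test for those lines rather than the one that fired; scope them to the reported IDs, e.g. `# nosec B410` / `# nosec B408` on the imports and the corresponding blacklist-call IDs on `fromstring` and `parseString` (take the exact IDs from the bandit output). The justification comment also only covers the template: `result` is the template rendered with `**kwargs`, so "admin user, should be safe" holds only if the renderer escapes those values, and the comment should say so, e.g. `# Template is admin-supplied and rendered values are escaped, so the XML is trusted`. Independently of the suppression, the lxml parser can be hardened at no cost if the templates use no external entities: `parser = etree.XMLParser(recover=True, resolve_entities=False, no_network=True)`. The enclosing render method continues outside the hunk.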