| -rw-r--r-- | archaeological_finds/models_treatments.py | 5 | ||||
| -rw-r--r-- | archaeological_finds/tests.py | 7 | ||||
| -rw-r--r-- | ishtar_common/models_imports.py | 3 | ||||
| -rw-r--r-- | ishtar_common/utils_secretary.py | 19 |
4 files changed, 22 insertions, 12 deletions
diff --git a/archaeological_finds/models_treatments.py b/archaeological_finds/models_treatments.py
index 69f0d9d69..ebe842ac7 100644
--- a/archaeological_finds/models_treatments.py
+++ b/archaeological_finds/models_treatments.py
@@ -18,8 +18,9 @@ # See the file COPYING for details.
 import datetime
-import lxml.etree
-import lxml.builder
+# nosec: used to build a controlled XML
+import lxml.etree # nosec
+import lxml.builder # nosec
 import os
 import shutil
 import tempfile
diff --git a/archaeological_finds/tests.py b/archaeological_finds/tests.py
index 26e9b6dc5..f105093fd 100644
--- a/archaeological_finds/tests.py
+++ b/archaeological_finds/tests.py
@@ -2066,7 +2066,8 @@ class FindPermissionTest(FindInit, TestPermissionQuery, TestCase):
 username, password, user = create_superuser()
 self.users["superuser"] = (username, password, user)
- upstream_username, upstream_password, upstream_user = create_user(
+ # nosec: hard coded password for test purposes
+ upstream_username, upstream_password, upstream_user = create_user( # nosec
 username="up", password="up"
 )
 UserProfile.objects.create(
@@ -2121,8 +2122,8 @@ class FindPermissionTest(FindInit, TestPermissionQuery, TestCase):
 self.operations[-1].context_record.all()[0].ishtar_users.add(
 upstream_user.ishtaruser
 )
-
- associated_username, associated_password, associated_user = create_user(
+ # nosec: hard coded password for test purposes
+ associated_username, associated_password, associated_user = create_user( # nosec
 username="as", password="as"
 )
 UserProfile.objects.create(
diff --git a/ishtar_common/models_imports.py b/ishtar_common/models_imports.py
index 3d8cce882..528201927 100644
--- a/ishtar_common/models_imports.py
+++ b/ishtar_common/models_imports.py
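Review bot: The bare `# nosec` on the two new import lines silences every bandit finding that ever lands on those lines, not just the lxml import warning it is meant to cover; bandit accepts a test ID after the marker, so scope it: `import lxml.etree  # nosec B410` and `import lxml.builder  # nosec B410`. The comment above says the XML is "controlled", but an import-line suppression cannot express that — the trust boundary is wherever `lxml.etree` parses input later in this file, which is outside the hunk, so a pointer there would make the claim checkable: `# nosec: lxml is used here to build XML with lxml.builder; the parsing call sites carry their own justification`. If the project's bandit version no longer reports B410 on this line, the marker can simply be dropped.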
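Review bot: The `# nosec` appended to the `create_user(` line is unscoped, so it would also hide any other finding bandit later reports on that line; the hardcoded-password-in-argument check it targets is B106, and `create_user(  # nosec B106` limits the suppression to that check. Since the password is a throw-away test fixture, make the comment say so in the marker's own words: `# nosec B106: throw-away credentials for a test fixture`. The enclosing test method starts and ends outside this hunk.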
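Review bot: The blank line separating the `ishtar_users.add(...)` statement from the next block was removed together with the old `create_user(` line, so the new comment now sits directly against the closing `)`; keep the blank line before `# nosec: hard coded password for test purposes`, as the first hunk of this file does. As in that hunk, scope the marker to the finding it covers: `create_user(  # nosec B106`. The enclosing test method starts and ends outside this hunk.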
@@ -2368,7 +2368,8 @@ class Import(BaseImport):
 if not col_numbers:
 return
 last_column = max(col_numbers)
- filename = ".".join(imported_file_path.split('.')[:-1]) + f"-{random.randint(1, 10000):05d}.csv"
+ # random is not used for cryptographic purpose
+ filename = ".".join(imported_file_path.split('.')[:-1]) + f"-{random.randint(1, 10000):05d}.csv" # nosec
 try:
 data.to_csv(filename, index=False, columns=data.columns[range(last_column)],
diff --git a/ishtar_common/utils_secretary.py b/ishtar_common/utils_secretary.py
index 0ce4732d4..77a2cbc9b 100644
--- a/ishtar_common/utils_secretary.py
+++ b/ishtar_common/utils_secretary.py
@@ -2,8 +2,9 @@ # -*- coding: utf-8 -*-
 import re
 from secretary import Renderer
-from lxml import etree
-from xml.dom.minidom import parseString
+# source files is from admin user this should be safe
+from lxml import etree # nosec
+from xml.dom.minidom import parseString # nosec
 from xml.parsers.expat import ExpatError, ErrorString
 from PIL import Image
@@ -108,10 +109,16 @@ class IshtarSecretaryRenderer(Renderer):
 result = jinja_template.render(**kwargs)
 # try to fix xml with mismatched tags
- parser = etree.XMLParser(recover=True)
- recovered_xml = etree.fromstring(result.encode("ascii", "xmlcharrefreplace"), parser)
-
- final_xml = parseString(etree.tostring(recovered_xml))
+ # source files is from admin user this should be safe
+ parser = etree.XMLParser(recover=True) # nosec
+ recovered_xml = etree.fromstring(
+ result.encode("ascii", "xmlcharrefreplace"),
+ parser)
+
+ # source files is from admin user this should be safe
+ final_xml = parseString( # nosec
+ etree.tostring(recovered_xml)
+ )
 if self.template_images:
 self.replace_images(final_xml) |
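Review bot: The re-added `filename` line still derives the export name from a 10 000-value `random.randint`, so two exports of the same import file can collide and `data.to_csv` silently overwrites the earlier one, and `".".join(imported_file_path.split('.')[:-1])` yields an empty stem for a path with no dot, producing `-00042.csv` in the current directory. `os.path.splitext` plus `tempfile.mkstemp` fix both and create the file atomically with restrictive permissions, which also makes the `# nosec` unnecessary: `stem, _ = os.path.splitext(imported_file_path)`, `fd, filename = tempfile.mkstemp(dir=os.path.dirname(stem) or None, prefix=os.path.basename(stem) + "-", suffix=".csv")`, `os.close(fd)` — assuming nothing downstream relies on the `-NNNNN.csv` shape and that `os`/`tempfile` are available in this module, neither of which the hunk shows. If the marker stays, scope it to the random-module check it answers: `# nosec B311`. The enclosing method of `Import` starts and ends outside this hunk.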
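Review bot: The trust justification ("source files is from admin user") is placed on the import lines, but nothing is parsed here — the import is not where trust matters — and the bare `# nosec` also hides any future finding on those lines; scope each marker to its check, `from lxml import etree  # nosec B410` and `from xml.dom.minidom import parseString  # nosec B408`, and keep the trust statement at the call sites. Reworded: `# Templates are uploaded by admin users only; their XML is treated as trusted.` Note that `parseString` (expat) does not resolve external entities, so the minidom suppression is well founded on its own, whereas the lxml one depends on the parser options used later in this file.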
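Review bot: `etree.XMLParser(recover=True)` keeps lxml's default entity handling, and on lxml releases before 5.0 that default also resolves external entities, so a template carrying a DTD with a `file://` entity would have local file contents pulled into the rendered document; since `result` is the Jinja rendering with `**kwargs` substituted, the "admin user" justification holds only if those values never reach the parser unescaped, which this hunk does not show. Hardening costs one keyword and removes the need to suppress anything on that line: `parser = etree.XMLParser(recover=True, resolve_entities=False, no_network=True)`. If the markers stay, scope them (`# nosec B320` on the parser line, `# nosec B318` on `parseString(`) and fix the comment wording: `# Template files come from admin users only, so their XML is trusted.` The enclosing render method of `IshtarSecretaryRenderer` starts and ends outside this hunk.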
