From 367059ddef14a495e277f68ceaf3455c092f839d Mon Sep 17 00:00:00 2001
From: Étienne Loks
Date: Tue, 11 Apr 2023 12:27:23 +0200
Subject: bandit checker: mark false security issues - fix security issues (low severity)

---
 ishtar_common/models.py | 24 ++++++++++++++----------
 1 file changed, 14 insertions(+), 10 deletions(-)

(limited to 'ishtar_common/models.py')

diff --git a/ishtar_common/models.py b/ishtar_common/models.py
index f7baebfe4..ba317998f 100644
--- a/ishtar_common/models.py
+++ b/ishtar_common/models.py
@@ -36,7 +36,9 @@ import string
 import tempfile
 import time
 from io import BytesIO
-from subprocess import Popen, PIPE
+# nosec: only script inside the script directory can be executed
+# script directory is not web available
+from subprocess import Popen, PIPE # nosec
 from PIL import Image
 from markdown import markdown
 from ooopy.OOoPy import OOoPy
@@ -45,7 +47,8 @@ import ooopy.Transforms as OOTransforms
 import uuid
 import zipfile
 from urllib.parse import urlencode
-from xml.etree import ElementTree as ET
+# nosec: ElementTree used to create XML not for parsing
+from xml.etree import ElementTree as ET # nosec
 
 from django.apps import apps
 from django.conf import settings
@@ -408,9 +411,7 @@ def is_unique(cls, field):
     # unique validator for models
     def func(value):
         query = {field: value}
-        try:
-            assert cls.objects.filter(**query).count() == 0
-        except AssertionError:
+        if cls.objects.filter(**query).count() != 0:
             raise ValidationError(_("This item already exists."))
     return func
 
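Review bot: The justification written above `from subprocess import Popen, PIPE` describes a property that is enforced roughly 5000 lines later in `AdministrationTask`, so a reader of the import block has no way to check it, and the bare `# nosec` silences every bandit test on that line rather than the one it answers (B404). I would scope it and point at the enforcing code, e.g. `from subprocess import Popen, PIPE  # nosec B404 - see AdministrationTask: the executed path is taken from os.listdir(script_dir), never from user input`; the test-id form needs a reasonably recent bandit, so keep the bare `# nosec` but still add the pointer if the project pins an older release. "Script directory is not web available" describes how the directory is deployed, which is not what prevents command injection here — selecting the executable from a directory listing is, and the comment should say that instead.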
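Review bot: The `# nosec` on `from xml.etree import ElementTree as ET` suppresses bandit B405 on the promise that the module only serialises XML, but nothing in the code holds that promise — the first `ET.parse`/`ET.fromstring` of externally supplied data added to this file would expose the stdlib parser's entity-expansion weaknesses while the import-level suppression stays silent. Bandit's call-site tests (B313–B320) would still fire on such a call, so the suppression is tolerable, but narrow it to the test it answers and state the constraint for the next maintainer: `from xml.etree import ElementTree as ET  # nosec B405 - serialisation only; parse untrusted XML via defusedxml`.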
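Review bot: `if cls.objects.filter(**query).count() != 0:` runs a full COUNT(*) when only existence matters; the idiomatic Django form is `if cls.objects.filter(**query).exists():`, which lets the database stop at the first row. Dropping the `assert` here is the substantive fix in this hunk — the validator was silently disabled under `python -O` — and deserves a line in the commit message. Note that the check remains a lookup-then-save race (two concurrent requests can both pass it), so a database-level `unique` constraint on the field is still the real guarantee; `is_unique` starts before the hunk and I cannot see whether the callers' models declare one.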
@@ -922,9 +923,8 @@ class RelationsViews(models.Model):
         Check view or table properly created with settings on the profile
         :return: True if table or view updated
         """
-        assert cls.CREATE_SQL
-        assert cls.DELETE_SQL
-        assert cls.CREATE_TABLE_SQL
+        if not cls.CREATE_SQL or not cls.DELETE_SQL or not cls.CREATE_TABLE_SQL:
+            raise NotImplementedError("CREATE_SQL or DELETE_SQL or CREATE_TABLE_SQL is missing.")
         profile = get_current_profile(force=True)
         table_type = ""
         with connection.cursor() as cursor:
@@ -2456,7 +2456,8 @@ def documentation_get_gender_values():
 class BaseGenderedType(ValueGetter):
     def get_values(self, prefix="", **kwargs):
         dct = super(BaseGenderedType, self).get_values(prefix=prefix, **kwargs)
-        assert hasattr(self, "grammatical_gender")
+        if not hasattr(self, "grammatical_gender"):
+            raise NotImplementedError("This model should have a grammatical_gender field")
         dct[prefix + "grammatical_gender"] = self.grammatical_gender
         return dct
 
@@ -5144,6 +5145,7 @@ class AdministrationTask(models.Model):
         script_name = None
 
         # only script inside the script directory can be executed
+        # script directory is not web available
         for name in os.listdir(script_dir):
             if name == self.script.path:
                 if os.path.isfile(os.path.join(script_dir, name)):
@@ -5165,7 +5167,9 @@ class AdministrationTask(models.Model):
         self.finished_date = datetime.datetime.now()
 
         try:
-            session = Popen([script_name], stdout=PIPE, stderr=PIPE)
+            # nosec: only script inside the script directory can be executed
+            # this script directory is not web available
+            session = Popen([script_name], stdout=PIPE, stderr=PIPE) # nosec
             stdout, stderr = session.communicate()
         except OSError as e:
             self.state = "FE"
-- 
cgit v1.2.3
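Review bot: The new `NotImplementedError` names all three attributes whichever one is actually empty, and if a subclass omits one entirely (rather than the base class defining it as `None`, which I cannot see from here) the `cls.X` access raises `AttributeError` before the check is reached, so the message never appears. A loop over the names reports the real culprit and covers both cases in three lines: `for attr in ("CREATE_SQL", "DELETE_SQL", "CREATE_TABLE_SQL"):` / `    if not getattr(cls, attr, None):` / `        raise NotImplementedError("%s.%s is missing." % (cls.__name__, attr))`. That also retires the over-long `raise` line added here. The enclosing method starts before the hunk (only its docstring tail is visible) and continues after it.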
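Review bot: The added comment `# script directory is not web available` records a deployment property, not the guarantee the loop below provides; what actually stops an attacker-controlled path from being executed is that `script_name` is only ever assigned from an `os.listdir(script_dir)` entry, and the comment should state that, e.g. `# script_name is only taken from os.listdir(script_dir); self.script.path serves as a lookup key and is never executed directly`. Separately, `name == self.script.path` compares a bare directory entry with what, if `script` is a Django `FileField`, would be an absolute path — confirm both have the same shape, otherwise no entry can ever match. The method body continues past the hunk, so I cannot see how a non-match is handled.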
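Review bot: `session.communicate()` on the new `Popen` line has no timeout and the process is not managed by a `with` block, so a script that never exits ties up this worker indefinitely and the pipe handles leak if `communicate()` raises. I would write `with Popen([script_name], stdout=PIPE, stderr=PIPE) as session:  # nosec B603` and `stdout, stderr = session.communicate(timeout=...)` with a bounded value, catching `subprocess.TimeoutExpired` next to `OSError`. If `script_name` can still be `None` when this line runs (the lines between the listdir loop and this `try` are outside the hunk, so there may be an early return), `Popen([None])` raises `TypeError`, which the `except OSError` does not catch. The three-line justification repeats the one at the import; a single scoped `# nosec B603` pointing at the listdir check above is enough, and the `try`'s handlers continue beyond the hunk.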