From e239ce326755e476521e35d7cbb680d1358b5883 Mon Sep 17 00:00:00 2001
From: Étienne Loks <etienne.loks@iggdrasil.net>
Date: Mon, 1 Dec 2025 11:48:43 +0100
Subject: 🔒️ fix bandit warnings
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 ishtar_common/models_imports.py  |  3 ++-
 ishtar_common/utils_secretary.py | 19 +++++++++++++------
 2 files changed, 15 insertions(+), 7 deletions(-)

(limited to 'ishtar_common')

diff --git a/ishtar_common/models_imports.py b/ishtar_common/models_imports.py
index 3d8cce882..528201927 100644
--- a/ishtar_common/models_imports.py
+++ b/ishtar_common/models_imports.py
@@ -2368,7 +2368,8 @@ class Import(BaseImport):
         if not col_numbers:
             return
         last_column = max(col_numbers)
-        filename = ".".join(imported_file_path.split('.')[:-1]) + f"-{random.randint(1, 10000):05d}.csv"
+        # random is not used for cryptographic purpose
+        filename = ".".join(imported_file_path.split('.')[:-1]) + f"-{random.randint(1, 10000):05d}.csv"  # nosec
 
         try:
             data.to_csv(filename, index=False, columns=data.columns[range(last_column)],
diff --git a/ishtar_common/utils_secretary.py b/ishtar_common/utils_secretary.py
index 0ce4732d4..77a2cbc9b 100644
--- a/ishtar_common/utils_secretary.py
+++ b/ishtar_common/utils_secretary.py
@@ -2,8 +2,9 @@
 # -*- coding: utf-8 -*-
 import re
 from secretary import Renderer
-from lxml import etree
-from xml.dom.minidom import parseString
+# source files is from admin user this should be safe
+from lxml import etree  # nosec
+from xml.dom.minidom import parseString  # nosec
 from xml.parsers.expat import ExpatError, ErrorString
 from PIL import Image
 
@@ -108,10 +109,16 @@ class IshtarSecretaryRenderer(Renderer):
             result = jinja_template.render(**kwargs)
 
             # try to fix xml with mismatched tags
-            parser = etree.XMLParser(recover=True)
-            recovered_xml = etree.fromstring(result.encode("ascii", "xmlcharrefreplace"), parser)
-
-            final_xml = parseString(etree.tostring(recovered_xml))
+            # source files is from admin user this should be safe
+            parser = etree.XMLParser(recover=True)  # nosec
+            recovered_xml = etree.fromstring(
+                result.encode("ascii", "xmlcharrefreplace"),
+                parser)
+
+            # source files is from admin user this should be safe
+            final_xml = parseString(  # nosec
+                etree.tostring(recovered_xml)
+            )
 
             if self.template_images:
                 self.replace_images(final_xml)
-- 
cgit v1.2.3