fix: resolve all ruff and bandit lint/security issues

- Remove unused Optional import (F401) in telemetry.py - Move imports above module-level code (E402) in web/db/models.py - Default API/web hosts to 127.0.0.1 instead of 0.0.0.0 (B104) - Add usedforsecurity=False to MD5 calls in JA3/HASSH fingerprinting (B324) - Annotate intentional try/except/pass blocks with nosec (B110) - Remove stale nosec comments that no longer suppress anything
2026-04-16 01:04:57 -04:00
parent 70d8ffc607
commit 29578d9d99
12 changed files with 27 additions and 26 deletions
--- a/decnet/sniffer/fingerprint.py
+++ b/decnet/sniffer/fingerprint.py
@@ -513,7 +513,7 @@ def _extract_sans(cert_der: bytes, pos: int, end: int) -> list[str]:
            else:
                _, skip_start, skip_len = _der_read_tag_len(cert_der, pos)
                pos = skip_start + skip_len
-    except Exception:
+    except Exception:  # nosec B110 — DER parse errors return partial results
        pass
    return sans

@@ -533,7 +533,7 @@ def _parse_san_sequence(data: bytes, start: int, length: int) -> list[str]:
            elif context_tag == 7 and val_len == 4:
                names.append(".".join(str(b) for b in data[val_start: val_start + val_len]))
            pos = val_start + val_len
-    except Exception:
+    except Exception:  # nosec B110 — SAN parse errors return partial results
        pass
    return names

@@ -561,7 +561,7 @@ def _ja3(ch: dict[str, Any]) -> tuple[str, str]:
        "-".join(str(p) for p in ch["ec_point_formats"]),
    ]
    ja3_str = ",".join(parts)
-    return ja3_str, hashlib.md5(ja3_str.encode()).hexdigest()  # nosec B324
+    return ja3_str, hashlib.md5(ja3_str.encode(), usedforsecurity=False).hexdigest()


@_traced("sniffer.ja3s")
@@ -572,7 +572,7 @@ def _ja3s(sh: dict[str, Any]) -> tuple[str, str]:
        "-".join(str(e) for e in sh["extensions"]),
    ]
    ja3s_str = ",".join(parts)
-    return ja3s_str, hashlib.md5(ja3s_str.encode()).hexdigest()  # nosec B324
+    return ja3s_str, hashlib.md5(ja3s_str.encode(), usedforsecurity=False).hexdigest()


 # ─── JA4 / JA4S ─────────────────────────────────────────────────────────────
--- a/decnet/sniffer/worker.py
+++ b/decnet/sniffer/worker.py
@@ -12,7 +12,7 @@ The API never depends on this worker being alive.

 import asyncio
 import os
-import subprocess
+import subprocess  # nosec B404 — needed for interface checks
 import threading
 from concurrent.futures import ThreadPoolExecutor
 from pathlib import Path
@@ -44,7 +44,7 @@ def _load_ip_to_decky() -> dict[str, str]:
 def _interface_exists(iface: str) -> bool:
    """Check if a network interface exists on this host."""
    try:
-        result = subprocess.run(
+        result = subprocess.run(  # nosec B603 B607 — hardcoded args
            ["ip", "link", "show", iface],
            capture_output=True, text=True, check=False,
        )