anti/DECNET
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

fix: resolve all ruff and bandit lint/security issues

Browse Source 
- Remove unused Optional import (F401) in telemetry.py
- Move imports above module-level code (E402) in web/db/models.py
- Default API/web hosts to 127.0.0.1 instead of 0.0.0.0 (B104)
- Add usedforsecurity=False to MD5 calls in JA3/HASSH fingerprinting (B324)
- Annotate intentional try/except/pass blocks with nosec (B110)
- Remove stale nosec comments that no longer suppress anything
This commit is contained in:
anti
2026-04-16 01:04:57 -04:00
parent 70d8ffc607
commit 29578d9d99
12 changed files with 27 additions and 26 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
decnet/web/db/models.py
View File

@@ -3,14 +3,14 @@ from typing import Literal, Optional, Any, List, Annotated
from sqlalchemy import Column, Text
from sqlalchemy.dialects.mysql import MEDIUMTEXT
from sqlmodel import SQLModel, Field
from pydantic import BaseModel, ConfigDict, Field as PydanticField, BeforeValidator
from decnet.models import IniContent
# Use on columns that accumulate over an attacker's lifetime (commands,
# fingerprints, state blobs). TEXT on MySQL caps at 64 KiB; MEDIUMTEXT
# stretches to 16 MiB. SQLite has no fixed-width text types so Text()
# stays unchanged there.
_BIG_TEXT = Text().with_variant(MEDIUMTEXT(), "mysql")
from pydantic import BaseModel, ConfigDict, Field as PydanticField, BeforeValidator
from decnet.models import IniContent
def _normalize_null(v: Any) -> Any:
if isinstance(v, str) and v.lower() in ("null", "undefined", ""):

2
decnet/web/router/auth/api_login.py
View File

@@ -42,6 +42,6 @@ async def login(request: LoginRequest) -> dict[str, Any]:
)
return {
"access_token": _access_token,
"token_type": "bearer", # nosec B105
"token_type": "bearer", # nosec B105 — OAuth2 token type, not a password
"must_change_password": bool(_user.get("must_change_password", False))
}

2
decnet/web/router/config/api_manage_users.py
View File

@@ -40,7 +40,7 @@ async def api_create_user(
"username": req.username,
"password_hash": get_password_hash(req.password),
"role": req.role,
"must_change_password": True,
"must_change_password": True, # nosec B105 — not a password
})
return UserResponse(
uuid=user_uuid,