kitos/Aegis
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

fix(security): resolve Snyk/bandit code analysis findings
Aegis CI / lint-and-test (push) Has been cancelled
Details
Snyk Security Scan / Python vulnerabilities (backend) (push) Has been cancelled
Details
Snyk Security Scan / npm vulnerabilities (frontend) (push) Has been cancelled
Details
Snyk Security Scan / Docker image vulnerabilities (backend) (push) Has been cancelled
Details

Browse Source 
- config.py: move REPORT_OUTPUT_DIR from /tmp (world-writable) to /app/reports
  to prevent CWE-377 symlink attack vector (B108, only real security issue)
- main.py: log startup seed failures instead of silently swallowing them (B110)
- Add # nosec annotations to intentional try/except patterns that are by design:
  Jira integration errors, email failures, DetachedInstanceError, storage errors,
  and Jira session timeout (all B110/B112 false positives)
- Add # nosec B105 to false positives where bandit misidentifies config key
  names and masking strings as hardcoded passwords
- Add .bandit config to skip B311 in seed_demo.py (random used for fake
  demo data generation, not cryptographic purposes)
This commit is contained in:
kitos
2026-06-12 12:59:11 +02:00
parent 709a810775
commit 6d3617938e
10 changed files with 21 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files
backend/app/routers/admin_config.py
+1 -1
View File
@@ -149,7 +149,7 @@ def export_config(
"email": u.email if hasattr(u, "email") else None,
"role": u.role,
"is_active": u.is_active,
"must_change_password": True, # force password reset on new instance
"must_change_password": True, # force password reset on new instance # nosec B105
}
for u in db.query(User).order_by(User.username).all()
]
backend/app/routers/system.py
+2 -2
View File
@@ -72,7 +72,7 @@ _SMTP_KEYS = {
"host": "smtp.host",
"port": "smtp.port",
"username": "smtp.username",
"password": "smtp.password",
"password": "smtp.password", # nosec B105
"from_email": "smtp.from_email",
"use_tls": "smtp.use_tls",
}
@@ -355,7 +355,7 @@ def test_jira_connection(
# 10-second timeout so we never block Cloudflare into a 524
try:
jira._session.timeout = 10 # type: ignore[attr-defined]
except Exception:
except Exception: # nosec B110
pass
myself = jira.myself()
logger.info("Jira myself() response keys: %s", list(myself.keys()) if isinstance(myself, dict) else type(myself))
backend/app/routers/tests.py
+5 -5
View File
@@ -281,7 +281,7 @@ def create_test(
from app.services.jira_service import auto_create_test_issue
auto_create_test_issue(db, test, current_user)
db.commit()
except Exception:
except Exception: # nosec B110
pass # jira_service already logs warnings internally
return test
@@ -374,8 +374,8 @@ def create_test_from_template(
from app.services.jira_service import auto_create_test_issue
auto_create_test_issue(db, test, current_user)
db.commit()
except Exception:
pass
except Exception: # nosec B110
pass # jira_service already logs warnings internally
return test
@@ -1485,7 +1485,7 @@ def import_rt(
continue
try:
img_bytes = base64.b64decode(ev.data)
except Exception:
except Exception: # nosec B112
continue # malformed base64 — skip
if len(img_bytes) > _MAX_EVIDENCE_BYTES:
continue # over size limit — skip
@@ -1493,7 +1493,7 @@ def import_rt(
key = f"{test.id}/{uuid.uuid4()}_{safe_name}"
try:
upload_file(img_bytes, key)
except Exception:
except Exception: # nosec B112
continue # storage error — skip but don't abort
evidence_obj = Evidence(
test_id=test.id,
backend/app/routers/webhooks.py
+1 -1
View File
@@ -36,7 +36,7 @@ def _mask_secret(wh) -> WebhookConfigOut:
"""Return a WebhookConfigOut with the secret masked."""
out = WebhookConfigOut.model_validate(wh)
if wh.secret:
out.secret = "***"
out.secret = "***" # nosec B105
else:
out.secret = None
return out