
Updated modules/processors/frame/core.py to fix security vulnerability [python.lang.security.audit.non-literal-import.non-literal-import]

Open kira-offgrid opened this issue 6 months ago • 2 comments

Context and Purpose:

This PR automatically remediates a security vulnerability:
- **Description:** Untrusted user input in `importlib.import_module()` function allows an attacker to load arbitrary code. Avoid dynamic values in `importlib.import_module()` or use a whitelist to prevent running untrusted code.
- **Rule ID:** python.lang.security.audit.non-literal-import.non-literal-import
- **Severity:** MEDIUM
- **File:** modules/processors/frame/core.py
- **Lines Affected:** 23 - 23

This change is necessary to protect the application from potential security risks associated with this vulnerability.

**Solution Implemented:**

The automated remediation process has applied the necessary changes to the affected code in `modules/processors/frame/core.py` to resolve the identified issue.

Please review the changes to ensure they are correct and integrate as expected.

Summary by Sourcery

Mitigate a security vulnerability in dynamic module imports by enforcing a whitelist and replacing direct importlib calls with a safe import wrapper

Bug Fixes:

  • Prevent arbitrary code loading via importlib.import_module by enforcing a whitelist for frame processor modules

Enhancements:

  • Add ALLOWED_MODULES whitelist and safe_import_module function with logging for unauthorized import attempts
  • Replace importlib.import_module usage in load_frame_processor_module with safe_import_module to enforce validation

kira-offgrid, May 16 '25 04:05

Reviewer's Guide

This PR secures dynamic imports in modules/processors/frame/core.py by introducing a whitelist-driven safe_import_module function and replacing direct importlib.import_module calls with it; reviewers should also flag and consolidate redundant definitions.

File-Level Changes

Change: Introduced whitelist-based safe dynamic import mechanism
  Details:
  • Imported typing Set and Optional
  • Defined ALLOWED_MODULES set
  • Implemented safe_import_module with whitelist check and warning log
  Files: modules/processors/frame/core.py

Change: Replaced dynamic import usage with safe_import_module
  Details:
  • Changed importlib.import_module call to safe_import_module in load_frame_processor_module
  Files: modules/processors/frame/core.py

Change: Duplicated safe_import_module and whitelist definitions
  Details:
  • Multiple identical blocks of ALLOWED_MODULES and safe_import_module were inserted
  • Suggest consolidating to a single definition
  Files: modules/processors/frame/core.py


sourcery-ai[bot], May 16 '25 04:05
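An allow-list import wrapper of the kind the summary and reviewer's guide describe, written here as an added example rather than the PR's actual diff. The package prefix, the allow-list contents, the function signature and the `load_frame_processor_module` helper are assumptions, not the project's own code.

```python
"""Allow-list wrapper around importlib.import_module (added example, not Deep-Live-Cam's code)."""
import importlib
import logging
from types import ModuleType
from typing import FrozenSet, Optional

log = logging.getLogger(__name__)

# Hypothetical package prefix and allow-list; the real project's values may differ.
PROCESSOR_PACKAGE = "modules.processors.frame"
ALLOWED_MODULES: FrozenSet[str] = frozenset({"face_swapper", "face_enhancer"})


def safe_import_module(
    name: str,
    allowed: FrozenSet[str] = ALLOWED_MODULES,
    package: str = PROCESSOR_PACKAGE,
) -> Optional[ModuleType]:
    """Import <package>.<name> only when <name> is an exact allow-list entry.

    The check is an exact match on the short name, so dotted names ("os.path"),
    relative names (".core") and anything else not explicitly listed are refused
    before importlib ever sees them. A refusal is logged and yields None.
    """
    if name not in allowed:
        log.warning("refused to import %r: not in allow-list %s", name, sorted(allowed))
        return None
    full_name = f"{package}.{name}" if package else name
    return importlib.import_module(full_name)


def load_frame_processor_module(
    frame_processor: str,
    allowed: FrozenSet[str] = ALLOWED_MODULES,
    package: str = PROCESSOR_PACKAGE,
) -> ModuleType:
    """Resolve a user-supplied processor name, failing loudly instead of importing blindly."""
    module = safe_import_module(frame_processor, allowed, package)
    if module is None:
        raise ValueError(f"Frame processor {frame_processor!r} is not allowed")
    return module
```

With the default allow-list the import targets the hypothetical package, so the tests below substitute a stdlib-based allow-list to exercise the same logic offline.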