PatchWork AutoFix
This pull request from patched fixes 6 issues.
- File changed: patchwork/common/tools/csvkit_tool.py
Use parameterized queries to prevent SQL injection
The code has been modified to use parameterized queries in place of formatted strings for executing SQL statements. This change mitigates the risk of SQL injection by using safer query execution methods provided by sqlite3.
- File changed: patchwork/common/utils/step_typing.py
Implement whitelist for dynamic module imports for validate_step_with_inputs function.
Implemented a whitelist mechanism to restrict dynamic module imports in the `validate_step_with_inputs` function to only trusted modules. This prevents loading of arbitrary code by restricting the `importlib.import_module` call to predefined module paths.
- File changed: patchwork/app.py
Fix untrusted input vulnerability in importlib.import_module
Implemented a whitelist for allowable module paths to ensure importlib.import_module() only loads trusted modules, mitigating the risk of arbitrary code execution.
- File changed: patchwork/common/tools/bash_tool.py
Fix security vulnerability by removing shell=True in subprocess.run
Removed the `shell=True` argument in the `subprocess.run` call and modified it to pass the command as a list, which prevents shell injection vulnerabilities.
- File changed: patchwork/common/utils/dependency.py
Implement whitelist for import statements to prevent execution of arbitrary modules
Introduced a whitelist mechanism to the `import_with_dependency_group` function, ensuring that only modules listed in the `__DEPENDENCY_GROUPS` dictionary can be dynamically imported, preventing execution of arbitrary and potentially harmful modules.
- File changed: patchwork/steps/CallShell/CallShell.py
Remove usage of 'shell=True' in subprocess.run to prevent shell injection vulnerability
Replaced `shell=True` with `shell=False` in `subprocess.run`, and utilized `shlex.split` to properly construct the command list, preventing potential shell injection vulnerabilities.
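The three import-whitelist fixes above (step_typing.py, app.py and dependency.py) share one pattern: look the requested module path up in a fixed allowlist before handing it to `importlib.import_module`. The following is an added illustration of that pattern, not code from the patchwork repository or this pull request; the `DEPENDENCY_GROUPS` contents and the function names are constructed stand-ins, since the page does not show the real `__DEPENDENCY_GROUPS` dictionary or the patched function bodies.

```python
from __future__ import annotations

import importlib
from types import ModuleType

# Constructed allowlist standing in for patchwork's __DEPENDENCY_GROUPS;
# the real dictionary's contents are not shown on the PR page.
DEPENDENCY_GROUPS = {
    "data": ["json", "csv"],
    "text": ["textwrap"],
}

# Flatten the groups into the exact set of module paths that may be imported.
ALLOWED_MODULES = frozenset(
    name for names in DEPENDENCY_GROUPS.values() for name in names
)


class UntrustedModuleError(ImportError):
    """Raised when a requested module path is outside the allowlist."""


def is_allowed(module_path: object, allowed=ALLOWED_MODULES) -> bool:
    # Exact string match only: "json.decoder" is rejected even though "json"
    # is allowed, so dotted submodule paths cannot widen the allowlist.
    return isinstance(module_path, str) and module_path in allowed


def import_with_allowlist(module_path: str, allowed=ALLOWED_MODULES) -> ModuleType:
    """Import module_path only if it is an allowlisted name; the check runs
    before importlib is ever called, so a rejected path executes no code."""
    if not is_allowed(module_path, allowed):
        raise UntrustedModuleError(
            f"module {module_path!r} is not in the import allowlist"
        )
    return importlib.import_module(module_path)


def import_group(group: str) -> dict[str, ModuleType]:
    """Import every module of one dependency group, mirroring a per-group
    lookup such as import_with_dependency_group (hypothetical body)."""
    if group not in DEPENDENCY_GROUPS:
        raise UntrustedModuleError(f"unknown dependency group {group!r}")
    return {name: import_with_allowlist(name) for name in DEPENDENCY_GROUPS[group]}
```

The allowlist is a fixed set of whole module names rather than a prefix or substring check, which is the property that keeps untrusted input from steering the import.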