
PatchWork AutoFix

Open patched-admin opened this issue 7 months ago • 0 comments

This pull request from patched fixes 6 issues.


  • File changed: patchwork/common/tools/csvkit_tool.py
    Use parameterized queries to prevent SQL Injection. Replaced the formatted SQL queries with parameterized queries using the execute method to prevent SQL injection vulnerabilities.
  • File changed: patchwork/common/utils/step_typing.py
    Add module path whitelist to secure importlib.import_module usage. Implemented a whitelist that restricts dynamic module imports via importlib.import_module to only allow pre-approved module paths, thus preventing potentially malicious imports.
  • File changed: patchwork/app.py
    Restrict dynamic module imports to a predefined whitelist. Implemented a whitelist approach to ensure that only modules from a predefined list can be imported dynamically, mitigating risks associated with arbitrary code execution.
  • File changed: patchwork/common/tools/bash_tool.py
    Remove shell=True from subprocess.run for security enhancement. Modified the subprocess.run call to use shell=False for increased security. Updated the command to be passed as a list, as required when shell=False.
  • File changed: patchwork/steps/CallShell/CallShell.py
    Remove shell=True from subprocess.run for security. The subprocess.run invocation was modified to use shell=False and the command is now split into a list of arguments using shlex.split to avoid command injection vulnerabilities.
  • File changed: patchwork/common/utils/dependency.py
    Implement whitelist for modules to prevent arbitrary code execution. Added a whitelist mechanism to restrict module importation to a predefined set of trusted modules to prevent the execution of arbitrary code.

patched-admin · Apr 14 '25 04:04
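The three remediation patterns named in the PR description (an import allow-list in front of importlib.import_module, parameterized SQL instead of formatted query strings, and subprocess.run with shell=False on a shlex-split argument list) are shown together below as an added illustration. This is not code from the patchwork project or from the PR itself: the allow-list contents, the SQLite table, and the sample inputs are constructed for the example, and the function names are hypothetical.

```python
"""Hardened patterns for the three fix categories in the PR description.

Added illustration, not code from the patchwork project. The allow-list,
the table schema and every sample input below are constructed.
"""
import importlib
import shlex
import sqlite3
import subprocess
from types import ModuleType

# 1. Dynamic imports restricted to pre-approved module paths.
#    Hypothetical allow-list; the project's real list is not shown on the page.
ALLOWED_MODULES = frozenset({"json", "pathlib", "collections"})


def is_allowed(module_path: str) -> bool:
    """Exact-match check against the allow-list (no prefix or wildcard matching)."""
    return module_path in ALLOWED_MODULES


def safe_import(module_path: str) -> ModuleType:
    """Import module_path only if it is on the allow-list; refuse everything else."""
    if not is_allowed(module_path):
        raise ImportError(f"module {module_path!r} is not in the import allow-list")
    return importlib.import_module(module_path)


# 2. SQL built with string formatting versus a parameterized query.
def sample_db() -> sqlite3.Connection:
    """In-memory SQLite table with constructed rows (stands in for a loaded CSV)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE rows (id INTEGER, owner TEXT)")
    conn.executemany(
        "INSERT INTO rows VALUES (?, ?)", [(1, "alice"), (2, "bob"), (3, "carol")]
    )
    return conn


def count_rows_formatted(conn: sqlite3.Connection, owner: str) -> int:
    """'Before' pattern: the value is spliced into the SQL text, so a quote
    inside it changes the structure of the query."""
    sql = f"SELECT COUNT(*) FROM rows WHERE owner = '{owner}'"
    return conn.execute(sql).fetchone()[0]


def count_rows_parameterized(conn: sqlite3.Connection, owner: str) -> int:
    """'After' pattern: the driver binds the value; its content is never parsed as SQL."""
    sql = "SELECT COUNT(*) FROM rows WHERE owner = ?"
    return conn.execute(sql, (owner,)).fetchone()[0]


# 3. subprocess.run without shell=True, with the command split by shlex.
def split_command(command: str) -> list:
    """POSIX-style tokenisation; ';', '|' and '&&' become ordinary argv entries."""
    return shlex.split(command)


def run_command(command: str) -> str:
    """Run the command as an argv list; no shell ever interprets the string."""
    argv = split_command(command)
    result = subprocess.run(argv, shell=False, capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    print(safe_import("json").__name__)
    conn = sample_db()
    probe = "x' OR '1'='1"  # constructed value containing a single quote
    print(count_rows_formatted(conn, probe))      # 3: the quote escaped the string literal
    print(count_rows_parameterized(conn, probe))  # 0: treated purely as data
    print(split_command("echo hello; echo second"))  # ['echo', 'hello;', 'echo', 'second']
    print(run_command("echo hello; echo second"), end="")  # hello; echo second
```

The trade-off the last two bullets imply is worth stating: once the string is split with shlex and passed as a list, shell features such as pipes, redirection, globbing and variable expansion are no longer available to callers, so any step that relied on them has to be rewritten to compose those operations in Python. The exact-match allow-list likewise rejects submodules and aliases that are not spelled out, which is the intended behaviour for a list of trusted import paths.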