From a2913f8b9c8a3d461595a2a6f88d4f62a339f95d Mon Sep 17 00:00:00 2001
From: Ryan Ahearn <ryan.ahearn@gsa.gov>
Date: Fri, 26 Aug 2022 16:04:30 +0000
Subject: [PATCH] Fix static-scan findings

---
 app/asset_fingerprinter.py                    |  2 +-
 .../create-broadcast-areas-db.py              | 13 +++++----
 app/broadcast_areas/repo.py                   | 29 +++++++++----------
 app/config.py                                 |  2 +-
 app/main/views/api_keys.py                    |  2 +-
 app/main/views/user_profile.py                |  2 +-
 6 files changed, 25 insertions(+), 25 deletions(-)

diff --git a/app/asset_fingerprinter.py b/app/asset_fingerprinter.py
index c6fa3859c..fc4b60ad1 100644
--- a/app/asset_fingerprinter.py
+++ b/app/asset_fingerprinter.py
@@ -37,7 +37,7 @@ class AssetFingerprinter(object):
         return self._cache[asset_path]
 
     def get_asset_fingerprint(self, asset_file_path):
-        return hashlib.md5(
+        return hashlib.md5(  # nosec B324 - hash value is not verified, so md5 is fine
             self.get_asset_file_contents(asset_file_path)
         ).hexdigest()
 
diff --git a/app/broadcast_areas/create-broadcast-areas-db.py b/app/broadcast_areas/create-broadcast-areas-db.py
index 9e5cccbc0..796d93c89 100755
--- a/app/broadcast_areas/create-broadcast-areas-db.py
+++ b/app/broadcast_areas/create-broadcast-areas-db.py
@@ -1,10 +1,10 @@
 #!/usr/bin/env python
 
 import csv
-import pickle
 import sys
 from math import isclose
 from pathlib import Path
+from pickle import dumps  # nosec B403
 
 import geojson
 from notifications_utils.formatters import formatted_list
@@ -104,8 +104,10 @@ def clean_up_invalid_polygons(polygons, indent="    "):
 
             # Make sure the polygon is now valid, and that we haven’t
             # drastically transformed the polygon by ‘fixing’ it
-            assert fixed_polygon.is_valid
-            assert isclose(fixed_polygon.area, shapely_polygon.area, rel_tol=0.001)
+            if not fixed_polygon.is_valid:
+                raise RuntimeError("Fixed polygon is no longer valid")
+            if not isclose(fixed_polygon.area, shapely_polygon.area, rel_tol=0.001):
+                raise RuntimeError("Fixed polygon moved too much")
 
             print(  # noqa: T201
                 f"{indent}Polygon {index + 1}/{len(polygons)} fixed!"
@@ -158,7 +160,8 @@ def polygons_and_simplified_polygons(feature):
     # Check that the simplification process hasn’t introduced bad data
     for dataset in output:
         for polygon in dataset:
-            assert Polygon(polygon).is_valid
+            if not Polygon(polygon).is_valid:
+                raise RuntimeError('Simplification process introduced bad data')
 
     return output + [simplified.utm_crs]
 
@@ -360,7 +363,7 @@ def _add_electoral_wards(dataset_id):
         except KeyError:
             print("Skipping", ward_code, ward_name)  # noqa: T201
 
-    rtree_index_path.open('wb').write(pickle.dumps(rtree_index))
+    rtree_index_path.open('wb').write(dumps(rtree_index))
     repo.insert_broadcast_areas(areas_to_add, keep_old_polygons)
 
 
diff --git a/app/broadcast_areas/repo.py b/app/broadcast_areas/repo.py
index 155004805..a8ccf9b85 100644
--- a/app/broadcast_areas/repo.py
+++ b/app/broadcast_areas/repo.py
@@ -1,11 +1,11 @@
-import json
 import os
-import pickle
+import pickle  # nosec B403 - loads only used with trusted input
 import sqlite3
+from json import dumps, loads
 from pathlib import Path
 
 rtree_index_path = Path(__file__).parent / 'rtree.pickle'
-rtree_index = pickle.loads(rtree_index_path.read_bytes())
+rtree_index = pickle.loads(rtree_index_path.read_bytes())  # nosec B301 - trusted input
 
 
 class BroadcastAreasRepository(object):
@@ -111,7 +111,7 @@ class BroadcastAreasRepository(object):
                 ))
                 if not keep_old_features:
                     conn.execute(features_q, (
-                        id, json.dumps(polygons), json.dumps(simple_polygons), utm_crs
+                        id, dumps(polygons), dumps(simple_polygons), utm_crs
                     ))
 
     def query(self, sql, *args):
@@ -127,13 +127,10 @@ class BroadcastAreasRepository(object):
         return sorted(libraries)
 
     def get_areas(self, area_ids):
-        q = """
-        SELECT id, name, count_of_phones, broadcast_area_library_id
-        FROM broadcast_areas
-        WHERE id IN ({})
-        """.format(",".join("?" * len(area_ids)))
+        q = "SELECT id, name, count_of_phones, broadcast_area_library_id FROM broadcast_areas"
+        where = "WHERE id IN ({})".format(",".join("?" * len(area_ids)))
 
-        results = self.query(q, *area_ids)
+        results = self.query(F"{q} {where}", *area_ids)
 
         areas = [
             (row[0], row[1], row[2], row[3])
@@ -147,13 +144,13 @@ class BroadcastAreasRepository(object):
         SELECT broadcast_areas.id, name, count_of_phones, broadcast_area_library_id, simple_polygons, utm_crs
         FROM broadcast_areas
         JOIN broadcast_area_polygons on broadcast_area_polygons.id = broadcast_areas.id
-        WHERE broadcast_areas.id IN ({})
-        """.format(",".join("?" * len(area_ids)))
+        """
+        where = "WHERE broadcast_areas.id IN ({})".format(",".join("?" * len(area_ids)))
 
-        results = self.query(q, *area_ids)
+        results = self.query(F"{q} {where}", *area_ids)
 
         areas = [
-            (row[0], row[1], row[2], row[3], json.loads(row[4]), row[5])
+            (row[0], row[1], row[2], row[3], loads(row[4]), row[5])
             for row in results
         ]
 
@@ -239,7 +236,7 @@ class BroadcastAreasRepository(object):
 
         results = self.query(q, area_id)
 
-        return json.loads(results[0][0]), results[0][1]
+        return loads(results[0][0]), results[0][1]
 
     def get_simple_polygons_for_area(self, area_id):
         q = """
@@ -250,4 +247,4 @@ class BroadcastAreasRepository(object):
 
         results = self.query(q, area_id)
 
-        return json.loads(results[0][0]), results[0][1]
+        return loads(results[0][0]), results[0][1]
diff --git a/app/config.py b/app/config.py
index 5ce588a8e..970aaa61b 100644
--- a/app/config.py
+++ b/app/config.py
@@ -120,7 +120,7 @@ class Development(Config):
     # check for local compose orchestration variable
     API_HOST_NAME = os.environ.get('DEV_API_HOST_NAME', 'http://dev:6011')
     DANGEROUS_SALT = 'dev-notify-salt'
-    SECRET_KEY = 'dev-notify-secret-key'
+    SECRET_KEY = 'dev-notify-secret-key'  # nosec B105 - only used in development
     ANTIVIRUS_API_HOST = 'http://localhost:6016'
     ANTIVIRUS_API_KEY = 'test-key'
     ANTIVIRUS_ENABLED = os.environ.get('ANTIVIRUS_ENABLED') == '1'
diff --git a/app/main/views/api_keys.py b/app/main/views/api_keys.py
index 37fffb720..0c1c4daff 100644
--- a/app/main/views/api_keys.py
+++ b/app/main/views/api_keys.py
@@ -25,7 +25,7 @@ from app.notify_client.api_key_api_client import (
 )
 from app.utils.user import user_has_permissions
 
-dummy_bearer_token = 'bearer_token_set'
+dummy_bearer_token = 'bearer_token_set'  # nosec B105 - this is not a real token
 
 
 @main.route("/services/<uuid:service_id>/api")
diff --git a/app/main/views/user_profile.py b/app/main/views/user_profile.py
index ad744a313..42c538024 100644
--- a/app/main/views/user_profile.py
+++ b/app/main/views/user_profile.py
@@ -31,7 +31,7 @@ from app.utils.user import user_is_gov_user, user_is_logged_in
 
 NEW_EMAIL = 'new-email'
 NEW_MOBILE = 'new-mob'
-NEW_MOBILE_PASSWORD_CONFIRMED = 'new-mob-password-confirmed'
+NEW_MOBILE_PASSWORD_CONFIRMED = 'new-mob-password-confirmed'  # nosec B105 - this is not a password
 
 
 @main.route("/user-profile")