From 843f23f4cbf169db196d71530ee36ee36f9dc748 Mon Sep 17 00:00:00 2001 From: Rodrigo Toshiaki Horie Date: Thu, 25 Jun 2026 10:08:54 -0300 Subject: [PATCH] Fix SonarCloud security rating: remove user-controlled data from sqlite filepath (#16516) * Fix SonarCloud security rating by removing user-controlled data from sqlite filepath Replace os.path.basename(sys.argv[0]) with a hardcoded 'unknown' fallback in RecordedQueryLog.write() to eliminate path injection via CLI arguments. This resolves SonarCloud rule pythonsecurity:S8706 and helps restore the AWX security rating from C to A. Closes: AAP-80006 Co-Authored-By: Claude Opus 4.6 (1M context) * Remove unused sys import from test_db.py Co-Authored-By: Claude Opus 4.6 (1M context) --------- Co-authored-by: Claude Opus 4.6 (1M context) --- awx/main/db/profiled_pg/base.py | 2 +- awx/main/tests/unit/test_db.py | 3 +-- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/awx/main/db/profiled_pg/base.py b/awx/main/db/profiled_pg/base.py index da49f290fb..54aae49080 100644 --- a/awx/main/db/profiled_pg/base.py +++ b/awx/main/db/profiled_pg/base.py @@ -68,7 +68,7 @@ class RecordedQueryLog(object): progname = match break else: - progname = os.path.basename(sys.argv[0]) + progname = 'unknown' filepath = os.path.join(self.dest, '{}.sqlite'.format(progname)) version = _get_version('awx') log = sqlite3.connect(filepath, timeout=3) diff --git a/awx/main/tests/unit/test_db.py b/awx/main/tests/unit/test_db.py index dc40ea77f3..4e620d802c 100644 --- a/awx/main/tests/unit/test_db.py +++ b/awx/main/tests/unit/test_db.py @@ -1,7 +1,6 @@ import collections import os import sqlite3 -import sys import unittest import pytest @@ -125,7 +124,7 @@ def test_sql_above_threshold(tmpdir): args, kw = _call assert args == ('EXPLAIN VERBOSE {}'.format(QUERY['sql']),) - path = os.path.join(tmpdir, '{}.sqlite'.format(os.path.basename(sys.argv[0]))) + path = os.path.join(tmpdir, 'unknown.sqlite') assert os.path.exists(path) # verify the results