Fix SonarCloud security rating: remove user-controlled data from sqlite filepath (#16516)

* Fix SonarCloud security rating by removing user-controlled data from sqlite filepath Replace os.path.basename(sys.argv[0]) with a hardcoded 'unknown' fallback in RecordedQueryLog.write() to eliminate path injection via CLI arguments. This resolves SonarCloud rule pythonsecurity:S8706 and helps restore the AWX security rating from C to A. Closes: AAP-80006 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Remove unused sys import from test_db.py Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-06-27 01:18:02 -02:30 · 2026-06-25 10:08:54 -03:00
parent 6d665dda33
commit 843f23f4cb
2 changed files with 2 additions and 3 deletions
--- a/awx/main/db/profiled_pg/base.py
+++ b/awx/main/db/profiled_pg/base.py
@@ -68,7 +68,7 @@ class RecordedQueryLog(object):
                    progname = match
                    break
            else:
-                progname = os.path.basename(sys.argv[0])
+                progname = 'unknown'
            filepath = os.path.join(self.dest, '{}.sqlite'.format(progname))
            version = _get_version('awx')
            log = sqlite3.connect(filepath, timeout=3)
--- a/awx/main/tests/unit/test_db.py
+++ b/awx/main/tests/unit/test_db.py
@@ -1,7 +1,6 @@
 import collections
 import os
 import sqlite3
 import sys
 import unittest
 import pytest
@@ -125,7 +124,7 @@ def test_sql_above_threshold(tmpdir):
        args, kw = _call
        assert args == ('EXPLAIN VERBOSE {}'.format(QUERY['sql']),)
-    path = os.path.join(tmpdir, '{}.sqlite'.format(os.path.basename(sys.argv[0])))
+    path = os.path.join(tmpdir, 'unknown.sqlite')
    assert os.path.exists(path)
    # verify the results