Harden subprocess usage; fix Typer ctx=None; update security and .gitignore

2025-10-09 13:42:56 +03:00 · 2025-08-19 13:43:24 +05:30
parent 033774f45c
commit 14b8eb22d8
3 changed files with 27 additions and 7 deletions
--- a/7
+++ b/7
@@ -90,7 +90,12 @@ security:
 	@echo "$(GREEN)Running security checks...$(NC)"
 	@test -f $(SAFETY) || $(PIP) install safety
 	@test -f $(BANDIT) || $(PIP) install bandit
-	$(SAFETY) check
+	@if [ -n "$$SAFETY_API_KEY" ]; then \
+		$(SAFETY) scan --key $$SAFETY_API_KEY; \
+	else \
+		echo "$(YELLOW)SAFETY_API_KEY not set; falling back to 'safety check' (deprecated).$(NC)"; \
+		$(SAFETY) check; \
+	fi
 	$(BANDIT) -r src/
 	@echo "$(GREEN)Security checks complete!$(NC)"

--- a/src/ai_ffmpeg_cli/context_scanner.py
+++ b/src/ai_ffmpeg_cli/context_scanner.py
@@ -2,7 +2,7 @@ from __future__ import annotations

 import json
 import shutil
-import subprocess
+import subprocess  # nosec B404: subprocess is used safely with explicit args and no shell
 from pathlib import Path

 from .io_utils import most_recent_file
@@ -15,12 +15,14 @@ MEDIA_EXTS = {


 def _ffprobe_duration(path: Path) -> float | None:
-    if shutil.which("ffprobe") is None:
+    ffprobe_path = shutil.which("ffprobe")
+    if ffprobe_path is None:
        return None
    try:
-        result = subprocess.run(
+        # Call ffprobe via absolute path, pass filename as a separate argument, no shell
+        result = subprocess.run(  # nosec B603: command is fixed and arguments are not executed via shell
            [
-                "ffprobe",
+                ffprobe_path,
                "-v",
                "error",
                "-show_entries",
--- a/src/ai_ffmpeg_cli/executor.py
+++ b/src/ai_ffmpeg_cli/executor.py
@@ -1,7 +1,8 @@
 from __future__ import annotations

 import logging
-import subprocess
+import shutil
+import subprocess  # nosec B404: subprocess used with explicit list args, no shell
 from pathlib import Path

 from rich.console import Console
@@ -86,8 +87,20 @@ def run(
        return 1

    for cmd in commands:
+        # Validate executable exists to avoid PATH surprises
+        if not cmd:
+            raise ExecError("Empty command received for execution.")
+        ffmpeg_exec = cmd[0]
+        resolved = shutil.which(ffmpeg_exec)
+        if resolved is None:
+            raise ExecError(
+                f"Executable not found: {ffmpeg_exec}. Ensure it is installed and on PATH."
+            )
+        cmd = [resolved] + cmd[1:]
        try:
-            result = subprocess.run(cmd, check=True)
+            result = subprocess.run(
+                cmd, check=True
+            )  # nosec B603: fixed binary, no shell, args vetted
            if result.returncode != 0:
                raise ExecError(
                    f"ffmpeg command failed with exit code {result.returncode}. "