Fix security problems for bandit (#270)

CHANGES.rst

@@ -4,7 +4,8 @@ Changelog
 6.2.14 (unreleased)
 -------------------
 
-- Nothing changed yet.
+- Fix security problems for bandit.
+  [cekk]
 
 
 6.2.13 (2024-07-08)

src/design/plone/contenttypes/restapi/serializers/punto_di_contatto.py

@@ -63,8 +63,8 @@ def related_contents(self, field, portal_type):
         for rel in relations:
             try:
                 obj = intids.queryObject(rel.from_id)
-            except:  # noqa
-                continue
+            except Exception:
+                obj = None
             if (
                 obj is not None
                 and checkPermission("zope2.View", obj)

src/design/plone/contenttypes/restapi/services/scadenziario/post.py

@@ -64,7 +64,7 @@ def expand_events(
 
         """
 
-        assert ret_mode is not RET_MODE_BRAINS
+        assert ret_mode is not RET_MODE_BRAINS  # nosec
 
         exp_result = []
         for it in events:

src/design/plone/contenttypes/restapi/services/types/get.py

@@ -9,6 +9,8 @@
 from zope.interface import implementer
 from zope.publisher.interfaces import IPublishTraverse
 
+import ast
+
 
 class FieldsetsMismatchError(Exception):
     """Exception thrown when we try to reorder fieldsets, but the order list is
@@ -208,7 +210,7 @@ def customize_venue_schema(self, result):
 
             if "geolocation" in result["properties"]:
                 if not result["properties"]["geolocation"].get("default", {}):
-                    result["properties"]["geolocation"]["default"] = eval(
+                    result["properties"]["geolocation"]["default"] = ast.literal_eval(
                         api.portal.get_registry_record(
                             "geolocation", interface=IGeolocationDefaults
                         )

src/design/plone/contenttypes/upgrades/upgrades.py

@@ -464,7 +464,8 @@ def to_3000(context):
                 json.dumps({"it": value}),
                 interface=IDesignPloneSettings,
             )
-        except Exception:
+        except Exception:  # nosec
+            # do not do anything
             continue
 
     context.runAllImportStepsFromProfile("profile-design.plone.contenttypes:to_3000")

src/design/plone/contenttypes/vocabularies/argomenti_vocabulary.py

@@ -15,7 +15,9 @@ def __call__(self, context):
             [x.Title for x in api.content.find(portal_type="Pagina Argomento")]
         )
         values = sorted(list(values))
-        terms = [SimpleTerm(value="", token="", title="-- seleziona un valore --")]
+        terms = [
+            SimpleTerm(value="", token="", title="-- seleziona un valore --")  # nosec
+        ]  # nosec
         for value in values:
             terms.append(SimpleTerm(value=value, token=value, title=value))
 
@@ -30,7 +32,9 @@ def __call__(self, context):
         arguments = api.content.find(
             portal_type="Pagina Argomento", sort_on="sortable_title"
         )
-        terms = [SimpleTerm(value="", token="", title="-- seleziona un valore --")]
+        terms = [
+            SimpleTerm(value="", token="", title="-- seleziona un valore --")  # nosec
+        ]  # nosec
         for x in arguments:
             terms.append(SimpleTerm(value=x.UID, token=x.UID, title=x.Title))
 

src/design/plone/contenttypes/vocabularies/controlapanel_vocabularies.py

@@ -22,7 +22,7 @@ def __call__(self, context):
         terms = [SimpleTerm(value=x, token=x, title=x) for x in values]
         terms.insert(
             0,
-            SimpleTerm(value="", token="", title="-- seleziona un valore --"),
+            SimpleTerm(value="", token="", title="-- seleziona un valore --"),  # nosec
         )
 
         return SimpleVocabulary(terms)