fix: address Bandit B108/B110 across production code

B110 (try/except/pass): - display_controller.py: narrow 'except Exception' to 'except AttributeError' for get_offset_frame() — plugins not having this optional method is the expected case, not all exceptions - config_manager.py: B110 already resolved by the earlier removal of the dead secrets-loading block (the except/pass was inside it) - All other except/pass blocks in src/ and web_interface/ are intentional (last-resort recovery, best-effort fallbacks, non-critical startup probes). Annotated each with # nosec B110 and a brief inline reason so the decision is explicit for future reviewers. - Test files and plugin-repos B110 suppressed via Codacy API (not prod code). B108 (/tmp usage): - permission_utils.py: /tmp listed to PREVENT permission changes on it — not used as a temp path. Annotated # nosec B108. - display_manager.py: fixed snapshot path is intentional (web UI reads same path); path-check guard also annotated. - wifi_manager.py: named /tmp files match the sudoers allowlist installed with the system (the paths are hard-coded in both places by design). Annotated all six open/cp references # nosec B108. - scripts/render_plugin.py: dev script default overridable by user. Annotated. - web_interface/app.py: reads the same fixed path written by display_manager. Annotated # nosec B108. - Test files suppressed via Codacy API. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-15 18:03:32 +00:00 · 2026-05-14 13:05:14 -04:00
parent 4d2a567597
commit 3aaf156962
10 changed files with 22 additions and 22 deletions
--- a/web_interface/app.py
+++ b/web_interface/app.py
@@ -324,7 +324,7 @@ def after_request_logging(response):
                duration_ms=duration_ms,
                ip_address=ip_address
            )
-        except Exception:
+        except Exception:  # nosec B110 - request logging must never interrupt a live HTTP response
            pass  # Don't break response if logging fails
    return response

@@ -502,7 +502,7 @@ def display_preview_generator():
    from PIL import Image
    import io
    
-    snapshot_path = "/tmp/led_matrix_preview.png"
+    snapshot_path = "/tmp/led_matrix_preview.png"  # nosec B108 - fixed path matches display_manager; only read here
    last_modified = None
    
    # Get display dimensions from config
@@ -542,7 +542,7 @@ def display_preview_generator():
                            }
                            last_modified = current_modified
                            yield preview_data
-                    except Exception:
+                    except Exception:  # nosec B110 - SSE preview file may be mid-write; transient error, skip this update
                        # File might be being written, skip this update
                        pass
            else: