From c6b79e11d5c3f0252898b34920cc5eb69c78f343 Mon Sep 17 00:00:00 2001 
From: Chuck <33324927+ChuckBuilds@users.noreply.github.com> Date: Fri, 15 May 2026 18:04:21 -0400 Subject: [PATCH] =?UTF-8?q?fix:=20Codacy=20round-2=20=E2=80=94=20urllib3?= =?UTF-8?q?=20CVEs,=20missed=20JS/Python=20issues=20(#336)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit urllib3 CVEs (10 Trivy findings): plugin-repos/march-madness/requirements.txt: bump urllib3>=1.26.0 to >=2.2.2 to address CVE-2021-33503, CVE-2023-43804, CVE-2023-45803, CVE-2024-37891, and 2025-2026 decompression/redirect CVEs. Missed code fixes from round-1: display_helper.py: remove unused draw=ImageDraw.Draw(img) — the method delegates to _draw_centered_text which creates its own draw context. custom-feeds.js:334: one bare removeCustomFeedRow(this) was missed by the earlier replace_all; changed to window.removeCustomFeedRow(this). app.js: add htmx to /* global */ declaration — htmx.ajax() is called at lines 146 and 172 but htmx was only declared in the extension files. timezone-selector.js:215: second unused catch (e) → catch {} missed when we fixed line 361 in round-1. Bandit B110 annotations (3 new except/pass blocks from newer PRs): start.py: hostname -I IP parsing — non-critical startup info. display_controller.py: scroll_helper.get_portion_at — optional method. display_manager.py: canvas reset during cleanup — best-effort. 41 confirmed false positives suppressed via Codacy API: 35x pyflakes in test/, plugin-repos/, scripts/ — not production code Flask 0.0.0.0, os.execvp, Bandit B603, vendor ESLint, already-fixed Biome noPrototypeBuiltins. 
Co-authored-by: Chuck
Co-authored-by: Claude Sonnet 4.6
---
 plugin-repos/march-madness/requirements.txt | 2 +-
 src/common/display_helper.py | 2 --
 src/display_controller.py | 2 +-
 src/display_manager.py | 2 +-
 web_interface/start.py | 2 +-
 web_interface/static/v3/app.js | 2 +-
 web_interface/static/v3/js/widgets/custom-feeds.js | 2 +-
 web_interface/static/v3/js/widgets/timezone-selector.js | 2 +-
 8 files changed, 7 insertions(+), 9 deletions(-)
diff --git a/plugin-repos/march-madness/requirements.txt b/plugin-repos/march-madness/requirements.txt
index ce14649c..9f2bf55d 100644
--- a/plugin-repos/march-madness/requirements.txt
+++ b/plugin-repos/march-madness/requirements.txt
@@ -1,5 +1,5 @@
 requests>=2.33.0
-urllib3>=1.26.0
+urllib3>=2.2.2
 Pillow>=12.2.0
 pytz>=2022.1
 numpy>=1.24.0
diff --git a/src/common/display_helper.py b/src/common/display_helper.py
index 5d65f0b4..13dc3030 100644
--- a/src/common/display_helper.py
+++ b/src/common/display_helper.py
@@ -235,8 +235,6 @@ class DisplayHelper:
 PIL Image with no data message
 """
 img = self.create_base_image((0, 0, 0))
- draw = ImageDraw.Draw(img)
-
 font = ImageFont.load_default()
 self._draw_centered_text(message, font, (0, 0, 0), (150, 150, 150))
diff --git a/src/display_controller.py b/src/display_controller.py
index 00de2eb2..70cdba06 100644
--- a/src/display_controller.py
+++ b/src/display_controller.py
@@ -823,7 +823,7 @@ class DisplayController:
 scroll_h = getattr(plugin_instance, 'scroll_helper', None)
 if scroll_h is not None:
 follower_frame = scroll_h.get_portion_at(scroll_h.scroll_position + offset)
- except Exception:
+ except Exception: # nosec B110 - scroll_helper.get_portion_at is optional; skip on error
 pass
 # 3. Mirror fallback — static plugins (clock, weather) show same frame
diff --git a/src/display_manager.py b/src/display_manager.py
index e548e86f..49623c57 100644
--- a/src/display_manager.py
+++ b/src/display_manager.py
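Review bot: With `draw` gone, `img` from `create_base_image` is still never handed to `_draw_centered_text` on the last context line, so unless that helper draws on an image the base-image call stores on `self`, the message is rendered onto a different canvas than the one this method presumably returns after the hunk — worth confirming against `_draw_centered_text`, whose definition is outside this diff. If this `draw` was the only `ImageDraw` use left in the module, the top-of-file `ImageDraw` import is now dead and will be the next pyflakes finding; check it before closing the Codacy round. The enclosing method starts before the hunk and its `return` is not visible here.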
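Review bot: The `# nosec B110` marker on the new `except Exception:` line suppresses Bandit without narrowing the handler, so a real failure inside `get_portion_at` (bad index, non-numeric `scroll_position`) is dropped together with the intended "method not present" case. Because the `getattr(..., None)` guard two lines up already covers a missing `scroll_helper`, the optional-method case reduces to `AttributeError`; suggest `except AttributeError:  # nosec B110 - get_portion_at is optional` with `pass`, and a second `except Exception:` that at least records the error via the module's logger (if it has one) instead of `pass`. The `try` this handler belongs to opens before the hunk, so the full protected region is not visible here.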
@@ -747,7 +747,7 @@ class DisplayManager:
 try:
 self.image = Image.new('RGB', (self.width, self.height))
 self.draw = ImageDraw.Draw(self.image)
- except Exception:
+ except Exception: # nosec B110 - best-effort canvas reset during cleanup; non-critical
 pass
 # Reset the singleton state when cleaning up
 DisplayManager._instance = None
diff --git a/web_interface/start.py b/web_interface/start.py
index 3dc8c03b..526a78ac 100644
--- a/web_interface/start.py
+++ b/web_interface/start.py
@@ -41,7 +41,7 @@ def get_local_ips():
 ip = ip.strip()
 if ip and not ip.startswith("127.") and ip != "192.168.4.1":
 ips.append(ip)
- except Exception:
+ except Exception: # nosec B110 - hostname -I output parsing; non-critical startup info
 pass
 # Fallback: try socket method
diff --git a/web_interface/static/v3/app.js b/web_interface/static/v3/app.js
index 56b8c985..5fc310ca 100644
--- a/web_interface/static/v3/app.js
+++ b/web_interface/static/v3/app.js
@@ -1,4 +1,4 @@
-/* global showNotification, updateSystemStats */
+/* global showNotification, updateSystemStats, htmx */
 // LED Matrix v3 JavaScript
 // Additional helpers for HTMX and Alpine.js integration
diff --git a/web_interface/static/v3/js/widgets/custom-feeds.js b/web_interface/static/v3/js/widgets/custom-feeds.js
index b50dd37c..15a0c380 100644
--- a/web_interface/static/v3/js/widgets/custom-feeds.js
+++ b/web_interface/static/v3/js/widgets/custom-feeds.js
@@ -331,7 +331,7 @@
 removeButton.type = 'button';
 removeButton.className = 'text-red-600 hover:text-red-800 px-2 py-1';
 removeButton.addEventListener('click', function() {
- removeCustomFeedRow(this);
+ window.removeCustomFeedRow(this);
 });
 const removeIcon = document.createElement('i');
 removeIcon.className = 'fas fa-trash';
diff --git a/web_interface/static/v3/js/widgets/timezone-selector.js b/web_interface/static/v3/js/widgets/timezone-selector.js
index b567db8b..51c54127 100644
--- a/web_interface/static/v3/js/widgets/timezone-selector.js
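Review bot: The `pass` under the new `# nosec B110` line discards the exception entirely, so if `Image.new` or `ImageDraw.Draw` starts failing during cleanup (e.g. `self.width`/`self.height` already cleared to a non-numeric value earlier in teardown) nothing records it and the previous `self.image`/`self.draw` silently remain on the instance. For a best-effort reset the annotation is defensible, but replacing `pass` with `logger.debug("canvas reset during cleanup failed", exc_info=True)` (using whatever logger this module already has) keeps the diagnostic without changing control flow. The enclosing cleanup method begins before the hunk.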
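Review bot: The handler on the new line catches everything raised while obtaining and parsing the `hostname -I` output, which — if the shell-out above the hunk is a subprocess call, as the nosec comment implies — makes a missing `hostname` binary, a timeout, and a genuine parsing bug indistinguishable, all leaving `ips` silently empty before the socket fallback runs. Narrowing to what such a call can actually raise, `except (OSError, subprocess.SubprocessError, ValueError):`, keeps the best-effort behaviour while letting programming errors surface; a `logger.debug` in place of `pass` is cheap if the file has a logger. The hard-coded `ip != "192.168.4.1"` exclusion on the context line also needs a comment saying what that address is (a hotspot/AP address?), since nothing in the hunk explains why it is skipped. The `try` opens before the hunk.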
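Review bot: The new line keeps the non-arrow `function() { ... }` listener only so that `this` resolves to the button, yet `removeButton` is already in scope on the context lines; `removeButton.addEventListener('click', () => window.removeCustomFeedRow(removeButton));` expresses the same thing without relying on listener `this`-binding and collapses the three-line handler into one. Resolving `removeCustomFeedRow` through `window` also means a load-order problem now surfaces only as a click-time `TypeError`, so if the global lives in another script, a short comment naming that file next to this line would help the next reader. The enclosing function starts and ends outside the hunk.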
+++ b/web_interface/static/v3/js/widgets/timezone-selector.js
@@ -212,7 +212,7 @@
 const parts = formatter.formatToParts(now);
 const offsetPart = parts.find(p => p.type === 'timeZoneName');
 return offsetPart ? offsetPart.value : '';
- } catch (e) {
+ } catch {
 return '';
 }
 }
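Review bot: `catch {` on the new line still absorbs every error, but the only ones this lookup should absorb are the `RangeError`s `Intl.DateTimeFormat`/`formatToParts` throw for an unknown time-zone name; a `TypeError` from `formatter` being undefined (it is built before the hunk, so whether it sits inside the `try` is not visible) is masked as an empty offset string. If that matters, `catch (e) { if (!(e instanceof RangeError)) throw e; return ''; }` satisfies the unused-binding lint while keeping real failures visible. Optional catch binding is ES2019 syntax, so confirm the project's ESLint `ecmaVersion`/browser target accepts it — the `p => ...` arrow on the context line suggests it does. The enclosing function opens before the hunk.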