rick/LEDMatrix
1
0
Fork 0
mirror of https://github.com/ChuckBuilds/LEDMatrix.git synced 2026-05-16 02:13:32 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: Codacy round-2 — urllib3 CVEs, missed JS/Python issues (#336)

Browse Source 
urllib3 CVEs (10 Trivy findings):
  plugin-repos/march-madness/requirements.txt: bump urllib3>=1.26.0 to
  >=2.2.2 to address CVE-2021-33503, CVE-2023-43804, CVE-2023-45803,
  CVE-2024-37891, and 2025-2026 decompression/redirect CVEs.

Missed code fixes from round-1:
  display_helper.py: remove unused draw=ImageDraw.Draw(img) — the method
  delegates to _draw_centered_text which creates its own draw context.
  custom-feeds.js:334: one bare removeCustomFeedRow(this) was missed by
  the earlier replace_all; changed to window.removeCustomFeedRow(this).
  app.js: add htmx to /* global */ declaration — htmx.ajax() is called
  at lines 146 and 172 but htmx was only declared in the extension files.
  timezone-selector.js:215: second unused catch (e) → catch {} missed
  when we fixed line 361 in round-1.

Bandit B110 annotations (3 new except/pass blocks from newer PRs):
  start.py: hostname -I IP parsing — non-critical startup info.
  display_controller.py: scroll_helper.get_portion_at — optional method.
  display_manager.py: canvas reset during cleanup — best-effort.

41 confirmed false positives suppressed via Codacy API:
  35x pyflakes in test/, plugin-repos/, scripts/ — not production code
  Flask 0.0.0.0, os.execvp, Bandit B603, vendor ESLint, already-fixed
  Biome noPrototypeBuiltins.

Co-authored-by: Chuck <chuck@example.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Chuck
2026-05-15 18:04:21 -04:00
committed by GitHub
parent d941c91f24
commit c6b79e11d5
8 changed files with 7 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
plugin-repos/march-madness/requirements.txt
View File

@@ -1,5 +1,5 @@
requests>=2.33.0 requests>=2.33.0
urllib3>=1.26.0 urllib3>=2.2.2
Pillow>=12.2.0 Pillow>=12.2.0
pytz>=2022.1 pytz>=2022.1
numpy>=1.24.0 numpy>=1.24.0

2
src/common/display_helper.py
View File

@@ -235,8 +235,6 @@ class DisplayHelper:
PIL Image with no data message PIL Image with no data message
""" """
img = self.create_base_image((0, 0, 0)) img = self.create_base_image((0, 0, 0))
draw = ImageDraw.Draw(img)
font = ImageFont.load_default() font = ImageFont.load_default()
self._draw_centered_text(message, font, (0, 0, 0), (150, 150, 150)) self._draw_centered_text(message, font, (0, 0, 0), (150, 150, 150))

2
src/display_controller.py
View File

@@ -823,7 +823,7 @@ class DisplayController:
scroll_h = getattr(plugin_instance, 'scroll_helper', None) scroll_h = getattr(plugin_instance, 'scroll_helper', None)
if scroll_h is not None: if scroll_h is not None:
follower_frame = scroll_h.get_portion_at(scroll_h.scroll_position + offset) follower_frame = scroll_h.get_portion_at(scroll_h.scroll_position + offset)
except Exception: except Exception: # nosec B110 - scroll_helper.get_portion_at is optional; skip on error
pass pass
# 3. Mirror fallback — static plugins (clock, weather) show same frame # 3. Mirror fallback — static plugins (clock, weather) show same frame

2
src/display_manager.py
View File

@@ -747,7 +747,7 @@ class DisplayManager:
try: try:
self.image = Image.new('RGB', (self.width, self.height)) self.image = Image.new('RGB', (self.width, self.height))
self.draw = ImageDraw.Draw(self.image) self.draw = ImageDraw.Draw(self.image)
except Exception: except Exception: # nosec B110 - best-effort canvas reset during cleanup; non-critical
pass pass
# Reset the singleton state when cleaning up # Reset the singleton state when cleaning up
DisplayManager._instance = None DisplayManager._instance = None

2
web_interface/start.py
View File

@@ -41,7 +41,7 @@ def get_local_ips():
ip = ip.strip() ip = ip.strip()
if ip and not ip.startswith("127.") and ip != "192.168.4.1": if ip and not ip.startswith("127.") and ip != "192.168.4.1":
ips.append(ip) ips.append(ip)
except Exception: except Exception: # nosec B110 - hostname -I output parsing; non-critical startup info
pass pass
# Fallback: try socket method # Fallback: try socket method

2
web_interface/static/v3/app.js
View File

@@ -1,4 +1,4 @@
/* global showNotification, updateSystemStats */ /* global showNotification, updateSystemStats, htmx */
// LED Matrix v3 JavaScript // LED Matrix v3 JavaScript
// Additional helpers for HTMX and Alpine.js integration // Additional helpers for HTMX and Alpine.js integration

2
web_interface/static/v3/js/widgets/custom-feeds.js
View File

@@ -331,7 +331,7 @@
removeButton.type = 'button'; removeButton.type = 'button';
removeButton.className = 'text-red-600 hover:text-red-800 px-2 py-1'; removeButton.className = 'text-red-600 hover:text-red-800 px-2 py-1';
removeButton.addEventListener('click', function() { removeButton.addEventListener('click', function() {
removeCustomFeedRow(this); window.removeCustomFeedRow(this);
}); });
const removeIcon = document.createElement('i'); const removeIcon = document.createElement('i');
removeIcon.className = 'fas fa-trash'; removeIcon.className = 'fas fa-trash';

2
web_interface/static/v3/js/widgets/timezone-selector.js
View File

@@ -212,7 +212,7 @@
const parts = formatter.formatToParts(now); const parts = formatter.formatToParts(now);
const offsetPart = parts.find(p => p.type === 'timeZoneName'); const offsetPart = parts.find(p => p.type === 'timeZoneName');
return offsetPart ? offsetPart.value : ''; return offsetPart ? offsetPart.value : '';
} catch (e) { } catch {
return ''; return '';
} }
} }