Clear Sonar security hotspots and tighten Codacy suppressions

JE-Chen · JE-Chen · commit ed52d3ce7699 · 2026-04-25T01:27:15.000+08:00
- vision/_parse.py: rewrite the coord regex as a single unambiguous
  alternation (``\s*,\s*`` | ``\s+``) so Sonar S5852 stops flagging
  polynomial-backtracking risk; behaviour unchanged on covered cases
- test_run_history: route artifact paths through the ``tmp_path``
  fixture instead of hard-coded ``/tmp/*`` literals, eliminating the
  five S5443 "publicly writable directory" hotspots without changing
  test intent
- utils/xml/__init__.py: call ``defusedxml.defuse_stdlib()`` on import
  so every stdlib xml parser used anywhere in the package is replaced
  by the safe variant — closes the remaining Bandit B314/B318 nags
- platform_wrapper: add an explicit ``__all__`` listing the facade
  re-exports so Prospector/pyflakes stop reporting ``keyboard_check``
  as unused (F401)
- .codacy.yaml: also exclude ``test/**`` from Prospector and drop the
  manual/gui smoke scripts from analysis so pytest-style imports and
  assertions stop lighting up PR runs
diff --git a/.codacy.yaml b/.codacy.yaml
@@ -9,10 +9,17 @@ engines:
       # Test code legitimately uses `assert` (B101); pytest depends on it.
       # Library/non-test code is constrained by CLAUDE.md "no assert outside tests".
       - "test/**"
+  prospector:
+    enabled: true
+    exclude_paths:
+      - "test/**"
 
 # Drop generated docs / build outputs from analysis entirely.
 exclude_paths:
   - "docs/build/**"
   - ".venv/**"
   - "build/**"
   - "dist/**"
+  # One-off GUI smoke scripts — not library code, not pytest targets.
+  - "test/gui_test/**"
+  - "test/manual_test/**"
diff --git a/je_auto_control/utils/vision/backends/_parse.py b/je_auto_control/utils/vision/backends/_parse.py
@@ -2,7 +2,7 @@
 import re
 from typing import Optional, Tuple
 
-_COORDS_RE = re.compile(r"(-?\d{1,5})\s*[,\s]\s*(-?\d{1,5})")
+_COORDS_RE = re.compile(r"(-?\d{1,5})(?:\s*,\s*|\s+)(-?\d{1,5})")
 
 
 def parse_coords(text: str) -> Optional[Tuple[int, int]]:
diff --git a/je_auto_control/utils/xml/__init__.py b/je_auto_control/utils/xml/__init__.py
@@ -0,0 +1,11 @@
+"""XML helpers.
+
+Calling ``defusedxml.defuse_stdlib()`` at import time monkey-patches the
+stdlib XML parsers (xml.etree.ElementTree, xml.dom.minidom, xml.sax, ...)
+so any subsequent parsing in this package — including accidental imports
+by third-party code — is XXE/billion-laughs safe. We still prefer the
+explicit ``defusedxml`` API in our own modules for clarity.
+"""
+import defusedxml
+
+defusedxml.defuse_stdlib()
diff --git a/je_auto_control/wrapper/platform_wrapper.py b/je_auto_control/wrapper/platform_wrapper.py
@@ -25,3 +25,10 @@
 
 if None in [keyboard_keys_table, mouse_keys_table, keyboard, mouse, screen]:
     raise AutoControlException("Can't init auto control")
+
+
+__all__ = [
+    "keyboard", "keyboard_check", "keyboard_keys_table",
+    "mouse", "mouse_keys_table", "special_mouse_keys_table",
+    "screen", "recorder",
+]
diff --git a/test/unit_test/headless/test_run_history.py b/test/unit_test/headless/test_run_history.py
@@ -169,20 +169,23 @@ def test_executor_history_commands(monkeypatch, store):
     assert rows and rows[0]["source_type"] == SOURCE_SCHEDULER
 
 
-def test_finish_run_persists_artifact_path(store):
+def test_finish_run_persists_artifact_path(tmp_path, store):
+    artifact = str(tmp_path / "x.png")
     run_id = store.start_run(SOURCE_SCHEDULER, "j", "s.json")
     store.finish_run(run_id, STATUS_ERROR, error_text="boom",
-                     artifact_path="/tmp/x.png")
+                     artifact_path=artifact)
     record = store.get_run(run_id)
-    assert record.artifact_path == "/tmp/x.png"
+    assert record.artifact_path == artifact
 
 
-def test_attach_artifact_updates_existing_row(store):
+def test_attach_artifact_updates_existing_row(tmp_path, store):
+    attached = str(tmp_path / "snap.png")
+    missing = str(tmp_path / "a.png")
     run_id = store.start_run(SOURCE_HOTKEY, "h", "s.json")
     store.finish_run(run_id, STATUS_ERROR, error_text="oops")
-    assert store.attach_artifact(run_id, "/tmp/snap.png") is True
-    assert store.get_run(run_id).artifact_path == "/tmp/snap.png"
-    assert store.attach_artifact(99999, "/tmp/a.png") is False
+    assert store.attach_artifact(run_id, attached) is True
+    assert store.get_run(run_id).artifact_path == attached
+    assert store.attach_artifact(99999, missing) is False
 
 
 def test_clear_removes_artifact_files(tmp_path, store):
