Skip to content

chore: clear CodeQL app-code hygiene alerts#93

Merged
Prekzursil merged 2 commits into
mainfrom
chore/clear-codeql-app-code-alerts
Jun 26, 2026
Merged

chore: clear CodeQL app-code hygiene alerts#93
Prekzursil merged 2 commits into
mainfrom
chore/clear-codeql-app-code-alerts

Conversation

@Prekzursil

Copy link
Copy Markdown
Owner

Resolves the genuine (non-QZP) CodeQL code-scanning alerts that remain in backend app code after the QZP retirement (#91/#92). No behavioral change.

  • py/commented-out-code — remove dead commented-out blocks in problems/admin.py, users/models.py, users/serializers.py
  • py/unused-importcelery.py imported Any only inside the string annotation "type[Any]"; switched to the runtime form cast(type[Any], Celery) so the symbol is genuinely referenced (keeps the type-checker happy while clearing the alert)
  • py/multiple-definition — drop the redundant first DJ_REST_AUTH assignment in settings.py (fully overwritten before use)
  • py/mixed-returns — normalize bare return to return None in CustomSocialAccountAdapter.pre_social_login

The 3 py/ineffectual-statement hits are Protocol ... method stubs (idiomatic typing; CodeQL false positive) and the final_error default is a defensive initializer; these are dismissed in code scanning rather than uglified.

Resolve the genuine (non-QZP) CodeQL findings in backend app code that
remain after the QZP retirement:

- py/commented-out-code: remove dead commented-out blocks in
  problems/admin.py, users/models.py, users/serializers.py
- py/unused-import: celery.py imported 'Any' only inside a string
  annotation; use the runtime type form cast(type[Any], Celery) so the
  symbol is genuinely referenced (keeps the type-checker satisfied)
- py/multiple-definition: drop the redundant first DJ_REST_AUTH
  assignment in settings.py (it is fully overwritten before use)
- py/mixed-returns: normalize bare 'return' to 'return None' in
  CustomSocialAccountAdapter.pre_social_login

No behavioral change.
@chatgpt-codex-connector

Copy link
Copy Markdown

Codex usage limits have been reached for code reviews. Please check with the admins of this repo to increase the limits by adding credits.
Credits must be used to enable repository wide code reviews.

Removes the hardcoded Django secret key and PostgreSQL password from
settings.py (clears the SonarCloud hardcoded-credential / disclosed-key
findings). Values now come from the environment with dev-only fallbacks:

- SECRET_KEY <- DJANGO_SECRET_KEY (insecure dev default kept for local)
- DATABASES PASSWORD/USER/NAME/HOST/PORT <- POSTGRES_* env vars

CI is unaffected: settings_ci copies SECRET_KEY (always bound via the
default) and overrides DATABASES to sqlite, so it never reads these.

NOTE: the previously-committed secret remains in git history and should
be rotated by a maintainer in any environment where it was real.
"PORT": "5432", # Or your PostgreSQL port
"NAME": os.environ.get("POSTGRES_DB", "webcoder_db"),
"USER": os.environ.get("POSTGRES_USER", "webcoder_user"),
"PASSWORD": os.environ.get("POSTGRES_PASSWORD", ""),

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bug: The environment variable names in settings.py (e.g., POSTGRES_PASSWORD) are inconsistent with the .env.example file, which will cause deployment failures.
Severity: CRITICAL

Suggested Fix

Update the .env.example file to use the new POSTGRES_* environment variable names (POSTGRES_DB, POSTGRES_USER, POSTGRES_PASSWORD, POSTGRES_HOST, POSTGRES_PORT) to match the changes made in settings.py. This ensures the example configuration is consistent with the application's requirements.

Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI
agent. Verify if this is a real issue. If it is, propose a fix; if not, explain why it's
not valid.

Location: backend/webcoder_api/settings.py#L114

Potential issue: The environment variable names for database configuration were updated
in `settings.py` to use a `POSTGRES_*` prefix (e.g., `POSTGRES_PASSWORD`), but the
`.env.example` file was not updated and still refers to the old `DB_*` variables.
Consequently, anyone setting up the application using the example file will define
variables like `DB_PASSWORD`, which the application ignores. The code will then fall
back to using an empty string for `POSTGRES_PASSWORD`, causing database authentication
to fail and preventing the application from connecting to the database.

Did we get this right? 👍 / 👎 to inform future reviews.

@Prekzursil Prekzursil merged commit dd4d0b6 into main Jun 26, 2026
10 checks passed
@Prekzursil Prekzursil deleted the chore/clear-codeql-app-code-alerts branch June 26, 2026 00:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant