chore: clear CodeQL app-code hygiene alerts#93
Conversation
Resolve the genuine (non-QZP) CodeQL findings in backend app code that remain after the QZP retirement: - py/commented-out-code: remove dead commented-out blocks in problems/admin.py, users/models.py, users/serializers.py - py/unused-import: celery.py imported 'Any' only inside a string annotation; use the runtime type form cast(type[Any], Celery) so the symbol is genuinely referenced (keeps the type-checker satisfied) - py/multiple-definition: drop the redundant first DJ_REST_AUTH assignment in settings.py (it is fully overwritten before use) - py/mixed-returns: normalize bare 'return' to 'return None' in CustomSocialAccountAdapter.pre_social_login No behavioral change.
|
Codex usage limits have been reached for code reviews. Please check with the admins of this repo to increase the limits by adding credits. |
Removes the hardcoded Django secret key and PostgreSQL password from settings.py (clears the SonarCloud hardcoded-credential / disclosed-key findings). Values now come from the environment with dev-only fallbacks: - SECRET_KEY <- DJANGO_SECRET_KEY (insecure dev default kept for local) - DATABASES PASSWORD/USER/NAME/HOST/PORT <- POSTGRES_* env vars CI is unaffected: settings_ci copies SECRET_KEY (always bound via the default) and overrides DATABASES to sqlite, so it never reads these. NOTE: the previously-committed secret remains in git history and should be rotated by a maintainer in any environment where it was real.
| "PORT": "5432", # Or your PostgreSQL port | ||
| "NAME": os.environ.get("POSTGRES_DB", "webcoder_db"), | ||
| "USER": os.environ.get("POSTGRES_USER", "webcoder_user"), | ||
| "PASSWORD": os.environ.get("POSTGRES_PASSWORD", ""), |
There was a problem hiding this comment.
Bug: The environment variable names in settings.py (e.g., POSTGRES_PASSWORD) are inconsistent with the .env.example file, which will cause deployment failures.
Severity: CRITICAL
Suggested Fix
Update the .env.example file to use the new POSTGRES_* environment variable names (POSTGRES_DB, POSTGRES_USER, POSTGRES_PASSWORD, POSTGRES_HOST, POSTGRES_PORT) to match the changes made in settings.py. This ensures the example configuration is consistent with the application's requirements.
Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI
agent. Verify if this is a real issue. If it is, propose a fix; if not, explain why it's
not valid.
Location: backend/webcoder_api/settings.py#L114
Potential issue: The environment variable names for database configuration were updated
in `settings.py` to use a `POSTGRES_*` prefix (e.g., `POSTGRES_PASSWORD`), but the
`.env.example` file was not updated and still refers to the old `DB_*` variables.
Consequently, anyone setting up the application using the example file will define
variables like `DB_PASSWORD`, which the application ignores. The code will then fall
back to using an empty string for `POSTGRES_PASSWORD`, causing database authentication
to fail and preventing the application from connecting to the database.
Did we get this right? 👍 / 👎 to inform future reviews.
Resolves the genuine (non-QZP) CodeQL code-scanning alerts that remain in backend app code after the QZP retirement (#91/#92). No behavioral change.
py/commented-out-code— remove dead commented-out blocks inproblems/admin.py,users/models.py,users/serializers.pypy/unused-import—celery.pyimportedAnyonly inside the string annotation"type[Any]"; switched to the runtime formcast(type[Any], Celery)so the symbol is genuinely referenced (keeps the type-checker happy while clearing the alert)py/multiple-definition— drop the redundant firstDJ_REST_AUTHassignment insettings.py(fully overwritten before use)py/mixed-returns— normalize barereturntoreturn NoneinCustomSocialAccountAdapter.pre_social_loginThe 3
py/ineffectual-statementhits areProtocol...method stubs (idiomatic typing; CodeQL false positive) and thefinal_errordefault is a defensive initializer; these are dismissed in code scanning rather than uglified.