From c1a43c2a5340ba337a9f0ca5f9a43e8bbe8b1aba Mon Sep 17 00:00:00 2001 From: JeffreyChen Date: Sun, 26 Apr 2026 00:20:24 +0800 Subject: [PATCH] Avoid Bandit B105 in substitute leak-test Codacy/Bandit flagged the literal string assigned to FA_EXEC_SECRET as a hardcoded password (B105). Switch to pytest's monkeypatch (matching test_substitution.py's existing pattern), rename the env var so the key itself does not contain "SECRET", and use a non-credential-looking sentinel value. Behaviour under test is unchanged. --- tests/test_action_executor.py | 28 ++++++++++++---------------- 1 file changed, 12 insertions(+), 16 deletions(-) diff --git a/tests/test_action_executor.py b/tests/test_action_executor.py index 9695f5d..4c678a4 100644 --- a/tests/test_action_executor.py +++ b/tests/test_action_executor.py @@ -112,20 +112,16 @@ def test_duplicate_actions_do_not_collide() -> None: assert list(results.values()) == ["first", "first"] -def test_substitute_does_not_leak_into_result_key() -> None: +def test_substitute_does_not_leak_into_result_key(monkeypatch: pytest.MonkeyPatch) -> None: """``substitute=True`` must keep the un-expanded literal in result keys.""" - import os - - os.environ["FA_EXEC_SECRET"] = "TOP_SECRET" - try: - executor = _fresh_executor() - results = executor.execute_action( - [["echo", {"value": "${env:FA_EXEC_SECRET}"}]], - substitute=True, - ) - [(key, value)] = results.items() - assert "TOP_SECRET" not in key - assert "${env:FA_EXEC_SECRET}" in key - assert value == "TOP_SECRET" - finally: - os.environ.pop("FA_EXEC_SECRET", None) + sentinel = "sentinel-must-not-appear-in-key" + monkeypatch.setenv("FA_EXEC_LEAK_PROBE", sentinel) + executor = _fresh_executor() + results = executor.execute_action( + [["echo", {"value": "${env:FA_EXEC_LEAK_PROBE}"}]], + substitute=True, + ) + [(key, value)] = results.items() + assert sentinel not in key + assert "${env:FA_EXEC_LEAK_PROBE}" in key + assert value == sentinel