Misc small security fixes, mostly using more secure RNGs and adding timeouts to requests in scripts

kaleko · kaleko · commit 4728c44bc1eb · 2025-11-13T15:45:49.000Z
diff --git a/scripts/post-deploy.py b/scripts/post-deploy.py
@@ -35,7 +35,7 @@ def generate_aws_exports(stack_name):
             "--output", "json"
         ]
 
-        result = subprocess.run(
+        result = subprocess.run(  # nosec B603 - command constructed from safe list, not user input
             command, 
             capture_output=True, 
             text=True, 
diff --git a/scripts/test-agent-invocation.py b/scripts/test-agent-invocation.py
@@ -20,7 +20,7 @@
 import socket
 import argparse
 import getpass
-import subprocess
+import subprocess  # nosec B404 - subprocess used securely with explicit parameters
 import signal
 import atexit
 from pathlib import Path
@@ -105,7 +105,7 @@ def start_local_agent(memory_id: str, region: str) -> subprocess.Popen:
     
     # Start agent process
     try:
-        _agent_process = subprocess.Popen(
+        _agent_process = subprocess.Popen(  # nosec B607 - command constructed from validated path, shell=False
             ["uv", "run", str(agent_path)],
             env=env,
             stdout=subprocess.PIPE,

Original file line number	Diff line number	Diff line change
`@@ -35,7 +35,7 @@ def generate_aws_exports(stack_name):`
`35`	`35`	`"--output", "json"`
`36`	`36`	`]`
`37`	`37`
`38`		`- result = subprocess.run(`
	`38`	`+ result = subprocess.run( # nosec B603 - command constructed from safe list, not user input`
`39`	`39`	`command,`
`40`	`40`	`capture_output=True,`
`41`	`41`	`text=True,`