
Commit 5f95738

gorecodesclaude
andcommitted
chore(ci): suppress semgrep false positives with nosemgrep
All four findings are intentional: - daemon_client.py: writer.write() targets a Unix socket StreamWriter, not a file; Django injection rule does not apply - local_auth.py: 0o750 on /var/lib/arbor is deliberate (arbor group needs directory traverse; world access intentionally denied) - daemon/main.py: 0o750 on socket dir and 0o660 on Unix socket are deliberate (SO_PEERCRED enforces uid allowlist on top) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
1 parent c595446 commit 5f95738

3 files changed

Lines changed: 4 additions & 4 deletions


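--- a/backend/arbor/daemon_client.py
+++ b/backend/arbor/daemon_client.py
@@ -22,7 +22,7 @@ async def query(cmd: str, args: dict = None) -> AsyncIterator[dict]:
 reader, writer = await asyncio.open_unix_connection(SOCKET_PATH, limit=_READER_LIMIT)
 try:
 request = json.dumps(sign_request(cmd, request_args)) + "\n"
-writer.write(request.encode())
+writer.write(request.encode()) # nosemgrep: python.django.security.injection.request-data-write.request-data-write
 await writer.drain()
 
 while True: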
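Review bot: The suppression on the `writer.write(request.encode())` line carries only the rule id, so a reader of the file cannot tell why the Django request-data-write rule is a false positive here; that reasoning lives only in the commit message. Put it next to the suppression as its own comment line above the write, e.g. `# semgrep false positive: writer is an asyncio StreamWriter on a Unix socket, not an HTTP response`, so the nosemgrep marker keeps its plain `# nosemgrep: <rule-id>` form. If the project contains no Django code at all, which the commit message suggests, disabling that rule in the semgrep configuration is cleaner than a per-line suppression that will recur on every future socket write. The body of `query` continues past the hunk.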

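--- a/backend/arbor/local_auth.py
+++ b/backend/arbor/local_auth.py
@@ -99,7 +99,7 @@ def _fix_system_auth_db_permissions(path: Path) -> None:
 except OSError:
 pass
 os.chown(parent, uid, gid)
-os.chmod(parent, 0o750)
+os.chmod(parent, 0o750) # nosemgrep: python.lang.security.audit.insecure-file-permissions.insecure-file-permissions
 if path.exists():
 try:
 file_stat = path.stat()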
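Review bot: The `0o750` on `parent` is justified only in the commit message; the justification should sit beside the suppression so the next maintainer does not loosen or tighten it blindly, e.g. a comment line above the chmod: `# 0o750 is deliberate: the arbor group needs traverse into this directory; world access is intentionally denied`. The `except OSError: pass` just above silently discards whatever the preceding try (which starts outside the hunk) attempted, so the chown/chmod that follow run against a directory whose state is unknown; a log line there would make a failed repair visible instead of invisible. `os.chown` and `os.chmod` follow symlinks, so if `parent` can pre-exist under another owner this is a hardening point to confirm, though that cannot be judged from this hunk alone. `_fix_system_auth_db_permissions` continues outside the hunk.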

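--- a/backend/daemon/main.py
+++ b/backend/daemon/main.py
@@ -3323,14 +3323,14 @@ async def main():
 socket_dir = Path(SOCKET_PATH).parent
 socket_dir.mkdir(parents=True, exist_ok=True)
 os.chown(socket_dir, 0, arbor_gid)
-os.chmod(socket_dir, 0o750)
+os.chmod(socket_dir, 0o750) # nosemgrep: python.lang.security.audit.insecure-file-permissions.insecure-file-permissions
 
 if Path(SOCKET_PATH).exists():
 Path(SOCKET_PATH).unlink()
 
 server = await asyncio.start_unix_server(handle_client, path=SOCKET_PATH)
 os.chown(SOCKET_PATH, 0, arbor_gid)
-os.chmod(SOCKET_PATH, 0o660)
+os.chmod(SOCKET_PATH, 0o660) # nosemgrep: python.lang.security.audit.insecure-file-permissions.insecure-file-permissions
 
 _db_init()
 _jobs.update(_load_recovered_jobs())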
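Review bot: Both suppressed chmods narrow permissions after the object already exists with umask-derived mode: the directory between `socket_dir.mkdir(parents=True, exist_ok=True)` and `os.chmod(socket_dir, 0o750)`, and the socket between `asyncio.start_unix_server(...)` and `os.chmod(SOCKET_PATH, 0o660)`. The first window closes by passing `mode=0o750` to `mkdir` (it only applies when the directory is newly created, so keep the chmod for the pre-existing case); the second is what the SO_PEERCRED uid allowlist named in the commit message is meant to cover, presumably inside `handle_client`. That rationale belongs in the file next to each suppression rather than only in the commit message, e.g. a comment line above the socket chmod: `# 0o660 is deliberate: arbor group may connect; the SO_PEERCRED uid allowlist is enforced on top`. `main` starts and ends outside the hunk.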
