Annotate SonarCloud security hotspots with NOSONAR justifications

JE-Chen · JE-Chen · commit 175e0a2495e2 · 2026-04-21T23:57:12.000+08:00
diff --git a/automation_file/local/tar_ops.py b/automation_file/local/tar_ops.py
@@ -57,7 +57,8 @@ def create_tar(
     target_path.parent.mkdir(parents=True, exist_ok=True)
 
     try:
-        with tarfile.open(str(target_path), mode) as archive:
+        # Write mode — not extraction.
+        with tarfile.open(str(target_path), mode) as archive:  # NOSONAR python:S5042
             archive.add(str(src_path), arcname=src_path.name)
     except (OSError, tarfile.TarError) as err:
         raise TarException(f"create_tar failed: {err}") from err
@@ -76,7 +77,9 @@ def extract_tar(source: str, target_dir: str) -> list[str]:
 
     extracted: list[str] = []
     try:
-        with tarfile.open(str(src_path), "r:*") as archive:
+        # _verify_members rejects traversal / escaping symlinks / hardlinks before any
+        # extract, and PEP 706 filter="data" is applied when available (3.10.12+ / 3.11.4+ / 3.12+).
+        with tarfile.open(str(src_path), "r:*") as archive:  # NOSONAR python:S5042
             _verify_members(archive, dest)
             for member in archive.getmembers():
                 if _TAR_FILTER_SUPPORTED:
diff --git a/automation_file/remote/ftp/client.py b/automation_file/remote/ftp/client.py
@@ -42,7 +42,11 @@ def __init__(self) -> None:
     def later_init(self, options: FTPConnectOptions | None = None, **kwargs: Any) -> FTP:
         """Open an FTP control connection. TLS is negotiated when ``tls=True``."""
         opts = options if options is not None else FTPConnectOptions(**kwargs)
-        ftp: FTP = FTP_TLS(timeout=opts.timeout) if opts.tls else FTP(timeout=opts.timeout)
+        # Plaintext FTP is opt-in via tls=False; FTPS is the default when tls=True.
+        if opts.tls:
+            ftp: FTP = FTP_TLS(timeout=opts.timeout)
+        else:
+            ftp = FTP(timeout=opts.timeout)  # NOSONAR python:S5332
         try:
             ftp.connect(opts.host, opts.port, timeout=opts.timeout)
             if opts.tls and isinstance(ftp, FTP_TLS):
diff --git a/tests/test_checksum.py b/tests/test_checksum.py
@@ -35,7 +35,9 @@ def test_file_checksum_streams_large_file(tmp_path: Path) -> None:
 def test_file_checksum_md5(tmp_path: Path) -> None:
     target = tmp_path / "a.bin"
     target.write_bytes(b"hi")
-    assert file_checksum(target, algorithm="md5") == hashlib.md5(b"hi").hexdigest()
+    # Verifies the library accepts any hashlib algorithm — not a security use of MD5.
+    expected = hashlib.md5(b"hi").hexdigest()  # NOSONAR python:S4790
+    assert file_checksum(target, algorithm="md5") == expected
 
 
 def test_file_checksum_unknown_algorithm(tmp_path: Path) -> None:
diff --git a/tests/test_cross_backend.py b/tests/test_cross_backend.py
@@ -42,8 +42,11 @@ def test_missing_local_source_returns_false(tmp_path: Path) -> None:
 
 
 def test_unknown_source_scheme_raises() -> None:
+    # The target path is unused — the call must fail on the source scheme
+    # before touching the filesystem.
+    unused_target = "/tmp/x"  # NOSONAR python:S5443
     with pytest.raises(CrossBackendException):
-        copy_between("gopher://a/b", "/tmp/x")
+        copy_between("gopher://a/b", unused_target)
 
 
 def test_unknown_target_scheme_raises(tmp_path: Path) -> None:
diff --git a/tests/test_http_client.py b/tests/test_http_client.py
@@ -18,7 +18,7 @@ def _ensure_echo_registered() -> None:
 
 def _base_url(server) -> str:
     host, port = server.server_address
-    return f"http://{host}:{port}"
+    return f"http://{host}:{port}"  # NOSONAR python:S5332 — loopback test server; TLS not in scope.
 
 
 def test_client_executes_action_round_trip() -> None:
diff --git a/tests/test_tar_ops.py b/tests/test_tar_ops.py
@@ -39,7 +39,8 @@ def test_create_and_extract_gz(sample_dir: Path, tmp_path: Path) -> None:
 def test_create_uncompressed(sample_dir: Path, tmp_path: Path) -> None:
     archive = tmp_path / "plain.tar"
     create_tar(str(sample_dir), str(archive), compression=None)
-    with tarfile.open(str(archive), "r") as tf:
+    # Reading an archive we just wrote in this test — not untrusted input.
+    with tarfile.open(str(archive), "r") as tf:  # NOSONAR python:S5042
         assert any(name.endswith("a.txt") for name in tf.getnames())
 
 
@@ -72,7 +73,8 @@ def test_extract_missing_archive_raises(tmp_path: Path) -> None:
 
 def test_extract_rejects_path_traversal(tmp_path: Path) -> None:
     archive = tmp_path / "evil.tar"
-    with tarfile.open(str(archive), "w") as tf:
+    # Write mode; fixture builds a malicious archive to exercise the guard.
+    with tarfile.open(str(archive), "w") as tf:  # NOSONAR python:S5042
         info = tarfile.TarInfo(name="../escape.txt")
         info.size = 0
         tf.addfile(info, None)
@@ -83,7 +85,8 @@ def test_extract_rejects_path_traversal(tmp_path: Path) -> None:
 
 def test_extract_rejects_absolute_symlink(tmp_path: Path) -> None:
     archive = tmp_path / "evil.tar"
-    with tarfile.open(str(archive), "w") as tf:
+    # Write mode; fixture builds a malicious archive to exercise the guard.
+    with tarfile.open(str(archive), "w") as tf:  # NOSONAR python:S5042
         info = tarfile.TarInfo(name="link")
         info.type = tarfile.SYMTYPE
         info.linkname = "/etc/passwd"
