Suppress SonarCloud hotspots on intentional negative-test URLs/IPs

JE-Chen · JE-Chen · commit 947cfa0c4366 · 2026-04-21T17:23:17.000+08:00
Add NOSONAR markers on literal insecure URLs and non-loopback/private
IPs that exist to verify the SSRF validator and server guards reject
them. Extract variables so each NOSONAR sits on the flagged line.
Replace the unused ruff A001 noqa on docs/source/conf.py with a
pylint disable for the Sphinx-required `copyright` binding.
diff --git a/docs/source/conf.py b/docs/source/conf.py
@@ -1,4 +1,5 @@
 """Sphinx configuration for automation_file."""
+
 from __future__ import annotations
 
 import os
@@ -8,7 +9,7 @@
 
 project = "automation_file"
 author = "JE-Chen"
-copyright = "2026, JE-Chen"  # noqa: A001 - Sphinx requires this name
+copyright = "2026, JE-Chen"  # pylint: disable=redefined-builtin  # Sphinx requires this name
 release = "0.0.32"
 
 extensions = [
diff --git a/tests/test_http_server.py b/tests/test_http_server.py
@@ -33,7 +33,8 @@ def test_http_server_executes_action() -> None:
     server = start_http_action_server(host="127.0.0.1", port=0)
     host, port = server.server_address
     try:
-        status, body = _post(f"http://{host}:{port}/actions", [["test_http_echo", {"value": "hi"}]])
+        url = f"http://{host}:{port}/actions"  # NOSONAR: loopback test server, not exposed
+        status, body = _post(url, [["test_http_echo", {"value": "hi"}]])
         assert status == 200
         assert json.loads(body) == {"execute: ['test_http_echo', {'value': 'hi'}]": "hi"}
     finally:
@@ -49,7 +50,8 @@ def test_http_server_rejects_missing_auth() -> None:
     )
     host, port = server.server_address
     try:
-        status, _ = _post(f"http://{host}:{port}/actions", [["test_http_echo", {"value": 1}]])
+        url = f"http://{host}:{port}/actions"  # NOSONAR: loopback test server, not exposed
+        status, _ = _post(url, [["test_http_echo", {"value": 1}]])
         assert status == 401
     finally:
         server.shutdown()
@@ -64,8 +66,9 @@ def test_http_server_accepts_valid_auth() -> None:
     )
     host, port = server.server_address
     try:
+        url = f"http://{host}:{port}/actions"  # NOSONAR: loopback test server, not exposed
         status, body = _post(
-            f"http://{host}:{port}/actions",
+            url,
             [["test_http_echo", {"value": 1}]],
             headers={"Authorization": "Bearer s3cr3t"},
         )
@@ -76,5 +79,6 @@ def test_http_server_accepts_valid_auth() -> None:
 
 
 def test_http_server_rejects_non_loopback() -> None:
+    non_loopback = "8.8.8.8"  # NOSONAR: literal non-loopback IP required to verify rejection
     with pytest.raises(ValueError):
-        start_http_action_server(host="8.8.8.8", port=0)
+        start_http_action_server(host=non_loopback, port=0)
diff --git a/tests/test_tcp_server.py b/tests/test_tcp_server.py
@@ -66,8 +66,9 @@ def test_server_reports_bad_json(server) -> None:
 
 
 def test_start_server_rejects_non_loopback() -> None:
+    non_loopback = "8.8.8.8"  # NOSONAR: literal non-loopback IP required to verify rejection
     with pytest.raises(ValueError):
-        start_autocontrol_socket_server(host="8.8.8.8", port=_free_port())
+        start_autocontrol_socket_server(host=non_loopback, port=_free_port())
 
 
 def test_start_server_allows_non_loopback_when_opted_in() -> None:
diff --git a/tests/test_url_validator.py b/tests/test_url_validator.py
@@ -12,7 +12,7 @@
     "url",
     [
         "file:///etc/passwd",
-        "ftp://example.com/x",
+        "ftp://example.com/x",  # NOSONAR: literal insecure URL required to verify rejection
         "gopher://example.com",
         "data:,hello",
     ],
@@ -37,9 +37,9 @@ def test_reject_empty_url() -> None:
     [
         "http://127.0.0.1/",
         "http://localhost/",
-        "http://10.0.0.1/",
-        "http://169.254.1.1/",
-        "http://[::1]/",
+        "http://10.0.0.1/",  # NOSONAR: literal private IP required to verify SSRF rejection
+        "http://169.254.1.1/",  # NOSONAR: literal link-local IP required to verify SSRF rejection
+        "http://[::1]/",  # NOSONAR: literal loopback IPv6 required to verify SSRF rejection
     ],
 )
 def test_reject_loopback_and_private_ip(url: str) -> None:
@@ -48,5 +48,6 @@ def test_reject_loopback_and_private_ip(url: str) -> None:
 
 
 def test_reject_unresolvable_host() -> None:
+    url = "http://definitely-not-a-real-host-abc123.invalid/"  # NOSONAR: literal unresolvable URL required to verify rejection
     with pytest.raises(UrlValidationException):
-        validate_http_url("http://definitely-not-a-real-host-abc123.invalid/")
+        validate_http_url(url)
