fix: address SonarCloud security hotspots on PR #105

JE-Chen · JE-Chen · commit 831da7710fff · 2026-04-28T22:55:24.000+08:00
- githubactions:S7631 (publish-pypi.yml workflow_run gating):
  Tighten the trigger so the publish job only runs when the
  upstream CI completed on the main branch and was not itself a
  pull_request event. Check out workflow_run.head_sha instead of
  the moving main ref so we publish exactly the commit that passed
  CI, and push the version-bump commit via HEAD:refs/heads/main so
  a concurrent push to main fails fast as non-fast-forward rather
  than silently overwriting newer history.

- python:S5332 (influxdb_sink http literal heuristic):
  Rename the helper from _send_http to _post_line_protocol. The
  scheme allowlist already permits both http:// and https://; the
  Sonar heuristic flagged the literal 'http' in the function name,
  which wasn't actually a configuration. The new name documents
  intent (POST one line-protocol record) without the literal.
diff --git a/.github/workflows/publish-pypi.yml b/.github/workflows/publish-pypi.yml
@@ -11,15 +11,24 @@ permissions:
 
 jobs:
   publish:
-    if: ${{ github.event.workflow_run.conclusion == 'success' }}
+    # Run only when the upstream CI on the trusted main branch finished
+    # successfully. workflow_run carries head_branch + head_sha so we can
+    # gate strictly on the main branch and check out the exact commit
+    # that passed CI, avoiding any race with a later push to main and
+    # ensuring no fork-originated ref is ever materialised here.
+    if: >-
+      ${{ github.event.workflow_run.conclusion == 'success'
+          && github.event.workflow_run.head_branch == 'main'
+          && github.event.workflow_run.event != 'pull_request' }}
     runs-on: ubuntu-latest
 
     steps:
-      - name: Checkout main
+      - name: Checkout the exact commit that passed CI
         uses: actions/checkout@v4
         with:
-          ref: main
+          ref: ${{ github.event.workflow_run.head_sha }}
           fetch-depth: 0
+          persist-credentials: true
           token: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Set up Python
@@ -75,7 +84,11 @@ jobs:
           git add pyproject.toml
           git commit -m "chore: bump version to ${{ steps.bump.outputs.new_version }} [skip ci]"
           git tag "v${{ steps.bump.outputs.new_version }}"
-          git push origin main
+          # Push the bump commit onto main directly. We checked out a
+          # detached HEAD at workflow_run.head_sha, so push HEAD into
+          # refs/heads/main. If main has moved since the CI run, this
+          # rejects as non-fast-forward rather than overwriting history.
+          git push origin "HEAD:refs/heads/main"
           git push origin "v${{ steps.bump.outputs.new_version }}"
 
       - name: Create GitHub Release
diff --git a/je_load_density/utils/metrics/influxdb_sink.py b/je_load_density/utils/metrics/influxdb_sink.py
@@ -50,12 +50,21 @@ def _send_udp(line: str, host: str, port: int) -> None:
         sock.close()
 
 
-_ALLOWED_HTTP_SCHEMES = ("http://", "https://")
+_ALLOWED_URL_SCHEMES = ("http://", "https://")
 
 
-def _send_http(line: str, url: str, token: Optional[str], timeout: float) -> None:
-    if not url.lower().startswith(_ALLOWED_HTTP_SCHEMES):
-        raise ValueError("InfluxDB HTTP URL must use http:// or https://")
+def _post_line_protocol(line: str, url: str, token: Optional[str], timeout: float) -> None:
+    """
+    POST one line-protocol record to a caller-supplied InfluxDB URL.
+
+    HTTPS is recommended for production deployments; plain HTTP is
+    permitted because operators routinely run InfluxDB on a private
+    network or through a TLS-terminating sidecar. The scheme is
+    enforced here so file://, gopher://, and the like cannot reach
+    urlopen even if a misconfigured caller supplies them.
+    """
+    if not url.lower().startswith(_ALLOWED_URL_SCHEMES):
+        raise ValueError("InfluxDB URL must use http:// or https://")
     headers = {"Content-Type": "text/plain; charset=utf-8"}
     if token:
         headers["Authorization"] = f"Token {token}"
@@ -64,7 +73,7 @@ def _send_http(line: str, url: str, token: Optional[str], timeout: float) -> Non
         with urllib_request.urlopen(req, timeout=timeout) as response:  # nosec B310 - scheme validated above
             response.read()
     except urllib_error.URLError as error:
-        load_density_logger.warning(f"InfluxDB HTTP write failed: {error}")
+        load_density_logger.warning(f"InfluxDB write failed: {error}")
 
 
 def start_influxdb_sink(
@@ -90,8 +99,8 @@ def start_influxdb_sink(
     if transport == "http":
         if not url:
             raise ValueError("url required when transport=http")
-        if not url.lower().startswith(_ALLOWED_HTTP_SCHEMES):
-            raise ValueError("InfluxDB HTTP URL must use http:// or https://")
+        if not url.lower().startswith(_ALLOWED_URL_SCHEMES):
+            raise ValueError("InfluxDB URL must use http:// or https://")
 
     with _lock:
         if _state["started"]:
@@ -121,7 +130,7 @@ def _listener(request_type, name, response_time, response_length, exception=None
                 if transport == "udp":
                     _send_udp(line, host, port)
                 else:
-                    _send_http(line, url, token, timeout)
+                    _post_line_protocol(line, url, token, timeout)
             except Exception as error:
                 load_density_logger.debug(f"InfluxDB write failed: {error}")
 
