security: fix bandit security warnings

tianjixuetu · tianjixuetu · commit 6076b6dc2d2e · 2026-04-05T17:33:56.000+08:00
- B324: Add usedforsecurity=False to MD5 hash in ctp/client.py
- B506: Use yaml.safe_load instead of yaml.load in functions/utils.py
- B108: Add # nosec comments for intentional temp directory defaults
- B104: Add # nosec comments for intentional bind to all interfaces (prometheus)
- B301: Add # nosec comment for pickle usage in ml_base.py (trusted model files)
diff --git a/bt_api_py/ctp/client.py b/bt_api_py/ctp/client.py
@@ -85,7 +85,7 @@ def get_ctp_runtime_source() -> str:
 
 def _flow_dir(prefix):
     """Create a temp directory for CTP flow files."""
-    h = hashlib.md5(prefix.encode("utf-8")).hexdigest()
+    h = hashlib.md5(prefix.encode("utf-8"), usedforsecurity=False).hexdigest()
     path = os.path.join(tempfile.gettempdir(), "ctp_client", h) + os.sep
     os.makedirs(path, exist_ok=True)
     return path
diff --git a/bt_api_py/functions/utils.py b/bt_api_py/functions/utils.py
@@ -115,7 +115,7 @@ def read_yaml_file(file_name: str, data_root: str | Path | None = None) -> Any:
     """Read a YAML file from the package ``configs`` directory."""
     file_path = _resolve_config_root(data_root) / "configs" / file_name
     with file_path.open(encoding="utf-8") as file:
-        return yaml.load(file, Loader=yaml.FullLoader)
+        return yaml.safe_load(file)
 
 
 def read_account_config() -> dict[str, Any]:
diff --git a/bt_api_py/gateway/order_ref_allocator.py b/bt_api_py/gateway/order_ref_allocator.py
@@ -45,7 +45,7 @@ class OrderRefAllocator:
     def __init__(
         self,
         account_id: str,
-        state_dir: str | Path = "/tmp/bt_gateway_state",
+        state_dir: str | Path = "/tmp/bt_gateway_state",  # nosec B108 # intentional default
         initial_value: int = 0,
     ) -> None:
         self._account_id = account_id
diff --git a/bt_api_py/gateway/process.py b/bt_api_py/gateway/process.py
@@ -52,7 +52,7 @@ class GatewayProcess:
 
     def __init__(self, config: dict[str, Any], *, pid_dir: str | None = None) -> None:
         self._config = dict(config)
-        self._pid_dir = Path(pid_dir or config.get("gateway_base_dir", "/tmp/bt_gateway"))
+        self._pid_dir = Path(pid_dir or config.get("gateway_base_dir", "/tmp/bt_gateway"))  # nosec B108
         self._runtime = None
         self._stopped = False
 
diff --git a/bt_api_py/gateway/runtime.py b/bt_api_py/gateway/runtime.py
@@ -65,7 +65,7 @@ def __init__(self, config: GatewayConfig, **kwargs: Any) -> None:
                 "state_dir",
                 config.gateway_base_dir
                 if hasattr(config, "gateway_base_dir")
-                else "/tmp/bt_gateway_state",
+                else "/tmp/bt_gateway_state",  # nosec B108
             )
             self.order_ref_allocator = OrderRefAllocator(config.account_id, state_dir=state_dir)
 
@@ -75,7 +75,7 @@ def __init__(self, config: GatewayConfig, **kwargs: Any) -> None:
             from bt_api_py.gateway.storage.tick_writer import TickWriter as _TW  # noqa: N814
 
             self.tick_writer = _TW(
-                base_dir=tick_writer_cfg.get("base_dir", "/tmp/bt_ticks"),
+                base_dir=tick_writer_cfg.get("base_dir", "/tmp/bt_ticks"),  # nosec B108
                 exchange=config.exchange_type,
                 asset_type=config.asset_type,
                 flush_count=tick_writer_cfg.get("flush_count", 1000),
diff --git a/bt_api_py/monitoring/config.py b/bt_api_py/monitoring/config.py
@@ -23,7 +23,7 @@ class MonitoringConfig:
     metrics_collection_interval: float = 5.0
 
     # Prometheus exporter
-    prometheus_host: str = "0.0.0.0"
+    prometheus_host: str = "0.0.0.0"  # nosec B104 # intentional for prometheus exporter
     prometheus_port: int = 8080
     prometheus_async: bool = False
 
@@ -56,7 +56,7 @@ def __init__(self, **kwargs: object) -> None:
         """Initialize config from kwargs with defaults from class attributes."""
         for key, default in {
             "metrics_collection_interval": 5.0,
-            "prometheus_host": "0.0.0.0",
+            "prometheus_host": "0.0.0.0",  # nosec B104
             "prometheus_port": 8080,
             "prometheus_async": False,
             "log_level": "INFO",
@@ -163,7 +163,7 @@ async def cleanup_monitoring() -> None:
 # Production configuration
 PRODUCTION_CONFIG = MonitoringConfig(
     metrics_collection_interval=5.0,
-    prometheus_host="0.0.0.0",
+    prometheus_host="0.0.0.0",  # nosec B104
     prometheus_port=8080,
     log_level="INFO",
     log_file="logs/bt_api_py.log",
@@ -190,6 +190,6 @@ async def cleanup_monitoring() -> None:
     prometheus_host="127.0.0.1",
     prometheus_port=9091,
     log_level="DEBUG",
-    log_file="/tmp/bt_api_py_test.log",
+    log_file="/tmp/bt_api_py_test.log",  # nosec B108
     elk_enabled=False,
 )
diff --git a/bt_api_py/monitoring/prometheus.py b/bt_api_py/monitoring/prometheus.py
@@ -189,7 +189,7 @@ class PrometheusExporter:
 
     def __init__(
         self,
-        host: str = "0.0.0.0",
+        host: str = "0.0.0.0",  # nosec B104 # intentional for prometheus exporter
         port: int = 8080,
         registry: MetricRegistry | None = None,
     ) -> None:
@@ -261,7 +261,7 @@ def get_url(self) -> str:
 
 
 def start_prometheus_exporter(
-    host: str = "0.0.0.0",
+    host: str = "0.0.0.0",  # nosec B104 # intentional for prometheus exporter
     port: int = 8080,
     async_mode: bool = False,
 ) -> PrometheusExporter:
diff --git a/bt_api_py/risk_management/ml_models/ml_base.py b/bt_api_py/risk_management/ml_models/ml_base.py
@@ -180,7 +180,7 @@ def load_model(self, file_path: str) -> bool:
         """
         try:
             with Path(file_path).open("rb") as f:
-                model_data = pickle.load(f)
+                model_data = pickle.load(f)  # nosec B301 # trusted model files only
 
             self.model = model_data.get("model")
             self.model_name = model_data.get("model_name", self.model_name)
