From 97bf9558202fb326756eefc68befb33aba72ec5e Mon Sep 17 00:00:00 2001
From: Username <user@mymx.me>
Date: Sun, 18 Jan 2026 10:04:27 +0100
Subject: [PATCH] tests: fix ruff lint errors in security tests

---
 tests/security/cli_security_audit.py | 18 +++++++++---------
 tests/security/dos_memory_test.py    |  2 +-
 tests/security/headers_audit.py      |  2 +-
 tests/security/pentest_session.py    | 14 ++++++--------
 tests/security/profiled_server.py    |  4 ++--
 5 files changed, 19 insertions(+), 21 deletions(-)

diff --git a/tests/security/cli_security_audit.py b/tests/security/cli_security_audit.py
index 384374b..d405b92 100644
--- a/tests/security/cli_security_audit.py
+++ b/tests/security/cli_security_audit.py
@@ -10,7 +10,7 @@ from pathlib import Path
 # Load fpaste as a module by exec
 fpaste_path = Path("/home/user/git/flaskpaste/fpaste")
 fpaste_globals = {"__name__": "fpaste", "__file__": str(fpaste_path)}
-exec(compile(fpaste_path.read_text(), fpaste_path, "exec"), fpaste_globals)
+exec(compile(fpaste_path.read_text(), fpaste_path, "exec"), fpaste_globals)  # noqa: S102
 
 # Import from loaded module
 TRUSTED_CLIPBOARD_DIRS = fpaste_globals["TRUSTED_CLIPBOARD_DIRS"]
@@ -39,10 +39,10 @@ def test_trusted_path_validation():
 
     # Test untrusted paths
     untrusted_tests = [
-        ("/tmp/xclip", False, "tmp directory"),
+        ("/tmp/xclip", False, "tmp directory"),  # noqa: S108
         ("/home/user/bin/xclip", False, "user bin"),
         ("./xclip", False, "current directory"),
-        ("/var/tmp/malicious", False, "var tmp"),
+        ("/var/tmp/malicious", False, "var tmp"),  # noqa: S108
         ("/home/attacker/.local/bin/xclip", False, "user local"),
     ]
 
@@ -64,7 +64,7 @@ def test_path_injection():
     print("=" * 50)
 
     # Create a malicious "xclip" in /tmp
-    malicious_path = Path("/tmp/xclip")
+    malicious_path = Path("/tmp/xclip")  # noqa: S108
     try:
         malicious_path.write_text("#!/bin/sh\necho 'PWNED' > /tmp/pwned\n")
         malicious_path.chmod(0o755)
@@ -73,7 +73,7 @@ def test_path_injection():
         original_path = os.environ.get("PATH", "")
 
         # Prepend /tmp to PATH (attacker-controlled)
-        os.environ["PATH"] = f"/tmp:{original_path}"
+        os.environ["PATH"] = f"/tmp:{original_path}"  # noqa: S108
 
         # Try to find clipboard command
         cmd = find_clipboard_command(CLIPBOARD_READ_COMMANDS)
@@ -86,7 +86,7 @@ def test_path_injection():
             return True
 
         # Check if it's using the malicious path
-        if cmd[0] == str(malicious_path) or cmd[0] == "/tmp/xclip":
+        if cmd[0] == str(malicious_path) or cmd[0] == "/tmp/xclip":  # noqa: S108
             print("  FAIL: Malicious /tmp/xclip was selected!")
             print(f"       Command: {cmd}")
             return False
@@ -125,9 +125,9 @@ def test_subprocess_safety():
     # Check subprocess.run uses list
     run_calls = re.findall(r"subprocess\.run\(([^)]+)\)", content)
     for call in run_calls:
-        if not call.strip().startswith("[") and not call.strip().startswith("cmd"):
-            if "cmd" not in call:  # Allow variable names like 'cmd'
-                issues.append(f"Possible string command in subprocess.run: {call[:50]}")
+        stripped = call.strip()
+        if not stripped.startswith("[") and not stripped.startswith("cmd") and "cmd" not in call:
+            issues.append(f"Possible string command in subprocess.run: {call[:50]}")
 
     if issues:
         for issue in issues:
diff --git a/tests/security/dos_memory_test.py b/tests/security/dos_memory_test.py
index f144a19..bf27e25 100644
--- a/tests/security/dos_memory_test.py
+++ b/tests/security/dos_memory_test.py
@@ -31,7 +31,7 @@ def test_antiflood_memory():
         max_entries = app.config.get("ANTIFLOOD_MAX_ENTRIES", 10000)
         print(f"  Max entries config: {max_entries}")
 
-        for i in range(20000):
+        for _ in range(20000):
             record_antiflood_request()
 
         list_size = len(_antiflood_requests)
diff --git a/tests/security/headers_audit.py b/tests/security/headers_audit.py
index 0a2dc4b..ba5f191 100644
--- a/tests/security/headers_audit.py
+++ b/tests/security/headers_audit.py
@@ -47,7 +47,7 @@ def run_audit():
 
     results = {"passed": 0, "failed": 0, "warnings": 0}
 
-    for endpoint, method, expected_status in TEST_ENDPOINTS:
+    for endpoint, method, _expected_status in TEST_ENDPOINTS:
         print(f"\n[{method} {endpoint}]")
         print("-" * 40)
 
diff --git a/tests/security/pentest_session.py b/tests/security/pentest_session.py
index 5ee8a2c..5c03b29 100644
--- a/tests/security/pentest_session.py
+++ b/tests/security/pentest_session.py
@@ -16,9 +16,9 @@ BASE_URL = "http://127.0.0.1:5099"
 def request(url, method="GET", data=None, headers=None):
     """Make HTTP request."""
     headers = headers or {}
-    req = urllib.request.Request(url, data=data, headers=headers, method=method)
+    req = urllib.request.Request(url, data=data, headers=headers, method=method)  # noqa: S310
     try:
-        with urllib.request.urlopen(req, timeout=30) as resp:
+        with urllib.request.urlopen(req, timeout=30) as resp:  # noqa: S310
             return resp.status, resp.read(), dict(resp.headers)
     except urllib.error.HTTPError as e:
         return e.code, e.read(), dict(e.headers)
@@ -86,7 +86,7 @@ def run_tests():
     print("\n[Phase 1] Reconnaissance")
     print("-" * 40)
 
-    status, body, headers = request(f"{BASE_URL}/")
+    status, body, _ = request(f"{BASE_URL}/")
     log_test("GET / returns API info", status == 200)
 
     status, body, _ = request(f"{BASE_URL}/health")
@@ -225,7 +225,7 @@ def run_tests():
         status, body, _ = request(f"{BASE_URL}/", "POST", payload.encode(), pow_headers)
         if status == 201:
             data = json.loads(body)
-            status2, content, _ = request(f"{BASE_URL}/{data['id']}/raw")
+            _, content, _ = request(f"{BASE_URL}/{data['id']}/raw")
             log_test("SSTI payload stored safely", b"49" not in content)
             paste_ids.append(data["id"])
             pow_headers = get_pow_headers()
@@ -233,7 +233,7 @@ def run_tests():
     # XSS in content
     xss_payload = b"<script>alert('xss')</script>"
     pow_headers = get_pow_headers()
-    status, body, headers = request(f"{BASE_URL}/", "POST", xss_payload, pow_headers)
+    status, body, _ = request(f"{BASE_URL}/", "POST", xss_payload, pow_headers)
     if status == 201:
         data = json.loads(body)
         status, content, resp_headers = request(f"{BASE_URL}/{data['id']}/raw")
@@ -261,11 +261,9 @@ def run_tests():
     print("-" * 40)
 
     # Make many rapid requests
-    hit_limit = False
-    for i in range(100):
+    for _ in range(100):
         status, _, _ = request(f"{BASE_URL}/health")
         if status == 429:
-            hit_limit = True
             break
     log_test("Rate limiting active on reads", True)  # May or may not hit
 
diff --git a/tests/security/profiled_server.py b/tests/security/profiled_server.py
index 3e6ae38..65cc25f 100644
--- a/tests/security/profiled_server.py
+++ b/tests/security/profiled_server.py
@@ -14,8 +14,8 @@ from app import create_app
 
 # Global profiler
 profiler = cProfile.Profile()
-profile_output = "/tmp/flaskpaste_profile.prof"
-stats_output = "/tmp/flaskpaste_profile_stats.txt"
+profile_output = "/tmp/flaskpaste_profile.prof"  # noqa: S108
+stats_output = "/tmp/flaskpaste_profile_stats.txt"  # noqa: S108
 
 
 def save_profile():