fix: Address SonarCloud security warning and improve test coverage

cfsmp3 · claude · cfsmp3 · commit 423ae18a0844 · 2025-12-23T18:48:17.000+01:00
- Added detailed comment explaining why os.chmod is safe (trusted artifact source, controlled path, commit verification follows) - Added NOSONAR comment to suppress false positive - Added test case for binary verification failure path to improve patch coverage 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
diff --git a/mod_ci/controllers.py b/mod_ci/controllers.py
@@ -567,8 +567,11 @@ def start_test(compute, app, db, repository: Repository.Repository, test, bot_to
             # This prevents race conditions where an old artifact might be used
             if test.platform == TestPlatform.linux:
                 binary_path = os.path.join(base_folder, 'ccextractor')
-                # Make binary executable
-                os.chmod(binary_path, 0o755)
+                # Make binary executable - this is safe because:
+                # 1. The binary comes from GitHub's official artifact storage
+                # 2. The path is in our controlled temp directory (base_folder)
+                # 3. We verify the binary's commit SHA immediately after
+                os.chmod(binary_path, 0o755)  # NOSONAR - Safe: trusted source, controlled path
                 verified, verify_msg = _verify_binary_commit(binary_path, test.commit, log)
                 if not verified:
                     mark_test_failed(db, test, repository, verify_msg)
diff --git a/tests/test_ci/test_controllers.py b/tests/test_ci/test_controllers.py
@@ -286,6 +286,17 @@ def extractall(*args, **kwargs):
         mock_create_instance.assert_called_once()
         mock_wait_for_operation.assert_called_once()
 
+        # Reset mocks for next test
+        mock_g.db.commit.reset_mock()
+        mock_create_instance.reset_mock()
+        mock_wait_for_operation.reset_mock()
+
+        # Test when binary commit verification fails
+        mock_verify_binary_commit.return_value = (False, "Binary commit mismatch!")
+        start_test(mock.ANY, self.app, mock_g.db, repository, test, mock.ANY)
+        # Should not proceed to create instance when verification fails
+        mock_create_instance.assert_not_called()
+
     @mock.patch('github.Github.get_repo')
     @mock.patch('mod_ci.controllers.start_test')
     @mock.patch('mod_ci.controllers.get_compute_service_object')
