MNT: Add and review security checks

Author: effigies

pyproject.toml

@@ -145,11 +145,16 @@ extend-select = [
   "A",
   "I",
   "UP",
+  "YTT",
+  "S",
   "B",
 ]
 
 [tool.ruff.flake8-quotes]
 inline-quotes = "single"
 
+[tool.ruff.extend-per-file-ignores]
+"*/test_*.py" = ["S101"]
+
 [tool.ruff.format]
 quote-style = "single"

smriprep/cli/run.py

@@ -482,7 +482,7 @@ def build_workflow(opts, retval):
 
     # Load base plugin_settings from file if --use-plugin
     if opts.use_plugin is not None:
-        from yaml import load as loadyml
+        from yaml import safe_load as loadyml
 
         with open(opts.use_plugin) as f:
             plugin_settings = loadyml(f)
@@ -651,7 +651,7 @@ def build_workflow(opts, retval):
         str(log_dir / 'CITATION.html'),
     ]
     try:
-        check_call(cmd, timeout=10)
+        check_call(cmd, timeout=10)  # noqa: S603
     except (FileNotFoundError, CalledProcessError, TimeoutExpired):
         logger.warning('Could not generate CITATION.html file:\n%s', ' '.join(cmd))
 
@@ -667,7 +667,7 @@ def build_workflow(opts, retval):
         str(log_dir / 'CITATION.tex'),
     ]
     try:
-        check_call(cmd, timeout=10)
+        check_call(cmd, timeout=10)  # noqa: S603
     except (FileNotFoundError, CalledProcessError, TimeoutExpired):
         logger.warning('Could not generate CITATION.tex file:\n%s', ' '.join(cmd))
     else:

smriprep/workflows/surfaces.py

@@ -1611,7 +1611,8 @@ def _extract_fs_fields(filenames: str | list[str]) -> tuple[str, str]:
     paths = [Path(fn) for fn in filenames]
     sub_dir = paths[0].parent.parent
     subjects_dir, subject_id = sub_dir.parent, sub_dir.name
-    assert all(path == subjects_dir / subject_id / 'surf' / path.name for path in paths)
+    if not all(path.parent.parent == sub_dir for path in paths):
+        raise ValueError(f'Expected surface files from one subject.\nReceived: {filenames}')
     return str(subjects_dir), subject_id