Fixes bandit failures

Auto-formatters moves "# nosec" markers in assertions

Author: pcrespov

services/web/server/src/simcore_service_webserver/application_config.py

@@ -9,12 +9,12 @@
 
     The app configuration is created before the application instance exists.
 
-
-TODO: add more strict checks with re
-TODO: add support for versioning.
-    - check shema fits version
-    - parse/format version in schema
 """
+# TODO: add more strict checks with re
+# TODO: add support for versioning.
+#    - check shema fits version
+#    - parse/format version in schema
+
 import logging
 from pathlib import Path
 from typing import Dict
@@ -101,9 +101,9 @@ def create_schema() -> T.Dict:
 
     section_names = [k.name for k in schema.keys]
 
-    assert len(section_names) == len(set(section_names)), (
-        "Found repeated section names in %s" % section_names
-    )  # nosec
+    # fmt: off
+    assert len(section_names) == len(set(section_names)), f"Found repeated section names in {section_names}"  # nosec
+    # fmt: on
 
     return schema
 
@@ -113,4 +113,4 @@ def load_default_config(environs=None) -> Dict:
     return read_and_validate(filepath, trafaret=app_schema, vars=environs)
 
 
-app_schema = create_schema()  # TODO: rename as schema
+app_schema = create_schema()

services/web/server/src/simcore_service_webserver/diagnostics_monitoring.py

@@ -45,9 +45,9 @@ async def _middleware_handler(request: web.Request, handler):
             resp = await handler(request)
             log_exception = None
 
-            assert isinstance(
-                resp, web.StreamResponse
-            ), "Forgot envelope middleware?"  # nsec
+            # fmt: off
+            assert isinstance(resp, web.StreamResponse), "Forgot envelope middleware?"  # nsec
+            # fmt: om
 
         except web.HTTPServerError as exc:
             # Transforms exception into response object and log exception

services/web/server/src/simcore_service_webserver/login/sql.py

@@ -1,5 +1,7 @@
 from logging import getLogger
 
+# FIXME: Possible SQL injection vector through string-based query construction.
+
 log = getLogger(__name__)
 LOG_TPL = "%s <--%s"
 
@@ -20,7 +22,7 @@ def find_one_sql(table, filter_, fields=None):
     keys, values = _split_dict(filter_)
     fields = ", ".join(fields) if fields else "*"
     where = _pairs(keys)
-    sql = "SELECT {} FROM {} WHERE {}".format(fields, table, where)
+    sql = "SELECT {} FROM {} WHERE {}".format(fields, table, where)  # nosec
     return sql, values
 
 
@@ -42,7 +44,7 @@ def insert_sql(table, data, returning="id"):
     ('INSERT INTO tbl (foo, id) VALUES ($1, $2) RETURNING pk', ['bar', 1])
     """
     keys, values = _split_dict(data)
-    sql = "INSERT INTO {} ({}) VALUES ({}){}".format(
+    sql = "INSERT INTO {} ({}) VALUES ({}){}".format( # nosec
         table,
         ", ".join(keys),
         ", ".join(_placeholders(data)),
@@ -66,7 +68,7 @@ def update_sql(table, filter_, updates):
     up_keys, up_vals = _split_dict(updates)
     changes = _pairs(up_keys, sep=", ")
     where = _pairs(where_keys, start=len(up_keys) + 1)
-    sql = "UPDATE {} SET {} WHERE {}".format(table, changes, where)
+    sql = "UPDATE {} SET {} WHERE {}".format(table, changes, where)  # nosec
     return sql, up_vals + where_vals
 
 
@@ -83,7 +85,7 @@ def delete_sql(table, filter_):
     """
     keys, values = _split_dict(filter_)
     where = _pairs(keys)
-    sql = "DELETE FROM {} WHERE {}".format(table, where)
+    sql = "DELETE FROM {} WHERE {}".format(table, where)  # nosec
     return sql, values