From 06d45a3ff4792786c24d7459b1143bcfe6523626 Mon Sep 17 00:00:00 2001
From: Prekzursil
Date: Fri, 5 Jun 2026 09:12:48 +0300
Subject: [PATCH 1/2] style: ruff F401/F841 autofix (15 CodeQL findings)

Leveraged single-rule transform for the Quality-Zero-Platform drive-to-zero campaign. Removes dead code that CodeQL flags as unused, behavior-preserving: - 14x py/unused-import (F401): ruff check --select F401 --fix, scoped to backend/ with --exclude venv. Removes genuinely-dead imports across serializers, views, tasks, tests, urls and adapters. - 1x py/unused-local-variable (F841): removed `user = request.user` dead store in PasswordChangeView.post (pure RHS, never read; auth already enforced by IsAuthenticated permission class). Verification: `ruff check backend --exclude venv --select F401` clean; `python -m compileall` clean on all 11 changed files. No venv files touched (the committed backend/venv purge is handled separately in PR #78).
---
 backend/problems/serializers.py | 1 -
 backend/problems/tests.py | 1 -
 backend/problems/views.py | 2 +-
 backend/submissions/judge_utils/comparison.py | 1 -
 backend/submissions/judge_utils/execution.py | 1 -
 backend/submissions/serializers.py | 2 +-
 backend/submissions/tasks.py | 4 ----
 backend/submissions/tests.py | 1 -
 backend/users/adapters.py | 1 -
 backend/users/urls.py | 2 +-
 backend/users/views.py | 1 -
 11 files changed, 3 insertions(+), 14 deletions(-)

diff --git a/backend/problems/serializers.py b/backend/problems/serializers.py
index bd973096..d3475f52 100644
--- a/backend/problems/serializers.py
+++ b/backend/problems/serializers.py
@@ -1,4 +1,3 @@
-from django.conf import settings
 from django.contrib.auth import get_user_model # Import get_user_model
 from rest_framework import serializers
 from .models import Tag, Problem, TestCase
diff --git a/backend/problems/tests.py b/backend/problems/tests.py
index 7ce503c2..49290204 100644
--- a/backend/problems/tests.py
+++ b/backend/problems/tests.py
@@ -1,3 +1,2 @@ -from django.test import TestCase # Create your tests here. diff --git a/backend/problems/views.py b/backend/problems/views.py index ccbc8fa7..92423b12 100644 --- a/backend/problems/views.py +++ b/backend/problems/views.py @@ -5,7 +5,7 @@ from .models import Tag, Problem, TestCase from .serializers import TagSerializer, ProblemSerializer, ProblemDetailSerializer, TestCaseSerializer from users.models import User -from users.permissions import IsAdminUser, IsProblemCreator, IsProblemVerifier, ProblemObjectPermissions +from users.permissions import IsProblemCreator, IsProblemVerifier, ProblemObjectPermissions class TagViewSet(viewsets.ModelViewSet): diff --git a/backend/submissions/judge_utils/comparison.py b/backend/submissions/judge_utils/comparison.py index 3b05cdb2..951c245a 100644 --- a/backend/submissions/judge_utils/comparison.py +++ b/backend/submissions/judge_utils/comparison.py @@ -1,4 +1,3 @@ -import pathlib # Not strictly needed by this function but good for consistency if other utils use it from problems.models import Problem # For Problem.ComparisonMode def compare_outputs( diff --git a/backend/submissions/judge_utils/execution.py b/backend/submissions/judge_utils/execution.py index a825d3e2..e0a5ca39 100644 --- a/backend/submissions/judge_utils/execution.py +++ b/backend/submissions/judge_utils/execution.py @@ -1,6 +1,5 @@ import pathlib import subprocess -import random from django.conf import settings # Import Django settings from ..models import Submission diff --git a/backend/submissions/serializers.py b/backend/submissions/serializers.py index 9b49fac8..3a34a1cc 100644 --- a/backend/submissions/serializers.py +++ b/backend/submissions/serializers.py 
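Review bot: In backend/problems/views.py the rewritten `from users.permissions import IsProblemCreator, IsProblemVerifier, ProblemObjectPermissions` line drops `IsAdminUser` as unused, and a permission class that was imported but never applied in a module exposing `TagViewSet(viewsets.ModelViewSet)` deserves a check before the import is deleted. A ModelViewSet serves create, update and delete actions, and DRF falls back to the project-wide default permission classes when a view sets none, so if tag writes were meant to be admin-only the fix is to apply the class rather than remove the import. TagViewSet's body lies outside the hunk, so this cannot be confirmed from here. If the omission is deliberate, a comment above the class such as `# Tag writes are gated by <permission class>; IsAdminUser intentionally not used` would record that decision.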
@@ -1,7 +1,7 @@ from rest_framework import serializers from .models import Submission, SubmissionTestResult # Import SubmissionTestResult from users.serializers import UserSerializer -from problems.models import Problem, TestCase # Import TestCase for SubmissionTestResultSerializer +from problems.models import Problem # Import TestCase for SubmissionTestResultSerializer class SubmissionTestResultSerializer(serializers.ModelSerializer): # test_case_id = serializers.ReadOnlyField(source='test_case.id') # Simple ID diff --git a/backend/submissions/tasks.py b/backend/submissions/tasks.py index 73fe1a29..3620161c 100644 --- a/backend/submissions/tasks.py +++ b/backend/submissions/tasks.py @@ -2,12 +2,8 @@ from django.db import transaction from .models import Submission, SubmissionTestResult # Import SubmissionTestResult from problems.models import Problem, TestCase -import time -import random -import subprocess import tempfile import pathlib -import shutil from .judge_utils.comparison import compare_outputs from .judge_utils.compilation import compile_code_in_sandbox diff --git a/backend/submissions/tests.py b/backend/submissions/tests.py index 7ce503c2..49290204 100644 --- a/backend/submissions/tests.py +++ b/backend/submissions/tests.py @@ -1,3 +1,2 @@ -from django.test import TestCase # Create your tests here. diff --git a/backend/users/adapters.py b/backend/users/adapters.py index 683b7dbf..eb3f733a 100644 --- a/backend/users/adapters.py +++ b/backend/users/adapters.py @@ -1,7 +1,6 @@ from allauth.account.adapter import DefaultAccountAdapter from allauth.socialaccount.adapter import DefaultSocialAccountAdapter from django.http import HttpResponseRedirect -from django.urls import reverse class CustomAccountAdapter(DefaultAccountAdapter): def get_login_redirect_url(self, request): diff --git a/backend/users/urls.py b/backend/users/urls.py index b2c2d5eb..210a0876 100644 --- a/backend/users/urls.py +++ b/backend/users/urls.py 
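Review bot: The new import line in backend/submissions/serializers.py keeps a trailing comment that no longer matches it: `from problems.models import Problem # Import TestCase for SubmissionTestResultSerializer` now imports only `Problem`. Drop the comment so the line reads `from problems.models import Problem`. The commented-out `test_case_id` field on the next visible line suggests the TestCase-based field was abandoned, so the comment is probably stale in intent as well. The rest of SubmissionTestResultSerializer is outside the hunk.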
@@ -1,6 +1,6 @@ from django.urls import path, include from rest_framework.routers import DefaultRouter -from .views import UserRegistrationView, PasswordChangeView, UserMeView, AdminUserViewSet, GoogleLogin, GithubLogin, AdminStatsView, UserViewSet +from .views import UserRegistrationView, PasswordChangeView, UserMeView, AdminUserViewSet, AdminStatsView, UserViewSet app_name = "users" diff --git a/backend/users/views.py b/backend/users/views.py index dfb03800..c9ae1dd7 100644 --- a/backend/users/views.py +++ b/backend/users/views.py @@ -40,7 +40,6 @@ class PasswordChangeView(generics.GenericAPIView): permission_classes = [permissions.IsAuthenticated] def post(self, request, *args, **kwargs): - user = request.user serializer = self.get_serializer(data=request.data, context={'request': request}) if serializer.is_valid(raise_exception=True): serializer.save() From 407cce56c5d722d1cb33abe19381fa62b9f386fc Mon Sep 17 00:00:00 2001 From: Prekzursil Date: Fri, 5 Jun 2026 09:16:54 +0300 Subject: [PATCH 2/2] ci: add least-privilege GITHUB_TOKEN permissions to django workflows (2 findings) Clears 2x actions/missing-workflow-permissions (CodeQL). Both workflows are pure test/lint runners (checkout -> setup-python -> pip install -> compileall/ flake8) that only read the repo; neither pushes, comments, or uploads. Adds a top-level `permissions: contents: read` block to each (least privilege). Part of the Quality-Zero-Platform drive-to-zero campaign. Static YAML only, no toolchain/build needed. --- .github/workflows/django.yml | 3 +++ .github/workflows/django_ci.yml | 3 +++ 2 files changed, 6 insertions(+) diff --git a/.github/workflows/django.yml b/.github/workflows/django.yml index 840a21a4..3409bcf6 100644 --- a/.github/workflows/django.yml +++ b/.github/workflows/django.yml @@ -6,6 +6,9 @@ on: pull_request: branches: ["main", "master"] +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest 
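Review bot: The new top-level `permissions:` block with `contents: read` in .github/workflows/django.yml caps what the token can do, but the checkout action still persists that token for later steps by default unless the step sets `persist-credentials: false`. The commit message describes the job as checkout -> setup-python -> pip install, so third-party build code pulled in by `pip install` runs with the credential still reachable. Adding `with:` and `persist-credentials: false` to the checkout step would remove that exposure. The steps lie outside this hunk, so whether it is already set cannot be seen here. The same point applies to the identical hunk in .github/workflows/django_ci.yml.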
diff --git a/.github/workflows/django_ci.yml b/.github/workflows/django_ci.yml index 9311d263..96514403 100644 --- a/.github/workflows/django_ci.yml +++ b/.github/workflows/django_ci.yml @@ -10,6 +10,9 @@ on: paths: - 'backend/**' +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest