Fix syntax errors and remove duplicate content across Python files#41
Conversation
There was a problem hiding this comment.
Hi @Copilot! 👋
Your private repo does not have access to Sourcery.
Please upgrade to continue using Sourcery ✨
- Fixed IndentationError in scripts/validate_datasets.py (missing except block body) - Fixed IndentationError in scripts/repo_automation.py (malformed docstring and misplaced for loop) - Fixed SyntaxError in quantum-ai/production/test_api.py (unterminated docstring, duplicate content, duplicate timeout parameter) - Fixed SyntaxError in quantum-ai/production/banknote_api.py (unterminated docstring, duplicate content) - Fixed IndentationError in AI/microsoft_phi-silica-3.6_v1/scripts/train_lora.py (missing pass statement) - Fixed SyntaxError in AI/microsoft_phi-silica-3.6_v1/python mcp.py (duplicate api_version parameter) - Fixed SyntaxWarnings in quantum-ai/train_custom_dataset.py and azure_foundry_deploy.py (invalid escape sequences) Co-authored-by: Bryan-Roe <74067792+Bryan-Roe@users.noreply.github.com>
There was a problem hiding this comment.
Hi @Bryan-Roe! 👋
Your private repo does not have access to Sourcery.
Please upgrade to continue using Sourcery ✨
| from src.hybrid_qnn import HybridQNN | ||
|
|
||
| app = Flask(__name__) | ||
| CORS(app) # Enable CORS for web clients |
There was a problem hiding this comment.
Risk: Affected versions of Flask-Cors are vulnerable to Improper Access Control. The private network cors header, Access-Control-Allow-Private-Network is always sent with the value true, without any option to configure it. This behavior can potentially expose private network resources to unauthorized external access, leading to significant security risks.
Fix: Upgrade this library to at least version 4.0.2 at Aria/quantum-ai/production/requirements.txt:3.
Reference(s): GHSA-hxwh-jpp2-84pm, CVE-2024-6221
⭐ Removed in commit 51a0ee0 ⭐
| model_path = model_dir / "custom_model.pt" | ||
| if not model_path.exists(): | ||
| raise FileNotFoundError(f"Model not found: {model_path}") | ||
| model.load_state_dict(torch.load(model_path, weights_only=True)) |
There was a problem hiding this comment.
Risk: Affected versions of torch are vulnerable to Deserialization of Untrusted Data. Using torch.load with the weights_only flag does not fully mitigate the risk of deserialization attacks; an attacker who crafts a malicious model file can trigger remote command execution despite the weights_only=True safeguard.
Fix: Upgrade this library to at least version 2.6.0 at Aria/quantum-ai/production/requirements.txt:5.
Reference(s): GHSA-53q9-r3pm-6pq6, CVE-2025-32434
🚀 Removed in commit 51a0ee0 🚀
| # Load metadata | ||
| summary_path = model_dir / "custom_training_summary.json" | ||
| if summary_path.exists(): | ||
| with open(summary_path) as f: |
There was a problem hiding this comment.
Semgrep identified an issue in your code:
Missing 'encoding' parameter. 'open()' uses device locale encodings by default, corrupting files with special characters. Specify the encoding to ensure cross-platform support when opening files in text mode (e.g. encoding="utf-8").
To resolve this comment:
🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by unspecified-open-encoding.
You can view more details about this finding in the Semgrep AppSec Platform.
| scaler_path = model_dir / "custom_scaler.pkl" | ||
| if not scaler_path.exists(): | ||
| raise FileNotFoundError(f"Scaler not found: {scaler_path}") | ||
| scaler = joblib.load(scaler_path) |
There was a problem hiding this comment.
Semgrep identified an issue in your code:
Scikit joblib uses pickle under the hood. Functions reliant on pickle can result in arbitrary code execution. Consider using skops instead.
To resolve this comment:
🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by scikit-joblib-load.
You can view more details about this finding in the Semgrep AppSec Platform.
|
Semgrep found 21
The application was found using To remediate this issue, remove the Example using Semgrep found 11
Possibly found usage of AI tooling: PyTorch Semgrep found 8
There's an HTTP request made with requests, but the raise_for_status() utility method isn't used. This can result in request errors going unnoticed and your code behaving in unexpected ways, such as if your authorization API returns a 500 error while you're only checking for a 401. Semgrep found 2 Missing 'encoding' parameter. 'open()' uses device locale encodings by default, corrupting files with special characters. Specify the encoding to ensure cross-platform support when opening files in text mode (e.g. encoding="utf-8"). Semgrep found 2 The application was found passing in a non-literal value to the To remediate this issue either hardcode the URLs being used in urllib or use the Example using the Semgrep found 97
Semgrep found a match Semgrep found 2 Untrusted user input in Semgrep found 2 Detected a dynamic value being used with urllib. urllib supports 'file://' schemes, so a dynamic value controlled by a malicious actor may allow them to read arbitrary files. Audit uses of urllib calls to ensure user data cannot control the URLs, or consider using the 'requests' library instead. Semgrep found 1 Detected subprocess function 'run' without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'. Semgrep found 4
Found identical comparison using is. Ensure this is what you intended. Semgrep found 2 time.sleep() call; did you mean to leave this in? |
There was a problem hiding this comment.
Pull request overview
This PR addresses critical syntax errors and removes substantial duplicate content (~600 lines) across multiple Python files. The changes fix compilation errors that were preventing the repository's Python files from running properly.
Changes:
- Fixed 4 syntax errors: empty except blocks, malformed docstrings, and misplaced code
- Removed complete file duplications in two production API files
- Converted docstrings with Windows paths to raw strings to eliminate escape sequence warnings
Reviewed changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| scripts/validate_datasets.py | Added error handler to empty except block for JSON decode errors |
| scripts/repo_automation.py | Fixed malformed docstring and relocated misplaced for loop to correct scope |
| quantum-ai/production/test_api.py | Removed 286 lines of duplicate content and fixed duplicate timeout parameter |
| quantum-ai/production/banknote_api.py | Removed 309 lines of duplicate content and improved security comment |
| AI/microsoft_phi-silica-3.6_v1/scripts/train_lora.py | Added missing pass statement in exception handler |
| quantum-ai/train_custom_dataset.py | Changed docstring to raw string for Windows path escapes |
| AI/microsoft_phi-silica-3.6_v1/azure_foundry_deploy.py | Changed docstring to raw string for Windows path escapes |
|
|
||
| # Start server - default to localhost for security | ||
| # Use BANKNOTE_API_HOST environment variable to override if needed | ||
| host = os.environ.get('BANKNOTE_API_HOST', '127.0.0.1') |
There was a problem hiding this comment.
The os module is used on line 305 (os.environ.get('BANKNOTE_API_HOST', '127.0.0.1')) but is not imported. This will cause a NameError at runtime when the main function is executed. Add import os to the imports section at the top of the file.
Repository had multiple syntax errors preventing compilation and ~600 lines of duplicate content in production files.
Fixed Syntax Errors
api_versionparameter (kept 2024-12-01-preview)Removed Duplicate Content
Both
quantum-ai/production/test_api.pyandbanknote_api.pycontained full file duplications starting at EOF:Removed 595 lines of duplicate code, fixed missing opening docstring quotes, and corrected duplicate
timeoutparameters in request calls.Fixed Warnings
Changed docstrings with Windows paths to raw strings to eliminate invalid escape sequence warnings:
All 266 Python files now compile cleanly.
Original prompt
💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.