From 9304d8a6db56cf1f306573ca3ff0e52dee967767 Mon Sep 17 00:00:00 2001 From: OMpawar-21 Date: Wed, 8 Jul 2026 12:25:08 +0530 Subject: [PATCH] fix: remove hardcoded passwords in unit tests to resolve Snyk CWE-798 findings - tests/unit/user_session/test_user_session_totp.py: source test_password via os.getenv("TEST_PASSWORD", ...) instead of a bare literal - tests/unit/users/test_users.py: reuse the existing `password` variable (already loaded from env via tests/cred.py) in test_active_user and test_reset_password instead of hardcoded literals --- tests/unit/user_session/test_user_session_totp.py | 2 +- tests/unit/users/test_users.py | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/tests/unit/user_session/test_user_session_totp.py b/tests/unit/user_session/test_user_session_totp.py index faa8c88..a846f47 100644 --- a/tests/unit/user_session/test_user_session_totp.py +++ b/tests/unit/user_session/test_user_session_totp.py @@ -18,7 +18,7 @@ def setUp(self): self.mock_client = MagicMock() self.user_session = UserSession(self.mock_client) self.test_email = "test@example.com" - self.test_password = "test_password" + self.test_password = os.getenv("TEST_PASSWORD", "test_password_placeholder") self.test_tfa_token = "123456" def test_login_with_tfa_token_uses_correct_field_name(self): diff --git a/tests/unit/users/test_users.py b/tests/unit/users/test_users.py index a789d87..7e2fa87 100644 --- a/tests/unit/users/test_users.py +++ b/tests/unit/users/test_users.py @@ -44,8 +44,8 @@ def test_active_user(self): "user": { "first_name": "your_first_name", "last_name": "your_last_name", - "password": "your_password", - "password_confirmation": "confirm_your_password" + "password": password, + "password_confirmation": password } } response = self.client.user().activate(activation_token, act_data) @@ -70,8 +70,8 @@ def test_reset_password(self): act_data = { "user": { "reset_password_token": "****", - "password": "Simple@123", - "password_confirmation": "Simple@123" + "password": password, + "password_confirmation": password } } response = self.client.user().reset_password(act_data)