PatchWork AutoFix #1640
Open: wants to merge 10 commits into main
Conversation

patched-admin (Contributor) commented Apr 16, 2025

This pull request from patched fixes 6 issues.

  • File changed: patchwork/common/tools/csvkit_tool.py
    Fix SQL Injection vulnerability by using parameterized queries
    Replaced formatted SQL query with parameterized query to prevent SQL Injection. argparse is used for input and sqlalchemy for executing parameterized queries.
  • File changed: patchwork/common/utils/step_typing.py
    Added module whitelist to secure dynamic imports in validate_step_with_inputs
    Introduced a whitelist of allowed module paths to ensure that only trusted modules are dynamically imported with importlib.import_module().
  • File changed: patchwork/app.py
    Restrict dynamic imports to whitelisted modules to prevent code injection vulnerabilities
    Introduced a whitelist of valid modules to restrict dynamic imports. The importlib.import_module() function now checks against this list to prevent loading arbitrary modules, mitigating the risk of executing untrusted code.
  • File changed: patchwork/common/tools/bash_tool.py
    Remove shell=True from subprocess.run for security
    Modified subprocess.run call to use shell=False to prevent command injection through shell interpretation.
  • File changed: patchwork/steps/CallShell/CallShell.py
    Fix subprocess shell=True vulnerability in CallShell step
    Changed subprocess.run to use shell=False and split the script into arguments using shlex.split to avoid shell injection vulnerabilities.
  • File changed: patchwork/common/utils/dependency.py
    Implement whitelist for secure import using importlib.import_module().
    Introduced a whitelist to ensure only trusted, predefined modules from the __DEPENDENCY_GROUPS can be imported, preventing arbitrary code execution by validating input against a controlled list.
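Two of the patterns the PR body describes, an allow-list in front of importlib.import_module() and a subprocess call that uses shell=False with shlex.split, are shown together below. This is an added example written for this page, not code from the patchwork project or from the PR's diff; the module allow-list, the helper names (secure_import, run_without_shell, demo_probe) and the probe command are constructed for illustration, and the check that accompanies it only confirms that shell metacharacters in an argument reach the child process as a literal string rather than being interpreted.

```python
"""Added example: allow-listed dynamic import and shell-free subprocess execution.

Constructed for illustration; not the patchwork project's own code.
"""
import importlib
import shlex
import subprocess
import sys
from types import ModuleType

# Constructed allow-list. A real one would enumerate the project's own step and
# tool modules; anything not listed here is refused before import_module runs.
ALLOWED_MODULES = frozenset({"json", "base64", "hashlib"})


def secure_import(module_path: str) -> ModuleType:
    """Import module_path only if it appears in ALLOWED_MODULES (hypothetical helper).

    Membership is checked on the exact string, so "os", "json.decoder" or a
    path with a trailing newline are all rejected rather than normalised.
    """
    if module_path not in ALLOWED_MODULES:
        raise ImportError(f"refusing to import {module_path!r}: not in allow-list")
    return importlib.import_module(module_path)


def run_without_shell(script: str) -> subprocess.CompletedProcess:
    """Run a command line without a shell (hypothetical helper).

    The vulnerable form the PR replaces is subprocess.run(script, shell=True),
    where ';', '&&', '|' and backticks inside script are interpreted by /bin/sh.
    Here shlex.split turns the string into an argv list and shell=False hands
    that list straight to the program, so those characters are plain bytes.
    """
    argv = shlex.split(script)
    if not argv:
        raise ValueError("empty command")
    return subprocess.run(argv, shell=False, capture_output=True, text=True, check=False)


def demo_probe() -> str:
    """Constructed command line: the interpreter prints its argv, so the output
    shows exactly what the child received for the argument containing ';'."""
    return (
        f'{shlex.quote(sys.executable)} -c "import sys; print(sys.argv[1:])" '
        '"hello; echo injected"'
    )


def probe_argument_received() -> str:
    """Return the child's stdout for demo_probe(); expected: ['hello; echo injected']."""
    return run_without_shell(demo_probe()).stdout.strip()


if __name__ == "__main__":
    print("allowed import:", secure_import("json").__name__)
    try:
        secure_import("os")
    except ImportError as exc:
        print("blocked import:", exc)
    print("tokens:", shlex.split(demo_probe()))
    print("child saw:", probe_argument_received())
```

The import check deliberately compares the exact string against a frozenset rather than using a prefix match; a prefix rule such as "starts with patchwork." would still let a caller reach any module under that package, which is broader than the fixed list the PR describes. For the subprocess side, note that shlex.split only protects against interpretation of metacharacters; it does not validate which program is named in the first token, so a caller that accepts the whole command line from an untrusted source still needs an allow-list on argv[0].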

@github-actions github-actions bot force-pushed the autofix-add-git-tool branch from 583c7dd to f9a836f Compare April 16, 2025 05:41
@github-actions github-actions bot force-pushed the autofix-add-git-tool branch from f9a836f to 68c8603 Compare April 16, 2025 05:56
Base automatically changed from add-git-tool to main April 16, 2025 05:57

3 participants