Conversation

@patched-admin patched-admin commented Apr 11, 2025

This pull request from patched fixes 6 issues.

  • File changed: patchwork/common/tools/csvkit_tool.py
    Use parameterized queries to prevent SQL injection in execute method.
    Modified SQL query construction to use parameterized query with sqlite3 to prevent possible SQL injection vulnerability.
  • File changed: patchwork/common/utils/step_typing.py
    Add whitelist for module import to prevent untrusted code execution.
    The code has been updated to use a whitelist of allowed modules when importing using importlib.import_module(). This prevents untrusted code from being executed by ensuring only modules in the whitelist can be imported.
  • File changed: patchwork/app.py
    Add input validation with whitelist for importlib.import_module to prevent arbitrary code execution.
    A whitelist is introduced to validate the module paths before using importlib.import_module(). Only whitelisted module names are allowed to be dynamically imported, preventing unauthorized and potentially harmful code execution.
  • File changed: patchwork/common/tools/bash_tool.py
    Set 'shell=False' in subprocess call for security.
    Modified the subprocess.run call to use 'shell=False' for increased security, and adjusted to pass the command as a list rather than a string to avoid shell injection vulnerabilities.
  • File changed: patchwork/steps/CallShell/CallShell.py
    Remove use of shell=True in subprocess.run.
    Replaced the usage of subprocess.run with shell=True to use shell=False and shlex.split to safely parse the command string into a sequence of commands.
  • File changed: patchwork/common/utils/dependency.py
    Fix untrusted input vulnerability in import_module by using a whitelist approach.
    The code now introduces a whitelist of allowed modules from predefined dependency groups to safely use in importlib.import_module().

@github-actions github-actions bot force-pushed the autofix-fix/find-text-tool branch from 42853bd to 831c865 Compare April 11, 2025 09:13
Base automatically changed from fix/find-text-tool to main April 11, 2025 09:18
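The three hardening patterns the PR description lists (bound sqlite3 parameters, an allowlist in front of importlib.import_module(), and shell=False with shlex.split), shown together as an added example that is not the project's own code; the allowlist contents and the `users` table are constructed for illustration.

```python
import importlib
import shlex
import sqlite3
import subprocess

# Constructed allowlist for this example; the module names the PR actually
# permits are not shown on this page.
ALLOWED_MODULES = frozenset({"json", "csv", "pathlib"})


def import_allowlisted(name: str):
    """Import a module only if its name is on the fixed allowlist.

    importlib.import_module() on unchecked input loads whatever is importable;
    checking against a closed set first bounds what can be loaded.
    """
    if name not in ALLOWED_MODULES:
        raise ValueError(f"module {name!r} is not allowlisted")
    return importlib.import_module(name)


def run_command(cmd: str) -> str:
    """Run a command string with shell=False and return its stdout.

    shlex.split() turns the string into an argv list, so shell metacharacters
    inside arguments are passed to the program literally, not interpreted.
    """
    argv = shlex.split(cmd)
    proc = subprocess.run(argv, shell=False, capture_output=True, text=True, check=True)
    return proc.stdout


def lookup_ids(conn: sqlite3.Connection, name: str) -> list:
    """Query with a bound parameter: `name` is always data, never SQL text."""
    cur = conn.execute("SELECT id FROM users WHERE name = ?", (name,))
    return [row[0] for row in cur.fetchall()]


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory table with sample rows for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn
```

A quote or semicolon in `name` or `cmd` reaches sqlite3 or the child process as a plain character; `run_command("echo hello; echo world")` prints `hello; echo world` rather than running two commands.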