
PatchWork AutoFix

Status: Open. patched-admin opened this issue 7 months ago • 0 comments

This pull request from patched fixes 6 issues.


  • File changed: patchwork/common/tools/csvkit_tool.py
    Refactor SQL execution to use parameterized queries
    Replaced the SQL query string that was built by string concatenation with a parameterized query to prevent SQL injection vulnerabilities.
  • File changed: patchwork/common/utils/step_typing.py
    Implement whitelist for secure module loading in validate_step_with_inputs
    Introduced a whitelist to ensure only trusted modules are allowed to be imported, preventing arbitrary code execution through dynamic module names.
  • File changed: patchwork/app.py
    Add whitelist for allowed modules in importlib.import_module
    Implemented a whitelist to restrict the modules that can be imported through importlib.import_module, to prevent execution of untrusted code.
  • File changed: patchwork/common/tools/bash_tool.py
    Fix potential command injection vulnerability in BashTool by disabling shell execution
    Replaced shell=True with shell=False in the subprocess.run call in order to prevent command injection vulnerabilities. The command is now split using shlex.split so that its arguments are passed safely to the subprocess call.
  • File changed: patchwork/steps/CallShell/CallShell.py
    Remove shell=True from subprocess.run for security
    The subprocess.run call has been modified to use shell=False. The script command is split into a list using shlex.split so that it can be safely passed as separate arguments to subprocess.run without invoking a shell.
  • File changed: patchwork/common/utils/dependency.py
    Implement whitelist to secure import_module usage
    The code now uses a whitelist of allowed module names taken from __DEPENDENCY_GROUPS. This prevents loading of arbitrary code through untrusted user input.

patched-admin, Apr 11 '25 11:04