From 89db6d2899dc5bc761d1d6bfbcc02728849e7b67 Mon Sep 17 00:00:00 2001
From: Klaas van Schelven
Date: Wed, 30 Jul 2025 14:00:39 +0200
Subject: [PATCH] Configure bandit for 'spoils' usage

i.e. B380: No os.path.join misuse. See https://github.com/bugsink/spoils

rather than think-carefully-and-explain-with-nosec, just switch to safe_join: this saves future readers the pain of validating whether all assumptions are (still) correct at a (small) performance cost.

See #175
---
 .github/workflows/ci.yml | 4 ++--
 bugsink/settings/development.py | 3 ++-
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 3422dbd..c33992d 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -51,9 +51,9 @@ jobs:
         with:
           python-version: 3.12
 
-      - name: Install Bandit
+      - name: Install Bandit and Plugins
         run: |
-          pip install bandit
+          pip install bandit spoils
 
       - name: Run Bandit and format results
         shell: bash
diff --git a/bugsink/settings/development.py b/bugsink/settings/development.py
index 504b2e3..31ea1c9 100644
--- a/bugsink/settings/development.py
+++ b/bugsink/settings/development.py
@@ -3,6 +3,7 @@ from .default import BASE_DIR, LOGGING, DATABASES, I_AM_RUNNING
 
 import os
 
+from django.utils._os import safe_join
 from sentry_sdk_extensions.transport import MoreLoudlyFailingTransport
 
 from bugsink.utils import deduce_allowed_hosts, eat_your_own_dogfood
@@ -112,7 +113,7 @@ if not I_AM_RUNNING == "TEST":
         "local_flat_files": {
             "STORAGE": "events.storage.FileEventStorage",
             "OPTIONS": {
-                "basepath": os.path.join(BASE_DIR, "filestorage"),
+                "basepath": safe_join(BASE_DIR, "filestorage"),
             },
             "USE_FOR_WRITE": True,
         },
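Review bot: `pip install bandit spoils` in the ci.yml hunk installs whatever versions PyPI serves at run time, so both the linter and its newly added plugin can change under the job without any commit to this repository, and a compromised or broken release would run in CI unnoticed. Pin both packages, e.g. `pip install 'bandit==<pinned version>' 'spoils==<pinned version>'` (placeholders), or install them from a requirements file with hashes if the project already pins its other dependencies that way. The "Run Bandit and format results" step that consumes the result continues outside the hunk.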
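Review bot: The added import in the first development.py hunk pulls `safe_join` from `django.utils._os`, a leading-underscore module that Django does not treat as public API, so it may move or change signature without a deprecation cycle; a one-line comment on the import, `# NOTE: private Django API (django.utils._os); re-check on Django upgrades`, would tell the next reader why this is tolerated, or the call could go through a small project-owned wrapper. In the second hunk the joined component is the literal `"filestorage"`, so the traversal check can never fail there; the only observable difference from `os.path.join` is that `safe_join` returns an `os.path.abspath`-normalised `str`, which is harmless when `BASE_DIR` is absolute (as Django's startproject template makes it) but would silently resolve a relative `BASE_DIR` against the working directory at import time, which is worth a comment at the call site. The dict literal under `if not I_AM_RUNNING == "TEST":` continues outside that hunk.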