
PatchWork AutoFix #1537

Closed

@patched-admin patched-admin (Contributor) commented Mar 20, 2025

This pull request from patched fixes 6 issues.


  • File changed: patchwork/common/tools/csvkit_tool.py
    Use parameterized queries to prevent SQL injection. Modified the code to use parameterized queries instead of formatted SQL queries to prevent SQL injection vulnerabilities.
  • File changed: patchwork/common/utils/step_typing.py
    Implement whitelist for module imports in validate_step_with_inputs. Introduced a whitelist for trusted module paths that can be dynamically imported. This prevents loading arbitrary code by restricting imports to known and trusted modules only.
  • File changed: patchwork/app.py
    Restrict importlib.import_module to a whitelist of trusted modules. Replaced dynamic use of importlib.import_module with a whitelist of allowed modules to prevent loading arbitrary code from untrusted sources.
  • File changed: patchwork/common/tools/bash_tool.py
    Fix subprocess shell=True vulnerability by using shell=False. Changed the subprocess call to use 'shell=False' and split the command string into a list of arguments.
  • File changed: patchwork/steps/CallShell/CallShell.py
    Fix 'subprocess.run' to use 'shell=False' to prevent shell injection vulnerability Modified the subprocess.run call to use shell=False and utilized shlex.split() to parse the script command into a list of arguments, reducing the risk of shell injection attacks.
  • File changed: patchwork/common/utils/dependency.py
    Implement whitelisting for dynamic module import. The code has been modified to use a whitelist of allowed modules, preventing the importation of arbitrary modules via importlib.import_module().

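The three hardening patterns named in the bot's description (a bound SQL parameter instead of a formatted query, an allowlist in front of importlib.import_module, and shlex.split() with shell=False instead of shell=True) side by side with the forms they replace, as an added example. This is not the patchwork project's own code and does not reproduce csvkit_tool.py, CallShell.py or the other files touched: the function names, the SQLite table, the allowlist contents and the constructed command string are assumptions made for illustration.

```python
"""Hardening patterns from the PR description, as an added example.

Not the patchwork project's code: function names, allowlist contents and
sample data are assumptions for illustration.
"""
import importlib
import shlex
import sqlite3
import subprocess
import sys
import types

# 1. SQL: value spliced into the query text versus a bound parameter.

def demo_db() -> sqlite3.Connection:
    # Constructed in-memory table, standing in for a CSV loaded into SQL.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people (name TEXT, city TEXT)")
    conn.executemany("INSERT INTO people VALUES (?, ?)",
                     [("alice", "oslo"), ("bob", "lima")])
    return conn

def rows_by_city_vulnerable(conn: sqlite3.Connection, city: str) -> list:
    # The 'before' form: the caller's string becomes part of the SQL grammar.
    return conn.execute(
        f"SELECT name FROM people WHERE city = '{city}'").fetchall()

def rows_by_city_safe(conn: sqlite3.Connection, city: str) -> list:
    # Bound parameter: the driver hands the value to the engine as data,
    # so quotes and keywords inside it are never parsed as SQL.
    return conn.execute(
        "SELECT name FROM people WHERE city = ?", (city,)).fetchall()

ALLOWED_COLUMNS = frozenset({"name", "city"})  # assumed schema

def rows_ordered_by(conn: sqlite3.Connection, column: str) -> list:
    # Identifiers cannot be bound as parameters, so a caller-chosen column
    # still needs an allowlist check before it is quoted into the query.
    if column not in ALLOWED_COLUMNS:
        raise ValueError(f"column not allowed: {column!r}")
    return conn.execute(
        f'SELECT name FROM people ORDER BY "{column}"').fetchall()

# 2. Dynamic import restricted to an allowlist of full module paths.

ALLOWED_MODULES = frozenset({"json", "csv"})  # assumed allowlist contents

def import_allowed(module_path: str) -> types.ModuleType:
    # Exact match on the dotted path: a prefix or substring check would admit
    # "json.evil" or "jsonx", and importing runs the module's top-level code.
    if module_path not in ALLOWED_MODULES:
        raise ImportError(f"module not in allowlist: {module_path!r}")
    return importlib.import_module(module_path)

# 3. subprocess with shell=True versus shlex.split() and shell=False.

def run_vulnerable(command: str) -> str:
    # Whole string goes to /bin/sh, which interprets ';', '|' and '$(...)'.
    return subprocess.run(command, shell=True, capture_output=True,
                          text=True).stdout

def run_safe(command: str) -> str:
    # Tokenised by shlex and executed directly: metacharacters reach the
    # program as ordinary argument strings instead of being interpreted.
    argv = shlex.split(command)
    return subprocess.run(argv, shell=False, capture_output=True,
                          text=True).stdout

# Constructed command with an injected trailing command; it runs the current
# interpreter so the example does not depend on other tools being installed.
INJECTED_COMMAND = f"{shlex.quote(sys.executable)} -c 'print(1)'; echo injected"

if __name__ == "__main__":
    conn = demo_db()
    payload = "' OR '1'='1"
    print("formatted SQL:    ", rows_by_city_vulnerable(conn, payload))
    print("parameterized SQL:", rows_by_city_safe(conn, payload))
    print("shell=True:       ", repr(run_vulnerable(INJECTED_COMMAND)))
    print("shell=False:      ", repr(run_safe(INJECTED_COMMAND)))
```

Two caveats a reviewer of this kind of autofix would raise. First, shlex.split() with shell=False changes semantics, not just safety: pipes, redirections, globs and variable expansion stop working, so a step whose job is to run a shell script loses them, and untrusted text can still land in an argument position where the program interprets it as a flag (the first token also chooses which program runs). Second, an import allowlist only helps if it is checked before importlib.import_module is called and compares the full dotted path exactly; the same goes for SQL identifiers, which cannot be bound as parameters and need their own allowlist.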
Base automatically changed from fix-gemini-new-model-token-counting to main March 20, 2025 13:50
@CTY-git CTY-git closed this Mar 25, 2025
@CTY-git CTY-git deleted the autofix-fix-gemini-new-model-token-counting branch March 25, 2025 01:51