Fix all open code scanning alerts: weak PRNG, bare asserts, swallowed exceptions

[Copilot]

Six open code scanning alerts (CWE-338, CWE-703) across four files. All fixed with minimal, targeted changes that preserve existing behavior.

Changes

summarizer.py — CWE-338: Cryptographically weak PRNG

• random.randint(1000000, 99999999) → secrets.randbelow(89000000) + 1000000
• random is predictable; secrets uses the OS CSPRNG. Numeric format preserved.

loaders.py · base.py · extractors.py — CWE-703: assert used for runtime checks

• Three assert statements replaced with explicit raise ValueError / raise TypeError
• assert is silently stripped under python -O, making the checks disappear in optimized bytecode

extractors.py — CWE-703: Bare except Exception: pass

• Two silent swallow blocks in ExtractTextAfter and ExtractTextBefore replaced with except Exception as exc: logger.debug(...)
• Resilient-processing behavior is preserved; failures are now visible at debug level

# Before — predictable, not CSPRNG
'input_id': f'{random.randint(1000000, 99999999)}'

# After — cryptographically strong, same numeric format
'input_id': str(secrets.randbelow(89000000) + 1000000)

Original prompt

Fix all currently open GitHub code scanning alerts in repository Clarifai/clarifai-python-datautils and open a pull request with the remediations.

Requirements:

• Enumerate all open code scanning alerts and address each one in code.
• Apply secure coding best practices appropriate to each alert type (e.g., command injection, path traversal, unsafe deserialization, weak cryptography, etc.).
• Prefer minimal, targeted changes that preserve existing behavior while removing the vulnerability.
• Update tests as needed and add new tests for security-sensitive behavior where coverage is missing.
• Ensure linting and test suites pass.
• Include a clear PR description summarizing each alert fixed and the exact remediation.
• If any alert is clearly a false positive, document rationale in the PR and suppress only when justified.

Deliverable:

• A pull request from a new branch to the default branch containing fixes for all open code scanning issues.

The following is the prior conversation context from the user's chat exploration (may be truncated):

User: fix all the code scanning issues

Assistant: I can do that, but I need one clarification first: which repository should I fix?

The URL payload you sent (Clarifai/clarifai-python-datautils/security/code-scanning) looks like a shorthand route, but I need the explicit repo confirmed in owner/repo format before making changes.

If it is this, please confirm:

• Clarifai/clarifai-python-datautils

Also, do you want me to open a PR with all fixes once done?

User: Yes this is the repo and open a PR to fix them

Assistant: I’m waiting on your confirmation in the approval dialog to proceed with creating the PR and applying the code-scanning fixes.

This pull request was created from Copilot chat.

[Copilot]

Pull request overview

This PR addresses GitHub code scanning alerts (CWE-338, CWE-703) by replacing a weak PRNG usage with a CSPRNG and replacing runtime assert checks / swallowed exceptions with explicit exceptions and debug logging.

Changes:

• Replaced random.randint(...) with secrets.randbelow(...) when generating input_id for image summarization.
• Replaced runtime assert statements with explicit ValueError / TypeError raises to ensure checks remain enforced under python -O.
• Replaced except Exception: pass blocks in extractors with logger.debug(...) to avoid silent exception swallowing while preserving resilient behavior.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

File	Description
clarifai_datautils/multimodal/pipeline/summarizer.py	Switches input_id generation from random to secrets for stronger randomness.
clarifai_datautils/multimodal/pipeline/extractors.py	Replaces a runtime assert with ValueError and logs previously swallowed exceptions at debug level.
clarifai_datautils/multimodal/pipeline/base.py	Replaces a runtime assert with a TypeError for invalid files input type.
clarifai_datautils/image/annotation_conversion/loaders.py	Replaces a runtime assert with a ValueError for mismatched bbox/concept counts.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.