AI Fix Prompts for Geodata

Copy any prompt below into Claude, ChatGPT, or your AI coding assistant to automatically fix the issue. Each prompt includes full context, code location, and step-by-step fix instructions.

13 total prompts: 9 Critical (P0), 4 High (P1), 0 Medium (P2), 0 Low (P3)
CRITICAL ⚡ quick-fix #1

Remove hard-coded sast: [sast:aljefra/sql-injection-percent] SQL Injection via % String Formatting

Tags: security, credentials, sast
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify: geodata/database/Database.py
Prompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'iandorsey00__geodata'.

**Issue**: Hard-coded sast found ([sast:aljefra/sql-injection-percent] SQL Injection via % String Formatting)
**File**: geodata/database/Database.py
**Line**: 67
**Severity**: CRITICAL

**Current code around the issue:**
```
      62 |             table_name, ', '.join(columns), question_mark_substr), rows)
      63 | 
      64 |     def debug_output_table(self, table_name):
      65 |         '''Print debug information for a table'''
      66 |         print('%s table:' % table_name, '\n')
>>>   67 |         for row in self.c.execute('SELECT * FROM %s LIMIT 5' % table_name):
      68 |             print(row)
      69 |         print()
      70 | 
      71 |     def debug_output_list(self, list_name):
      72 |         '''Print debug information for a list'''
```

**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('SAST_KEY')` (Python) or `process.env.SAST_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated

**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
All rows scored by the Repobility analyzer (https://repobility.com)
CRITICAL ⚡ quick-fix #2

Remove hard-coded sast: [sast:aljefra/deser-pickle] Insecure Deserialization via pickle

Tags: security, credentials, sast
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify: geodata/repository/pickle_repository.py
Prompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'iandorsey00__geodata'.

**Issue**: Hard-coded sast found ([sast:aljefra/deser-pickle] Insecure Deserialization via pickle)
**File**: geodata/repository/pickle_repository.py
**Line**: 26
**Severity**: CRITICAL

**Current code around the issue:**
```
      21 |             pickle.dump(data_products, f, protocol=pickle.HIGHEST_PROTOCOL)
      22 | 
      23 |     def load_data_products(self):
      24 |         try:
      25 |             with self.path.open('rb') as f:
>>>   26 |                 return pickle.load(f)
      27 |         except FileNotFoundError:
      28 |             raise RuntimeError(f'data product file not found: {self.path}')
      29 |         except EOFError:
      30 |             raise RuntimeError(f'data product file is empty: {self.path}')
      31 |         except pickle.UnpicklingError:
```

**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('SAST_KEY')` (Python) or `process.env.SAST_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated

**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
CRITICAL ⚡ quick-fix #3

Remove hard-coded sast: [sast:aljefra/deser-pickle] Insecure Deserialization via pickle

Tags: security, credentials, sast
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify: geodata/repository/sqlite_repository.py
Prompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'iandorsey00__geodata'.

**Issue**: Hard-coded sast found ([sast:aljefra/deser-pickle] Insecure Deserialization via pickle)
**File**: geodata/repository/sqlite_repository.py
**Line**: 280
**Severity**: CRITICAL

**Current code around the issue:**
```
     275 | 
     276 |         if row is None:
     277 |             raise RuntimeError(f'no data products found in sqlite file: {self.path}')
     278 | 
     279 |         try:
>>>  280 |             return pickle.loads(row[0])
     281 |         except pickle.UnpicklingError:
     282 |             raise RuntimeError(
     283 |                 f'data product payload is corrupted or incompatible: {self.path}'
     284 |             )
     285 |         except Exception as e:
```

**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('SAST_KEY')` (Python) or `process.env.SAST_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated

**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
CRITICAL ⚡ quick-fix #4

Remove hard-coded sast: [sast:aljefra/deser-pickle] Insecure Deserialization via pickle

Tags: security, credentials, sast
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify: geodata/repository/sqlite_repository.py
Prompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'iandorsey00__geodata'.

**Issue**: Hard-coded sast found ([sast:aljefra/deser-pickle] Insecure Deserialization via pickle)
**File**: geodata/repository/sqlite_repository.py
**Line**: 311
**Severity**: CRITICAL

**Current code around the issue:**
```
     306 |             conn.close()
     307 | 
     308 |         if row is None:
     309 |             return None
     310 | 
>>>  311 |         return pickle.loads(row[0])
     312 | 
     313 |     def search_demographic_profiles(self, query, n):
     314 |         if n <= 0:
     315 |             return []
     316 | 
```

**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('SAST_KEY')` (Python) or `process.env.SAST_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated

**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
CRITICAL ⚡ quick-fix #5

Remove hard-coded sast: [sast:aljefra/deser-pickle] Insecure Deserialization via pickle

Tags: security, credentials, sast
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify: geodata/repository/sqlite_repository.py
Prompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'iandorsey00__geodata'.

**Issue**: Hard-coded sast found ([sast:aljefra/deser-pickle] Insecure Deserialization via pickle)
**File**: geodata/repository/sqlite_repository.py
**Line**: 344
**Severity**: CRITICAL

**Current code around the issue:**
```
     339 |             raise RuntimeError(f'unexpected sqlite error while searching profiles: {e!r}')
     340 |         finally:
     341 |             conn.close()
     342 | 
     343 |         best = heapq.nlargest(n, rows, key=lambda row: fuzz.token_set_ratio(query, row[0]))
>>>  344 |         return [pickle.loads(row[1]) for row in best]
     345 | 
     346 |     def get_coordinates(self, display_label):
     347 |         conn = self._connect()
     348 |         try:
     349 |             row = conn.execute(
```

**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('SAST_KEY')` (Python) or `process.env.SAST_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated

**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
CRITICAL ⚡ quick-fix #6

Remove hard-coded sast: [sast:aljefra/cmdi-exec-eval] Code Injection via exec()/eval()

Tags: security, credentials, sast
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify: old-2016-files/Place/__init__.py
Prompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'iandorsey00__geodata'.

**Issue**: Hard-coded sast found ([sast:aljefra/cmdi-exec-eval] Code Injection via exec()/eval())
**File**: old-2016-files/Place/__init__.py
**Line**: 79
**Severity**: CRITICAL

**Current code around the issue:**
```
      74 | #########################################################################################
      75 | # Places
      76 | 
      77 | class Places(list):
      78 | 	def column(self, column_name_str):
>>>   79 | 		return [eval('i.' + column_name_str) for i in self]
      80 | 		
      81 | 	def column_notstr(self, column_name_str):
      82 | 		return [eval('i.' + column_name_str) for i in self\
      83 | 		if not isinstance(eval('i.' + column_name_str), str)]
      84 | 	
```

**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('SAST_KEY')` (Python) or `process.env.SAST_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated

**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
CRITICAL ⚡ quick-fix #7

Remove hard-coded sast: [sast:aljefra/cmdi-exec-eval] Code Injection via exec()/eval()

Tags: security, credentials, sast
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify: old-2016-files/Place/__init__.py
Prompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'iandorsey00__geodata'.

**Issue**: Hard-coded sast found ([sast:aljefra/cmdi-exec-eval] Code Injection via exec()/eval())
**File**: old-2016-files/Place/__init__.py
**Line**: 82
**Severity**: CRITICAL

**Current code around the issue:**
```
      77 | class Places(list):
      78 | 	def column(self, column_name_str):
      79 | 		return [eval('i.' + column_name_str) for i in self]
      80 | 		
      81 | 	def column_notstr(self, column_name_str):
>>>   82 | 		return [eval('i.' + column_name_str) for i in self\
      83 | 		if not isinstance(eval('i.' + column_name_str), str)]
      84 | 	
      85 | 	def attr(self, attribute_str, value):
      86 | 		return [i for i in self if eval(attribute_str) == value]
      87 | 		
```

**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('SAST_KEY')` (Python) or `process.env.SAST_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated

**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
CRITICAL ⚡ quick-fix #8

Remove hard-coded sast: [sast:aljefra/cmdi-exec-eval] Code Injection via exec()/eval()

Tags: security, credentials, sast
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify: old-2016-files/Place/__init__.py
Prompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'iandorsey00__geodata'.

**Issue**: Hard-coded sast found ([sast:aljefra/cmdi-exec-eval] Code Injection via exec()/eval())
**File**: old-2016-files/Place/__init__.py
**Line**: 83
**Severity**: CRITICAL

**Current code around the issue:**
```
      78 | 	def column(self, column_name_str):
      79 | 		return [eval('i.' + column_name_str) for i in self]
      80 | 		
      81 | 	def column_notstr(self, column_name_str):
      82 | 		return [eval('i.' + column_name_str) for i in self\
>>>   83 | 		if not isinstance(eval('i.' + column_name_str), str)]
      84 | 	
      85 | 	def attr(self, attribute_str, value):
      86 | 		return [i for i in self if eval(attribute_str) == value]
      87 | 		
      88 | 	def search(self, keyword_str):
```

**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('SAST_KEY')` (Python) or `process.env.SAST_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated

**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
CRITICAL ⚡ quick-fix #9

Remove hard-coded sast: [sast:aljefra/cmdi-exec-eval] Code Injection via exec()/eval()

Tags: security, credentials, sast
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify: old-2016-files/Place/__init__.py
Prompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'iandorsey00__geodata'.

**Issue**: Hard-coded sast found ([sast:aljefra/cmdi-exec-eval] Code Injection via exec()/eval())
**File**: old-2016-files/Place/__init__.py
**Line**: 356
**Severity**: CRITICAL

**Current code around the issue:**
```
     351 | 	
     352 | 	for inPlace in inPlaceList:
     353 | 		_in = dict()
     354 | 		
     355 | 		for field in inPlace._fields:
>>>  356 | 			_in[field] = eval('inPlace.' + field)
     357 | 			
     358 | 		proceed = True
     359 | 		
     360 | 		if type == 'PlaceVectorFull':
     361 | 			if _in['ucr_pop'] == '' or _in['vr_total'] == '':
```

**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('SAST_KEY')` (Python) or `process.env.SAST_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated

**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
Repobility · severity-and-effort ranking · https://repobility.com
HIGH ⚒ significant #10

Address OWASP A02 compliance gap

Tags: security, compliance, owasp
Expected outcome: OWASP A02 compliance issues resolved
Files to modify: Will be determined by the AI
Prompt (copy this into your AI assistant)
Address OWASP A02 (Cryptographic Failures) compliance gap in 'iandorsey00__geodata'.

**OWASP Category**: A02 -- Cryptographic Failures
**Fix guidance**: Remove hardcoded secrets, use strong encryption (AES-256-GCM), enforce TLS, never store passwords in plaintext (use bcrypt/argon2).

**Steps:**
1. Identify all code paths related to cryptographic failures
2. Apply the fixes described above
3. Add automated tests to verify the fix
4. Document any security assumptions in code comments
HIGH ⚙ moderate #11

Fix quality gate failures (3 conditions)

Tags: quality-gate, quality
Expected outcome: All quality gate conditions pass
Files to modify: Will be determined by the AI
Prompt (copy this into your AI assistant)
Repository 'iandorsey00__geodata' is failing the quality gate.

Failed conditions:
- overall_score: actual 0.0, required >= 50 (FAILED)
- security_score: actual 0.0, required >= 40 (FAILED)
- critical_credentials: actual 9.0, required <= 0 (FAILED)

Fix each failing condition to make the repo pass the quality gate.
HIGH ⚒ significant #12

Resolve 10 open issues

Tags: issues, bugs
Expected outcome: All listed issues resolved
Files to modify: old-2016-files/Place/__init__.py, geodata/repository/pickle_repository.py, geodata/database/Database.py, geodata/repository/sqlite_repository.py
Prompt (copy this into your AI assistant)
Repository 'iandorsey00__geodata' has 10 open issues:

- [CRITICAL] Hard-coded sast: [sast:aljefra/cmdi-exec-eval] Code Injection via exec()/eval() (old-2016-files/Place/__init__.py)
- [CRITICAL] Hard-coded sast: [sast:aljefra/deser-pickle] Insecure Deserialization via pickle (geodata/repository/pickle_repository.py)
- [CRITICAL] Hard-coded sast: [sast:aljefra/sql-injection-percent] SQL Injection via % String Formatting (geodata/database/Database.py)
- [CRITICAL] Hard-coded sast: [sast:aljefra/deser-pickle] Insecure Deserialization via pickle (geodata/repository/sqlite_repository.py)
- [CRITICAL] Hard-coded sast: [sast:aljefra/deser-pickle] Insecure Deserialization via pickle (geodata/repository/sqlite_repository.py)
- [CRITICAL] Hard-coded sast: [sast:aljefra/deser-pickle] Insecure Deserialization via pickle (geodata/repository/sqlite_repository.py)
- [CRITICAL] Hard-coded sast: [sast:aljefra/cmdi-exec-eval] Code Injection via exec()/eval() (old-2016-files/Place/__init__.py)
- [CRITICAL] Hard-coded sast: [sast:aljefra/cmdi-exec-eval] Code Injection via exec()/eval() (old-2016-files/Place/__init__.py)
- [CRITICAL] Hard-coded sast: [sast:aljefra/cmdi-exec-eval] Code Injection via exec()/eval() (old-2016-files/Place/__init__.py)
- [MEDIUM] Hard-coded sast: [sast:aljefra/crypto-weak-hash] Weak Hash Algorithm (MD5/SHA1) (geodata/repository/sqlite_repository.py)

Resolve each issue. For security issues, apply the appropriate fix. For quality issues, refactor the affected code.
HIGH ⚙ moderate #13

Fix 10 SAST/security code findings

Tags: sast, security, code-fix
Expected outcome: All SAST findings resolved
Files to modify: geodata/repository/sqlite_repository.py, old-2016-files/Place/__init__.py, geodata/database/Database.py, geodata/repository/pickle_repository.py
Prompt (copy this into your AI assistant)
Static analysis found 10 security issues in 'iandorsey00__geodata':

- [CRITICAL] [sast:aljefra/cmdi-exec-eval] Code Injection via exec()/eval() at old-2016-files/Place/__init__.py:356
- [CRITICAL] [sast:aljefra/deser-pickle] Insecure Deserialization via pickle at geodata/repository/pickle_repository.py:26
- [CRITICAL] [sast:aljefra/sql-injection-percent] SQL Injection via % String Formatting at geodata/database/Database.py:67
- [CRITICAL] [sast:aljefra/deser-pickle] Insecure Deserialization via pickle at geodata/repository/sqlite_repository.py:280
- [CRITICAL] [sast:aljefra/deser-pickle] Insecure Deserialization via pickle at geodata/repository/sqlite_repository.py:311
- [CRITICAL] [sast:aljefra/deser-pickle] Insecure Deserialization via pickle at geodata/repository/sqlite_repository.py:344
- [CRITICAL] [sast:aljefra/cmdi-exec-eval] Code Injection via exec()/eval() at old-2016-files/Place/__init__.py:79
- [CRITICAL] [sast:aljefra/cmdi-exec-eval] Code Injection via exec()/eval() at old-2016-files/Place/__init__.py:82
- [CRITICAL] [sast:aljefra/cmdi-exec-eval] Code Injection via exec()/eval() at old-2016-files/Place/__init__.py:83
- [MEDIUM] [sast:aljefra/crypto-weak-hash] Weak Hash Algorithm (MD5/SHA1) at geodata/repository/sqlite_repository.py:71

For each finding:
- SQL injection: use parameterized queries
- Command injection: use subprocess with list args, no shell=True
- Path traversal: validate and sanitize paths
- Insecure deserialization: use json instead of pickle
- IaC misconfigs: apply the suggested fix from the rule