security: harden error handling, token exposure, URL ingest, and deps

mdavistffhrtporg · mdavistffhrtporg · commit de99b9c4d523 · 2026-03-01T04:37:03.000-06:00
diff --git a/backend/app/chunking.py b/backend/app/chunking.py
@@ -14,7 +14,8 @@ def normalize(text: str) -> str:
     text = text.replace("\u00a0", " ")
     text = text.replace("\r\n", "\n").replace("\r", "\n")
     text = re.sub(r"[ \t]+", " ", text)
-    text = re.sub(r"[ \t]+\n", "\n", text)
+    # Trim trailing horizontal whitespace per line without regex backtracking risk.
+    text = "\n".join(line.rstrip(" \t") for line in text.split("\n"))
     text = re.sub(r"\n{3,}", "\n\n", text)
     return text.strip()
 
diff --git a/backend/app/ingest.py b/backend/app/ingest.py
@@ -168,6 +168,10 @@ def _validate_remote_url_sync(url: str) -> None:
         raise RuntimeError("Only http/https URLs are allowed.")
     if not parsed.hostname:
         raise RuntimeError("URL must include a hostname.")
+    if parsed.username or parsed.password:
+        raise RuntimeError("URLs with embedded credentials are not allowed.")
+    if parsed.port and parsed.port not in (80, 443):
+        raise RuntimeError("Only standard ports 80/443 are allowed for URL ingest.")
     if _is_blocked_host_label(parsed.hostname):
         raise RuntimeError("Local hostnames are blocked for URL ingest.")
 
@@ -373,6 +377,7 @@ async def _download_html_with_diagnostics(url: str) -> Tuple[str, Dict[str, Any]
 
     async with httpx.AsyncClient(follow_redirects=False, timeout=URL_TIMEOUT) as client:
         while True:
+            current_host = (urlparse(current_url).hostname or "").strip().lower().rstrip(".")
             if current_url in seen_urls:
                 raise RuntimeError("Redirect loop detected.")
             seen_urls.add(current_url)
@@ -399,7 +404,11 @@ async def _download_html_with_diagnostics(url: str) -> Tuple[str, Dict[str, Any]
             if _is_redirect_status(response.status_code):
                 if redirects >= MAX_URL_REDIRECTS:
                     raise RuntimeError(f"Too many redirects (>{MAX_URL_REDIRECTS}).")
-                current_url = _resolve_redirect_url(str(response.url), response.headers.get("location", ""))
+                next_url = _resolve_redirect_url(str(response.url), response.headers.get("location", ""))
+                next_host = (urlparse(next_url).hostname or "").strip().lower().rstrip(".")
+                if next_host != current_host:
+                    raise RuntimeError("Cross-host redirects are blocked for URL ingest.")
+                current_url = next_url
                 redirects += 1
                 diagnostics["redirect_count"] = redirects
                 diagnostics["final_url"] = current_url
diff --git a/backend/flashcard_store.py b/backend/flashcard_store.py
@@ -6,6 +6,7 @@
 import secrets
 import threading
 from datetime import datetime, timedelta, timezone
+from pathlib import Path
 from typing import Any, Dict, List, Optional
 
 from app.atomic_io import atomic_write_json, path_lock
@@ -20,9 +21,19 @@ def _safe_owner(owner: str) -> str:
     return owner[:128]
 
 
+def _resolve_under_base(base_dir: str, name: str) -> str:
+    base = Path(base_dir).resolve()
+    candidate = (base / name).resolve()
+    try:
+        candidate.relative_to(base)
+    except ValueError as e:
+        raise ValueError("path_outside_base_dir") from e
+    return str(candidate)
+
+
 def _path(owner: str, base_dir: str = DEFAULT_DIR) -> str:
     os.makedirs(base_dir, exist_ok=True)
-    return os.path.join(base_dir, f"{_safe_owner(owner)}.json")
+    return _resolve_under_base(base_dir, f"{_safe_owner(owner)}.json")
 
 
 def _now_dt() -> datetime:
diff --git a/backend/mcp_server.py b/backend/mcp_server.py
@@ -191,11 +191,12 @@ async def sift_generate(
             out = await anyio.to_thread.run_sync(lambda: generate_with_claude(prompt, model=model or "claude-3-5-sonnet-latest"))
         else:
             out = await anyio.to_thread.run_sync(lambda: generate_with_openai(prompt, model=model or "gpt-4.1-mini"))
-    except Exception as e:
+    except Exception:
         logger.exception("mcp_sift_generate_failed owner=%s provider=%s", owner, provider)
         return {
             "ok": False,
-            "error": str(e),
+            "error": "generation_failed",
+            "message": "Generation failed for the selected provider.",
             "hint": "If you're using Codex, call `search` and let Codex generate the final response.",
             "sources": res["results"],
         }
diff --git a/backend/quiz_store.py b/backend/quiz_store.py
@@ -5,6 +5,7 @@
 import re
 import secrets
 import threading
+from pathlib import Path
 from typing import Any, Dict, List
 
 from app.atomic_io import atomic_write_json, path_lock
@@ -19,9 +20,19 @@ def _safe_owner(owner: str) -> str:
     return owner[:128]
 
 
+def _resolve_under_base(base_dir: str, name: str) -> str:
+    base = Path(base_dir).resolve()
+    candidate = (base / name).resolve()
+    try:
+        candidate.relative_to(base)
+    except ValueError as e:
+        raise ValueError("path_outside_base_dir") from e
+    return str(candidate)
+
+
 def _path(owner: str, base_dir: str = DEFAULT_DIR) -> str:
     os.makedirs(base_dir, exist_ok=True)
-    return os.path.join(base_dir, f"{_safe_owner(owner)}.json")
+    return _resolve_under_base(base_dir, f"{_safe_owner(owner)}.json")
 
 
 def load_attempts(owner: str, base_dir: str = DEFAULT_DIR) -> List[Dict[str, Any]]:
diff --git a/backend/requirements.txt b/backend/requirements.txt
@@ -2,19 +2,19 @@ fastapi==0.115.8
 uvicorn[standard]==0.30.6
 pydantic>=2.10.1
 pydantic-settings>=2.6.1
-python-multipart==0.0.9
+python-multipart==0.0.22
 
 openai==1.61.0
 
 chromadb==0.5.5
 
 beautifulsoup4==4.12.3
 httpx==0.27.0
-pypdf==4.3.1
+pypdf==6.7.3
 tiktoken==0.12.0
-mcp==1.2.0
+mcp==1.23.0
 anthropic==0.45.2
-jinja2==3.1.4
+jinja2==3.1.6
 pillow>=10.4.0
 pytesseract>=0.3.10
 pdf2image>=1.17.0
diff --git a/backend/session_store.py b/backend/session_store.py
@@ -4,6 +4,7 @@
 import os
 import re
 import threading
+from pathlib import Path
 from typing import Any, Dict, List
 
 from app.atomic_io import atomic_write_json, path_lock
@@ -18,9 +19,19 @@ def _safe_owner(owner: str) -> str:
     return owner[:128]
 
 
+def _resolve_under_base(base_dir: str, name: str) -> str:
+    base = Path(base_dir).resolve()
+    candidate = (base / name).resolve()
+    try:
+        candidate.relative_to(base)
+    except ValueError as e:
+        raise ValueError("path_outside_base_dir") from e
+    return str(candidate)
+
+
 def session_path(owner: str, base_dir: str = DEFAULT_DIR) -> str:
     os.makedirs(base_dir, exist_ok=True)
-    return os.path.join(base_dir, f"{_safe_owner(owner)}.json")
+    return _resolve_under_base(base_dir, f"{_safe_owner(owner)}.json")
 
 
 def load_session(owner: str, base_dir: str = DEFAULT_DIR) -> List[Dict[str, Any]]:
diff --git a/backend/source_store.py b/backend/source_store.py
@@ -5,6 +5,7 @@
 import secrets
 import threading
 from glob import glob
+from pathlib import Path
 from typing import Any, Dict, List, Optional
 
 from app.atomic_io import atomic_write_json, path_lock
@@ -19,13 +20,23 @@ def _safe_owner(owner: str) -> str:
     return owner[:128]
 
 
+def _resolve_under_base(base_dir: str, *parts: str) -> str:
+    base = Path(base_dir).resolve()
+    candidate = (base.joinpath(*parts)).resolve()
+    try:
+        candidate.relative_to(base)
+    except ValueError as e:
+        raise ValueError("path_outside_base_dir") from e
+    return str(candidate)
+
+
 def _owner_manifest_path(owner: str, base_dir: str = DEFAULT_DIR) -> str:
     os.makedirs(base_dir, exist_ok=True)
-    return os.path.join(base_dir, f"{_safe_owner(owner)}.json")
+    return _resolve_under_base(base_dir, f"{_safe_owner(owner)}.json")
 
 
 def _owner_files_dir(owner: str, base_dir: str = DEFAULT_DIR) -> str:
-    path = os.path.join(base_dir, "_files", _safe_owner(owner))
+    path = _resolve_under_base(base_dir, "_files", _safe_owner(owner))
     os.makedirs(path, exist_ok=True)
     return path
 
@@ -185,7 +196,8 @@ def batch_mutate_items(
 
 def write_text_blob(owner: str, source_id: str, text: str, base_dir: str = DEFAULT_DIR) -> str:
     files_dir = _owner_files_dir(owner, base_dir)
-    path = os.path.join(files_dir, f"{source_id}.txt")
+    safe_source_id = re.sub(r"[^a-zA-Z0-9._-]+", "_", (source_id or "").strip())[:120] or "source"
+    path = _resolve_under_base(files_dir, f"{safe_source_id}.txt")
     with _LOCK:
         parent = os.path.dirname(path)
         if parent:
@@ -195,18 +207,21 @@ def write_text_blob(owner: str, source_id: str, text: str, base_dir: str = DEFAU
     return path
 
 
-def read_text_blob(path: str) -> str:
+def read_text_blob(path: str, base_dir: str = DEFAULT_DIR) -> str:
     try:
-        with open(path, "r", encoding="utf-8") as f:
+        resolved = Path(path or "").resolve()
+        resolved.relative_to(Path(base_dir).resolve())
+        with open(resolved, "r", encoding="utf-8") as f:
             return f.read()
     except Exception:
         return ""
 
 
 def write_binary_blob(owner: str, source_id: str, filename: str, data: bytes, base_dir: str = DEFAULT_DIR) -> str:
     files_dir = _owner_files_dir(owner, base_dir)
+    safe_source_id = re.sub(r"[^a-zA-Z0-9._-]+", "_", (source_id or "").strip())[:120] or "source"
     safe = re.sub(r"[^a-zA-Z0-9._-]+", "_", (filename or "upload").strip())[:180] or "upload"
-    path = os.path.join(files_dir, f"{source_id}__{safe}")
+    path = _resolve_under_base(files_dir, f"{safe_source_id}__{safe}")
     with _LOCK:
         parent = os.path.dirname(path)
         if parent:
@@ -216,9 +231,13 @@ def write_binary_blob(owner: str, source_id: str, filename: str, data: bytes, ba
     return path
 
 
-def remove_file(path: str) -> None:
+def remove_file(path: str, base_dir: str = DEFAULT_DIR) -> None:
     try:
-        if path and os.path.exists(path):
-            os.remove(path)
+        if not path:
+            return
+        resolved = Path(path).resolve()
+        resolved.relative_to(Path(base_dir).resolve())
+        if os.path.exists(resolved):
+            os.remove(resolved)
     except Exception:
         pass
diff --git a/backend/study_store.py b/backend/study_store.py
@@ -5,6 +5,7 @@
 import re
 import secrets
 import threading
+from pathlib import Path
 from typing import Any, Dict, List, Optional
 
 from app.atomic_io import atomic_write_json, path_lock
@@ -19,9 +20,19 @@ def _safe_owner(owner: str) -> str:
     return owner[:128]
 
 
+def _resolve_under_base(base_dir: str, name: str) -> str:
+    base = Path(base_dir).resolve()
+    candidate = (base / name).resolve()
+    try:
+        candidate.relative_to(base)
+    except ValueError as e:
+        raise ValueError("path_outside_base_dir") from e
+    return str(candidate)
+
+
 def library_path(owner: str, base_dir: str = DEFAULT_DIR) -> str:
     os.makedirs(base_dir, exist_ok=True)
-    return os.path.join(base_dir, f"{_safe_owner(owner)}.json")
+    return _resolve_under_base(base_dir, f"{_safe_owner(owner)}.json")
 
 
 def load_library(owner: str, base_dir: str = DEFAULT_DIR) -> List[Dict[str, Any]]:
diff --git a/backend/templates/chat.html b/backend/templates/chat.html
@@ -849,7 +849,11 @@
         const res = await fetch(u);
         if (!(await ensureAuth(res))) return;
         if (!res.ok) {
-          librarySelectListEl.innerHTML = `<div class="hint">Failed to load library sources.</div>`;
+          librarySelectListEl.innerHTML = "";
+          const hint = document.createElement("div");
+          hint.className = "hint";
+          hint.textContent = "Failed to load library sources.";
+          librarySelectListEl.appendChild(hint);
           return;
         }
         const data = await res.json();
diff --git a/backend/templates/login.html b/backend/templates/login.html
@@ -81,8 +81,10 @@ <h1>OpenSift</h1>
 
         {% if mode == "set_password" %}
           <form method="post" action="/set-password">
-            <label>Generated Token (required to set password)</label>
+            {% if has_password %}
+            <label>Generated Token (required to reset existing password)</label>
             <input name="token" placeholder="Paste generated token…" required />
+            {% endif %}
 
             <div class="row">
               <div>
@@ -101,10 +103,7 @@ <h1>OpenSift</h1>
               Stores a salted password hash in <code>.opensift_auth.json</code> (backend directory).
             </div>
 
-            <div class="hint">
-              Generated token (also printed in server logs):<br/>
-              <code>{{ token }}</code>
-            </div>
+            <div class="hint">For token-based reset flows, retrieve the token from your secure server-side source.</div>
 
             <div class="hint"><a href="/login">Back to login</a></div>
           </form>
@@ -124,10 +123,7 @@ <h1>OpenSift</h1>
 
             <button class="primary" type="submit">Login</button>
 
-            <div class="hint">
-              Generated token (also printed in server logs):<br/>
-              <code>{{ token }}</code>
-            </div>
+            <div class="hint">Token values are no longer rendered in this page.</div>
 
             <div class="hint">
               {% if has_password %}
diff --git a/backend/templates/settings.html b/backend/templates/settings.html
@@ -321,7 +321,7 @@
           return;
         }
         const data = await res.json();
-        document.getElementById("tokenOut").textContent = `New token (save now): ${data.token}`;
+        document.getElementById("tokenOut").textContent = `Token rotated. New hint: ***${data.token_hint || ""}`;
         await loadAuthInfo();
       });
 
diff --git a/backend/tests/test_error_sanitization.py b/backend/tests/test_error_sanitization.py
@@ -0,0 +1,49 @@
+from __future__ import annotations
+
+from fastapi.testclient import TestClient
+
+import mcp_server
+import ui_app
+
+
+def _authed_client(monkeypatch) -> TestClient:
+    monkeypatch.setattr(ui_app, "_is_authenticated", lambda request: True)
+    monkeypatch.setattr(ui_app, "_csrf_invalid", lambda request: False)
+    monkeypatch.setattr(
+        ui_app.LocalhostOnlyMiddleware,
+        "dispatch",
+        lambda self, request, call_next: call_next(request),
+    )
+    return TestClient(ui_app.app)
+
+
+def test_session_import_invalid_payload_is_generic(monkeypatch) -> None:
+    client = _authed_client(monkeypatch)
+    resp = client.post("/chat/session/import", data={"owner": "alice", "payload": "{", "merge": "false"})
+    assert resp.status_code == 400
+    assert resp.json()["error"] == "invalid_payload"
+
+
+def test_provider_settings_invalid_path_error_is_generic(monkeypatch) -> None:
+    client = _authed_client(monkeypatch)
+    resp = client.post("/chat/settings/providers", data={"codex_cmd": "codex;rm -rf /"})
+    assert resp.status_code == 400
+    assert resp.json()["error"] == "invalid_provider_settings"
+
+
+def test_mcp_generate_error_is_sanitized(monkeypatch) -> None:
+    async def _fake_search(*args, **kwargs):
+        _ = (args, kwargs)
+        return {"ok": True, "results": []}
+
+    def _boom(*args, **kwargs):
+        _ = (args, kwargs)
+        raise RuntimeError("sensitive provider detail")
+
+    monkeypatch.setattr(mcp_server, "search", _fake_search)
+    monkeypatch.setattr(mcp_server, "generate_with_openai", _boom)
+
+    out = mcp_server.anyio.run(lambda: mcp_server.sift_generate(query="hello"))
+    assert out["ok"] is False
+    assert out["error"] == "generation_failed"
+    assert "sensitive provider detail" not in str(out)
diff --git a/backend/tests/test_ingest_security.py b/backend/tests/test_ingest_security.py
diff --git a/backend/tests/test_ingest_url_safety.py b/backend/tests/test_ingest_url_safety.py
diff --git a/backend/tests/test_login_security.py b/backend/tests/test_login_security.py
diff --git a/backend/tests/test_settings_and_stream_ui.py b/backend/tests/test_settings_and_stream_ui.py
diff --git a/backend/ui_app.py b/backend/ui_app.py
