Draft
- Fix HTTP → HTTPS for ip-api.com in macOS and Windows to prevent man-in-the-middle interception of public IP/ISP lookups
- Fix falsy-check bug in headless_config: use `is not None` for poll and threshold so explicit value 0 is honoured
- Add input validation in interactive_setup: replace bare int() casts with _prompt_int() which re-prompts on invalid input
- Add HTML escaping (html.escape) for ISP name, public IP, target names, and drop data injected into HTML reports
- Move import datetime from inside functions to module level in metrics.py
- Use try/finally for socket cleanup in network.py get_local_ip
- Rename single-letter variables (l, a, j) in get_health_score to loss_pct, avg_lat, jitter_ms for readability
- Fix confusingly-named variables now_s/end_s → start_s/end_s in macos/lib/logging.sh log_drop and log_threshold_breach

Agent-Logs-Url: https://github.com/nexuspcs/ConnectivityMonitor/sessions/36342ce1-c124-412a-9d81-904bbde9071a
Co-authored-by: nexuspcs <69493073+nexuspcs@users.noreply.github.com>
Copilot created this pull request from a session on behalf of nexuspcs, April 6, 2026 12:27
Summary
Full audit of all three platform implementations (Python, macOS Bash, Windows PowerShell) ahead of public release. All issues found are fixed below.
Security Fixes
HTTP → HTTPS for public IP/ISP lookups (`macos/lib/network.sh`, `windows/ConnectivityDropMonitor.ps1`)
All three versions fetch the user's public IP and ISP name from ip-api.com. The macOS and Windows versions were using plain HTTP, which means the response could be intercepted and modified by anyone on the network path (a real concern on public Wi-Fi or hostile networks). Changed to HTTPS.

HTML injection in generated reports (`python/connectivity_monitor/html_report.py`)
ISP name, public IP, target hostnames, and drop event data were interpolated directly into the HTML report string without escaping. A crafted API response (or an ISP name containing `<script>` or `&` characters) would break the report or execute code. Added `html.escape()` for all external/user-supplied values before HTML injection.

Bug Fixes

`headless_config` falsy check (`python/connectivity_monitor/config.py`)
`if args.poll:` is `False` when `--poll 0` is passed. The check should be `if args.poll is not None:` to honour any explicit value. Same fix applied to `args.threshold`.

No input validation in interactive setup (`python/connectivity_monitor/config.py`)
The interactive prompts used bare `int()` casts. Typing a non-numeric value (e.g. "two") would raise an unhandled `ValueError` and crash the program. Replaced with a `_prompt_int()` helper that re-prompts until a valid integer is entered.

Confusing variable names in duration calculation (`macos/lib/logging.sh`)
`log_drop` and `log_threshold_breach` had variables named `now_s` (holding the end timestamp) and `end_s` (holding the start timestamp) — exactly reversed from what the names imply. The arithmetic happened to be correct because both variables were swapped, but this was a maintenance hazard. Renamed to `start_s` and `end_s`.

Code Quality
- `python/connectivity_monitor/metrics.py`: `import datetime` from inside three functions to module level
- `python/connectivity_monitor/network.py`: `try/finally` for socket in `get_local_ip` so it always closes even on exception
- `python/connectivity_monitor/metrics.py`: `l`, `a`, `j` → `loss_pct`, `avg_lat`, `jitter_ms` in `get_health_score`

Validation
- `py_compile` passes for all 10 modules; functional tests pass including HTML-escape assertions
- `bash -n` syntax check passes for all 8 shell files
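
An added example, not code from this pull request: the report-escaping fix described under "HTML injection in generated reports", shown as a before/after pair with a parser-based check that no interpolated value introduces a tag. The field names, `render_unsafe`, `render_safe`, `parse` and the sample values are assumptions constructed for illustration.

```python
import html
from html.parser import HTMLParser

# Constructed sample standing in for an API response and configured targets.
SAMPLE = {
    "isp": "Acme <script>alert(1)</script> & Sons",
    "public_ip": "203.0.113.7",
    "targets": ['gw"><img src=x>', "1.1.1.1"],
}

def render_unsafe(data):
    """'Before' form: external values are interpolated verbatim."""
    rows = "".join(f"<li>{t}</li>" for t in data["targets"])
    return f"<h1>{data['isp']}</h1><p>{data['public_ip']}</p><ul>{rows}</ul>"

def esc(value):
    """Escape &, <, > and both quote characters (quote=True is the default)."""
    return html.escape(str(value), quote=True)

def render_safe(data):
    """'After' form: every external value is escaped at the point of output."""
    rows = "".join(f'<li title="{esc(t)}">{esc(t)}</li>' for t in data["targets"])
    return f"<h1>{esc(data['isp'])}</h1><p>{esc(data['public_ip'])}</p><ul>{rows}</ul>"

class _Collector(HTMLParser):
    """Records start tags and text the way an HTML parser sees the markup."""
    def __init__(self):
        super().__init__()
        self.tags, self.text = set(), []
    def handle_starttag(self, tag, attrs):
        self.tags.add(tag)
    def handle_data(self, data):
        self.text.append(data)

def parse(markup):
    """Return (set of tag names, concatenated text) found in the markup."""
    c = _Collector()
    c.feed(markup)
    c.close()
    return c.tags, "".join(c.text)

if __name__ == "__main__":
    print("unsafe tags:", sorted(parse(render_unsafe(SAMPLE))[0]))
    print("safe tags:  ", sorted(parse(render_safe(SAMPLE))[0]))
```

The same `parse` check can serve as a regression test for a report generator: the set of tags in the output should not change with the data fed in.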