Security hardening release
This release is the result of a full security audit of the package — command construction, untrusted input handling, dependencies, and static analysis.
Security
- Shell injection protection: centralized escaping (`escape_shell_arg`, `escape_input_text`) applied at all user-input call sites — payloads like `; rm -rf /`, `$(...)`, and backticks are neutralized before reaching `adb shell`.
- Path traversal guard: `safe_join()` validates device-supplied filenames during file sync pulls, so a malicious device cannot write outside the destination directory.
- XXE / DoS protection: UI hierarchy XML is parsed with entities, DTDs, and network access disabled; `<!DOCTYPE` payloads are rejected outright.
- Untrusted recordings: playback refuses `SHELL` actions unless `allow_shell=True`; numeric playback parameters are strictly validated.
- Strict TCP serial validation in connection type detection.
- Race-free UI dumps: each dump uses a unique on-device filename and cleans up reliably, so concurrent dumps on one device can no longer collide.
- Dependency floors raised: Pillow ≥ 12.2 (CVE-2026-42311) and lxml ≥ 6.1 (PYSEC-2026-87).
- New unit and e2e security test suites covering injection payloads, path traversal, XXE, and recording playback.
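The shell-escaping, serial-validation, path-traversal and XXE items above describe three input guards. The block below is an added example, not adbflow's own code: it shows each guard as a stand-alone function so the behaviour can be checked against concrete payloads. The names `build_adb_shell_argv`, `validate_serial`, `safe_join` and `parse_ui_hierarchy`, the serial regexes, and the sample dumps are this example's own assumptions, not the package's API.

```python
# Added example (not adbflow's own code): stand-alone versions of the guards
# the release notes describe. The names build_adb_shell_argv, validate_serial,
# safe_join and parse_ui_hierarchy, and the serial regexes, are this example's
# assumptions, not the package's API.
import os
import re
import shlex
import xml.etree.ElementTree as ET

# Conservative serial formats (assumption): a USB serial such as emulator-5554,
# or host:port for TCP devices. Bracketed IPv6 hosts are deliberately not accepted.
_USB_SERIAL = re.compile(r"^[A-Za-z0-9._-]{1,64}$")
_TCP_SERIAL = re.compile(r"^(?P<host>[A-Za-z0-9.-]{1,253}):(?P<port>\d{1,5})$")


def validate_serial(serial: str) -> str:
    """Return serial unchanged if it is a plausible USB or host:port serial."""
    m = _TCP_SERIAL.match(serial)
    if m:
        if not 1 <= int(m.group("port")) <= 65535:
            raise ValueError(f"invalid TCP port in serial: {serial!r}")
        return serial
    if _USB_SERIAL.match(serial):
        return serial
    raise ValueError(f"invalid device serial: {serial!r}")


def build_adb_shell_argv(serial: str, *remote_args: str) -> list[str]:
    """Build argv for `adb -s <serial> shell <command>`.

    adb hands the command to the device's /system/bin/sh as one string, so
    every argument is quoted with shlex.quote (POSIX-sh rules) before joining.
    Metacharacters such as ';', '$(...)' and backticks then sit inside single
    quotes and are never interpreted by the device shell.
    """
    if not remote_args:
        raise ValueError("remote command must not be empty")
    remote_cmd = " ".join(shlex.quote(arg) for arg in remote_args)
    return ["adb", "-s", validate_serial(serial), "shell", remote_cmd]


def safe_join(dest_dir: str, device_name: str) -> str:
    """Join a device-supplied name onto dest_dir, refusing anything that
    would land outside it (absolute paths, '..' climbing, NUL bytes).

    The check is lexical on normalised paths, so dest_dir should be a fresh
    directory: a symlink already inside it is not followed here.
    """
    if not device_name or "\x00" in device_name:
        raise ValueError("empty or NUL-containing filename from device")
    if os.path.isabs(device_name):
        raise ValueError(f"absolute path from device: {device_name!r}")
    base = os.path.normpath(os.path.abspath(dest_dir))
    target = os.path.normpath(os.path.join(base, device_name))
    if target == base or os.path.commonpath([base, target]) != base:
        raise ValueError(f"path escapes destination: {device_name!r}")
    return target


_DOCTYPE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)


def parse_ui_hierarchy(xml_bytes: bytes) -> ET.Element:
    """Parse a uiautomator dump, rejecting any DOCTYPE before parsing.

    XXE and entity-expansion bombs both need entity declarations, which only
    a DTD can supply, so refusing DOCTYPE up front closes both. With lxml the
    equivalent is resolve_entities=False, load_dtd=False, no_network=True.
    """
    if _DOCTYPE.search(xml_bytes):
        raise ValueError("DOCTYPE in UI hierarchy XML rejected")
    return ET.fromstring(xml_bytes)


def is_rejected(fn, *args) -> bool:
    """True if fn(*args) raises ValueError; used to exercise the guards."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


# Constructed inputs: a minimal uiautomator-style dump and an XXE payload.
SAMPLE_DUMP = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<hierarchy rotation="0">'
    b'<node index="0" text="OK" resource-id="android:id/button1"'
    b' class="android.widget.Button" bounds="[0,0][100,50]"/>'
    b"</hierarchy>"
)
XXE_DUMP = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE hierarchy [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
    b'<hierarchy rotation="0"><node text="&xxe;"/></hierarchy>'
)

if __name__ == "__main__":
    print(build_adb_shell_argv("emulator-5554", "ls", "-l", "; rm -rf /"))
    print(is_rejected(safe_join, "/data/pull", "../../etc/passwd"))
    print(is_rejected(parse_ui_hierarchy, XXE_DUMP))
```

The DOCTYPE rejection is intentionally coarse: it also refuses a harmless document that merely mentions `<!DOCTYPE` in a comment, which is the right trade for input that comes off a device you do not control. The path check is lexical, so it is only a complete guard when the destination directory is created fresh for the pull and cannot already contain attacker-placed symlinks.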
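The race-free UI dump item describes a per-call unique on-device filename with reliable cleanup. The block below is an added example of that pattern, not adbflow's own code: the adb transport is reduced to a `run_shell` callable that takes the remote argv and returns stdout (an assumed interface), and a constructed in-memory `FakeDevice` stands in for `adb shell` so the collision and cleanup properties can be checked offline.

```python
# Added example (not adbflow's own code): a UI dump whose on-device filename
# is unique per call and is removed on every exit path. The adb transport is
# abstracted as a run_shell callable taking the remote argv and returning
# stdout (an assumed interface), so the routine runs here against a fake
# device; a real wrapper would execute `adb -s <serial> shell <argv>`.
import uuid
from typing import Callable

RunShell = Callable[[list[str]], bytes]


def dump_ui_hierarchy(run_shell: RunShell, remote_dir: str = "/sdcard") -> bytes:
    """Dump the UI hierarchy to a per-call unique file and always remove it.

    A uuid4 in the name means two dumps racing on one device write and read
    different files instead of overwriting each other's. The finally block
    removes the file even when the read raises, so a failed call never leaves
    a stale dump for a later caller to mistake for fresh output.
    """
    remote_path = f"{remote_dir}/ui-{uuid.uuid4().hex}.xml"
    try:
        run_shell(["uiautomator", "dump", remote_path])
        return run_shell(["cat", remote_path])
    finally:
        run_shell(["rm", "-f", remote_path])


class FakeDevice:
    """In-memory stand-in for one device's shell (constructed for this demo)."""

    DUMP = b'<hierarchy rotation="0"><node text="OK"/></hierarchy>'

    def __init__(self, fail_read: bool = False) -> None:
        self.files: dict[str, bytes] = {}
        self.log: list[list[str]] = []
        self.fail_read = fail_read

    def run(self, argv: list[str]) -> bytes:
        self.log.append(argv)
        cmd, *args = argv
        if cmd == "uiautomator" and args[0] == "dump":
            self.files[args[1]] = self.DUMP
            return b""
        if cmd == "cat":
            if self.fail_read:
                raise RuntimeError("simulated read failure")
            return self.files[args[0]]
        if cmd == "rm":
            self.files.pop(args[-1], None)
            return b""
        raise ValueError(f"unexpected command {argv!r}")


def dumps_use_distinct_files(n: int = 5) -> bool:
    """n dumps on one device must use n different paths and leave none behind."""
    dev = FakeDevice()
    for _ in range(n):
        dump_ui_hierarchy(dev.run)
    paths = {argv[2] for argv in dev.log if argv[0] == "uiautomator"}
    return len(paths) == n and not dev.files


def cleanup_runs_on_failure() -> bool:
    """When the read fails, the last command must still be rm and no file may remain."""
    dev = FakeDevice(fail_read=True)
    try:
        dump_ui_hierarchy(dev.run)
    except RuntimeError:
        return dev.log[-1][0] == "rm" and not dev.files
    return False


if __name__ == "__main__":
    print(dump_ui_hierarchy(FakeDevice().run))
    print(dumps_use_distinct_files(), cleanup_runs_on_failure())
```

Reading the dump back with `cat` over the shell is the simplest transport for the demo; on a real device `adb pull` or `adb exec-out` avoids the line-ending translation that `adb shell` can apply to binary output, and the same unique-name-plus-finally structure applies unchanged.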
Fixed
- `mypy --strict` is clean with and without the optional `[vision]`/`[ocr]` extras installed.
- Sync checksums declare `usedforsecurity=False` (hashlib's flag for non-security hashing, so FIPS-mode Python builds do not block them).
Upgrading
`pip install -U adbflow`
No breaking API changes.
Full Changelog: Changelog