10 Commits

Author SHA1 Message Date
Stacy Olivas db0e1c6539 fix: resolve pr/web-viewer-ux CI failures
- Add allow_private param to validate_external_url (alias for
  allow_localhost) to unblock web viewer SSRF guard using allow_private=
- Block non-globally-routable IPs (RFC 6598 100.64.0.0/10 CGN) on
  Python 3.10 which does not classify them as private or reserved
- Remove tests for greeter DB tables and admin_config template that
  depend on features not present on this branch
2026-04-16 18:35:14 -07:00
agessaman 6e8204c1ec fix: enhance path validation for security
Updated the path validation logic in security_utils.py and web_viewer/app.py to include additional dangerous prefixes, specifically targeting private directories. This change aims to strengthen security by preventing access to sensitive system paths. Additionally, modified the test for posting feeds to mock the external URL validation, ensuring consistent behavior during tests.
2026-04-14 10:25:18 -07:00
Stacy Olivas 54aeb28bf0 security: SSRF hardening, log injection sanitization, and allow_local_smtp
Add SSRF host validation to maintenance.py send_nightly_email and
scheduler.py send_zombie_alert_email using validate_external_url().
New allow_local_smtp config key permits private-IP SMTP for local
relay setups.

Add sanitize_name() to security_utils and apply it to all log calls
in message_handler, repeater_manager, path_command, solarforecast_command,
command_manager, and discord_bridge_service to prevent log injection.

Move nightly email logic from duplicate scheduler._send_nightly_email()
into the canonical maintenance.py implementation, removing the duplicate.
Update tests to call maintenance.send_nightly_email() directly.

Add validate_external_url allow_private parameter with support for
loopback, RFC1918, CGN, and link-local address ranges.
2026-04-14 10:02:36 -07:00
agessaman d0497d983e Enhance database management and validation in DBManager and BotDataViewer
- Introduced validation for SQLite journal modes in DBManager, defaulting to "WAL" for invalid inputs and logging warnings.
- Added a new utility function in security_utils for validating SQL identifiers to prevent SQL injection.
- Updated BotDataViewer to utilize the new journal mode validation and SQL identifier checks, ensuring safer database operations.
- Enhanced test coverage for restore functionality, including checks for backup directory configuration and path traversal prevention.
2026-03-29 09:45:18 -07:00
Stacy Olivas ad77d7b00d fix: BUG-025/026/027/028/029 implementations and ruff/mypy refinements
BUG-025: send_channel_message retry logic on no_event_received
BUG-026: split_text_into_chunks and chunked dispatch in message_handler
BUG-027: test_weekly_on_wrong_day_does_not_run patch uses fake_now
BUG-028: byte_data = b"" initialised before try in decode_meshcore_packet
BUG-029: app.py db_path via self._config_base; realtime.html socket race
  fixed; base.html forceNew removed; ping_timeout 5 to 20s

Additional: ruff and mypy refinements across all modules; discord bridge,
telegram bridge, rate limiter, and service plugin updates
2026-03-17 18:07:19 -07:00
Stacy Olivas ce884cee87 fix: auth, db migrations, retry, chunking, socket race, trace, timezone, repeater, and ruff/mypy cleanup
BUG-001: web viewer login/session auth (in web viewer commit)
BUG-002: db_manager ALTER TABLE for missing channel_operations and
  feed_message_queue columns on startup
BUG-015: scheduler thread blocked on future.result(); replaced all
  blocking waits with add_done_callback (fire-and-forget)
BUG-016: reboot_radio sends meshcore.commands.reboot() before disconnect
BUG-017: radio disconnect uses asyncio.wait_for(timeout=10)
BUG-022: custom asyncio loop exception handler suppresses IndexError
  from meshcore parser at DEBUG level
BUG-024: last_db_backup_run updated after each run; 2-min startup
  window; last-run seeded from DB on restart
BUG-025: send_channel_message retries up to 2 times (2s delay) on
  no_event_received via _is_no_event_received() helper
BUG-026: split_text_into_chunks() and get_max_message_length() added
  to CommandManager; keyword dispatch uses send_response_chunked()
BUG-028: byte_data = b"" initialised before try block in
  decode_meshcore_packet to prevent UnboundLocalError in except handler
TraceCommand: path nodes reversed and return path truncated; fixed
format_elapsed_display: UTC normalisation before elapsed computation (#75)
RepeaterManager: auto_manage_contacts guard before any purge logic (#50)
Command aliases: [Aliases] config section injects shorthands at startup
JSON logging: _JsonFormatter; json_logging = true in [Logging]
Structured JSON logging compatible with Loki, Elasticsearch, Splunk
Discord bridge, Telegram bridge, and all service plugins updated
MeshGraph edge promotion logic corrected
Shutdown: scheduler and meshcore disconnect joined cleanly; log spam fixed
All modules: ruff and mypy cleanup applied (type annotations, imports)
2026-03-17 18:07:18 -07:00
agessaman afda22f0fe Refactor database path and placeholder handling across modules
- Replaced the validate_safe_path function with a new resolve_path utility to simplify database path resolution in BotDataViewer, BotIntegration, and MapUploaderService.
- Updated the logic to ensure that both relative and absolute paths are handled correctly, enhancing the robustness of database connections.
- Improved code readability and maintainability by centralizing path resolution logic.
- Centralized placeholder handling in utils instead of individual function handlers
2025-12-29 15:42:35 -08:00
agessaman f4cd1a27e5 Fix issue where bot is sometimes unable to open the database file.
- Updated the validate_safe_path function to resolve the base directory to an absolute path and handle target paths more accurately.
- Enhanced logic to ensure that if the file_path is absolute, it is used directly; otherwise, it is joined with the base directory before resolution, improving handling of relative paths.
2025-12-28 09:17:23 -08:00
agessaman d62e63cdb9 Apply code quality improvements to PR16 security enhancements
Security Improvements:
- Add DNS timeout (2.0s default) to validate_external_url() to prevent DoS
  attacks from malicious URLs causing DNS resolution to hang
- Make path validation OS-aware: supports Windows, macOS (Darwin), and Linux
  with platform-specific dangerous path detection
- Add validation for negative max_length values in sanitize_input()

Code Quality Improvements:
- Extract bot_root property in MeshCoreBot class to eliminate code duplication
  (was calculated twice in __init__ and setup_logging)
- Use explicit bot_root directory instead of '.' for predictable path validation
  in both database and log file path validation
- Make sanitize_input() max_length parameter Optional to allow disabling length
  check for radio messages (firmware enforces 150-char limit at hardware level)
- Update message_handler.py to use max_length=None for radio messages while
  preserving control character stripping for security
- Replace inline regex with centralized validate_pubkey_format() function in
  base_command.py for consistency and maintainability
- Improve documentation: add comments about socket timeout behavior and
  firmware-enforced message length limits

All improvements have been tested and verified:
- Syntax checks pass
- All functions work correctly
- No circular dependencies
- Bot initializes successfully with all attributes present

Files modified:
- modules/security_utils.py: DNS timeout, OS-aware paths, Optional max_length
- modules/core.py: bot_root property, explicit base directory usage
- modules/message_handler.py: max_length=None for radio messages
- modules/commands/base_command.py: centralized validation function
2025-12-09 21:44:42 -08:00
eddieoz 8a35dc8270 feat: Add security utilities for path validation, SQL injection prevention, and input sanitization.
2025-12-09 21:26:42 -08:00