agessaman d62e63cdb9 Apply code quality improvements to PR16 security enhancements ...

Security Improvements:
- Add DNS timeout (2.0s default) to validate_external_url() to prevent DoS
  attacks from malicious URLs causing DNS resolution to hang
- Make path validation OS-aware: supports Windows, macOS (Darwin), and Linux
  with platform-specific dangerous path detection
- Add validation for negative max_length values in sanitize_input()

Code Quality Improvements:
- Extract bot_root property in MeshCoreBot class to eliminate code duplication
  (was calculated twice in __init__ and setup_logging)
- Use explicit bot_root directory instead of '.' for predictable path validation
  in both database and log file path validation
- Make sanitize_input() max_length parameter Optional to allow disabling length
  check for radio messages (firmware enforces 150-char limit at hardware level)
- Update message_handler.py to use max_length=None for radio messages while
  preserving control character stripping for security
- Replace inline regex with centralized validate_pubkey_format() function in
  base_command.py for consistency and maintainability
- Improve documentation: add comments about socket timeout behavior and
  firmware-enforced message length limits

All improvements have been tested and verified:
- Syntax checks pass
- All functions work correctly
- No circular dependencies
- Bot initializes successfully with all attributes present

Files modified:
- modules/security_utils.py: DNS timeout, OS-aware paths, Optional max_length
- modules/core.py: bot_root property, explicit base directory usage
- modules/message_handler.py: max_length=None for radio messages
- modules/commands/base_command.py: centralized validation function

2025-12-09 21:44:42 -08:00

9.4 KiB

Raw Blame History

View Raw