3454a55636
cffconvert / validate (push) Waiting to run
ci-workflow / pre-commit (push) Waiting to run
ci-workflow / Minimal NLTK Download Test (macos-latest) (push) Waiting to run
ci-workflow / Minimal NLTK Download Test (ubuntu-latest) (push) Waiting to run
ci-workflow / Minimal NLTK Download Test (windows-latest) (push) Waiting to run
ci-workflow / Python 3.10 on macos-latest (push) Blocked by required conditions
ci-workflow / Python 3.11 on macos-latest (push) Blocked by required conditions
ci-workflow / Python 3.12 on macos-latest (push) Blocked by required conditions
ci-workflow / Python 3.13 on macos-latest (push) Blocked by required conditions
ci-workflow / Python 3.14 on macos-latest (push) Blocked by required conditions
ci-workflow / Python 3.14t on macos-latest (push) Blocked by required conditions
ci-workflow / Python 3.10 on ubuntu-latest (push) Blocked by required conditions
ci-workflow / Python 3.11 on ubuntu-latest (push) Blocked by required conditions
ci-workflow / Python 3.12 on ubuntu-latest (push) Blocked by required conditions
ci-workflow / Python 3.13 on ubuntu-latest (push) Blocked by required conditions
ci-workflow / Python 3.14 on ubuntu-latest (push) Blocked by required conditions
ci-workflow / Python 3.14t on ubuntu-latest (push) Blocked by required conditions
ci-workflow / Python 3.10 on windows-latest (push) Blocked by required conditions
ci-workflow / Python 3.11 on windows-latest (push) Blocked by required conditions
ci-workflow / Python 3.12 on windows-latest (push) Blocked by required conditions
ci-workflow / Python 3.13 on windows-latest (push) Blocked by required conditions
ci-workflow / Python 3.14 on windows-latest (push) Blocked by required conditions
595 lines
23 KiB
Python
595 lines
23 KiB
Python
# Natural Language Toolkit: Centralized I/O security sentinel
|
|
#
|
|
# Copyright (C) 2001-2026 NLTK Project
|
|
# Author: Eric Kafe <kafe.eric@gmail.com>
|
|
# URL: <https://www.nltk.org/>
|
|
# For license information, see LICENSE.TXT
|
|
#
|
|
"""Centralized I/O security sentinel for NLTK."""
|
|
|
|
"""Centralized I/O security sentinel for NLTK."""
|
|
import builtins
|
|
import http.client
|
|
import ipaddress
|
|
import os
|
|
import socket
|
|
import sys
|
|
import urllib.request
|
|
import warnings
|
|
import zipfile
|
|
from functools import lru_cache
|
|
from pathlib import Path
|
|
from urllib.parse import unquote, urlparse
|
|
|
|
# Security Enforcement Toggle
|
|
# ENFORCE = False
|
|
ENFORCE = True
|
|
|
|
_ALLOWED_ROOTS_CACHE = None
|
|
_LAST_DATA_PATHS = None
|
|
|
|
|
|
def _get_allowed_roots():
|
|
"""Dynamically determines allowed directories based on NLTK data paths."""
|
|
global _ALLOWED_ROOTS_CACHE, _LAST_DATA_PATHS
|
|
|
|
current_paths = []
|
|
if "nltk.data" in sys.modules:
|
|
# Accessing nltk.data.path via sys.modules to avoid top-level circularity
|
|
current_paths = list(getattr(sys.modules["nltk.data"], "path", []))
|
|
|
|
env_paths = os.environ.get("NLTK_DATA", "")
|
|
current_state = (current_paths, env_paths)
|
|
|
|
if _ALLOWED_ROOTS_CACHE is not None and _LAST_DATA_PATHS == current_state:
|
|
return _ALLOWED_ROOTS_CACHE
|
|
|
|
roots = set()
|
|
for p in current_paths + env_paths.split(os.pathsep):
|
|
if p:
|
|
try:
|
|
# Handle both string paths and PathPointer objects
|
|
raw_p = p.path if hasattr(p, "path") else p
|
|
roots.add(Path(str(raw_p)).resolve())
|
|
except (OSError, ValueError, RuntimeError):
|
|
continue
|
|
|
|
import tempfile
|
|
|
|
for loc in ["~/nltk_data", "/usr/share/nltk_data", tempfile.gettempdir()]:
|
|
try:
|
|
p = Path(loc).expanduser().resolve()
|
|
if p.exists():
|
|
roots.add(p)
|
|
except (OSError, ValueError, RuntimeError):
|
|
continue
|
|
|
|
_ALLOWED_ROOTS_CACHE = roots
|
|
_LAST_DATA_PATHS = current_state
|
|
return roots
|
|
|
|
|
|
def validate_path(path_input, context="NLTK", required_root=None):
|
|
"""
|
|
Ensures file access is restricted to allowed data directories.
|
|
|
|
:param path_input: The path to validate.
|
|
:param context: Diagnostic context for warnings/errors.
|
|
:param required_root: If provided, enforces that the path is strictly
|
|
within this specific directory (scoped sandbox).
|
|
"""
|
|
if isinstance(path_input, int) or not path_input or not str(path_input).strip():
|
|
return
|
|
try:
|
|
raw = path_input.path if hasattr(path_input, "path") else str(path_input)
|
|
|
|
if "://" in raw:
|
|
parsed = urlparse(raw)
|
|
if parsed.scheme in ("http", "https", "ftp"):
|
|
return
|
|
if parsed.scheme == "file":
|
|
raw = unquote(parsed.path)
|
|
|
|
# Resolve path to catch symlink escapes
|
|
try:
|
|
target = Path(raw).resolve()
|
|
except (OSError, ValueError):
|
|
# Fallback for virtual paths inside ZIPs (e.g. corpora/foo.zip/file.txt)
|
|
lower_raw = raw.lower()
|
|
if ".zip" in lower_raw:
|
|
zip_idx = lower_raw.find(".zip") + 4
|
|
target = Path(raw[:zip_idx]).resolve()
|
|
else:
|
|
target = Path(raw)
|
|
|
|
# LAYER 1: Scoped Sandbox (PR #3528 Integration)
|
|
# This resolves both target and root to block symlink-based escapes.
|
|
if required_root:
|
|
root_raw = (
|
|
required_root.path
|
|
if hasattr(required_root, "path")
|
|
else str(required_root)
|
|
)
|
|
scoped_root = Path(root_raw).resolve()
|
|
if not (target == scoped_root or target.is_relative_to(scoped_root)):
|
|
# Raise ValueError to match NLTK's historical CorpusReader error type
|
|
raise ValueError(
|
|
f"Security Violation [{context}]: Path {target} escapes root {scoped_root}"
|
|
)
|
|
|
|
# LAYER 2: Global NLTK_DATA Sandbox
|
|
allowed_roots = _get_allowed_roots()
|
|
if any(target == root or target.is_relative_to(root) for root in allowed_roots):
|
|
return
|
|
|
|
# CWD Fallback (Explicit Opt-In for ENFORCE mode)
|
|
try:
|
|
cwd = Path(os.getcwd()).resolve()
|
|
if target == cwd or target.is_relative_to(cwd):
|
|
if any(cwd == root for root in allowed_roots):
|
|
return
|
|
msg = (
|
|
f"Security Violation [{context}]: CWD access restricted in ENFORCE mode. "
|
|
"Authorize via: nltk.data.path.append('.')"
|
|
)
|
|
if ENFORCE:
|
|
raise PermissionError(msg)
|
|
else:
|
|
warnings.warn(
|
|
f"Security Warning [{context}]: Path {target} allowed via CWD.",
|
|
RuntimeWarning,
|
|
stacklevel=3,
|
|
)
|
|
return
|
|
except (OSError, ValueError):
|
|
pass
|
|
|
|
msg = f"Security Violation [{context}]: Unauthorized path {target}"
|
|
if ENFORCE:
|
|
raise PermissionError(msg)
|
|
else:
|
|
warnings.warn(msg, RuntimeWarning, stacklevel=3)
|
|
except (PermissionError, ValueError):
|
|
raise
|
|
except Exception:
|
|
if ENFORCE:
|
|
raise
|
|
|
|
|
|
def _zip_member_is_unsafe(name_str):
|
|
"""True if a ZIP member is written somewhere other than where it is validated.
|
|
|
|
``zipfile.ZipFile.extract`` sanitises a member name by *dropping* the drive
|
|
and every empty / ``.`` / ``..`` component while keeping the rest, whereas
|
|
``Path.resolve`` collapses a ``..`` against its *preceding* component. For a
|
|
member such as ``a/../b/x`` the two disagree: it is validated as ``<root>/b/x``
|
|
but written to ``<root>/a/b/x``, which can escape through a pre-existing
|
|
symlink at ``<root>/a/b`` that the collapsed validation path never visits.
|
|
|
|
The mismatch only ever arises from absolute / drive-qualified / ``..`` members
|
|
-- exactly the shapes a legitimate archive never uses -- so rather than keep
|
|
two different normalizations in sync we reject them outright. This both
|
|
closes the validate/extract gap and is the proactive block the hardened
|
|
extractor promises (CWE-22 / CWE-59).
|
|
"""
|
|
# Normalize every separator zipfile treats as such on this platform to "/".
|
|
normalized = name_str.replace("\\", "/") if os.path.altsep else name_str
|
|
if os.path.splitdrive(name_str)[0] or normalized.startswith("/"):
|
|
return True
|
|
return os.path.pardir in normalized.split("/")
|
|
|
|
|
|
def validate_zip_archive(
|
|
zip_obj_or_path, target_root, specific_member=None, context="ZipAudit"
|
|
):
|
|
"""Enhanced Zip-Slip protection using Pathlib for cross-platform safety."""
|
|
try:
|
|
target = Path(target_root).resolve()
|
|
|
|
def _audit(zf):
|
|
members = (
|
|
[specific_member] if specific_member is not None else zf.namelist()
|
|
)
|
|
for name in members:
|
|
name_str = name.filename if hasattr(name, "filename") else str(name)
|
|
if "\0" in name_str:
|
|
raise ValueError(f"Null byte in ZIP member: {name_str}")
|
|
|
|
# ``resolve()`` follows symlinks, catching escapes through a
|
|
# pre-existing symlinked subpath. The extra component check
|
|
# rejects absolute / ``..`` members, whose write target diverges
|
|
# from this resolved path (CWE-22 / CWE-59).
|
|
member_path = (target / name_str).resolve()
|
|
if _zip_member_is_unsafe(name_str) or not (
|
|
member_path == target or member_path.is_relative_to(target)
|
|
):
|
|
msg = f"Security Violation [{context}]: Traversal member '{name_str}' detected."
|
|
if ENFORCE:
|
|
raise PermissionError(msg)
|
|
else:
|
|
warnings.warn(msg, RuntimeWarning, stacklevel=3)
|
|
|
|
if isinstance(zip_obj_or_path, zipfile.ZipFile):
|
|
_audit(zip_obj_or_path)
|
|
else:
|
|
with zipfile.ZipFile(zip_obj_or_path, "r") as zf:
|
|
_audit(zf)
|
|
except (PermissionError, ValueError):
|
|
raise
|
|
except (OSError, zipfile.BadZipFile):
|
|
if ENFORCE:
|
|
raise PermissionError("Zip validation failed")
|
|
|
|
|
|
@lru_cache(maxsize=256)
|
|
def _resolve_hostname(hostname):
|
|
"""Cached hostname resolution for the early SSRF pre-check.
|
|
|
|
Note: the cache alone does NOT prevent DNS rebinding, because the connection
|
|
layer re-resolves the hostname independently. The actual rebinding
|
|
protection is the connect-time IP pinning in ``_SafeHTTPConnection`` /
|
|
``_SafeHTTPSConnection``.
|
|
"""
|
|
try:
|
|
return socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
|
|
except (OSError, ValueError):
|
|
return []
|
|
|
|
|
|
# IPv6->IPv4 transition prefixes that have no dedicated stdlib accessor.
|
|
_NAT64_WELL_KNOWN = ipaddress.ip_network("64:ff9b::/96")
|
|
_IPV4_COMPATIBLE = ipaddress.ip_network("::/96")
|
|
|
|
|
|
def _embedded_ipv4(ip):
|
|
"""The embedded IPv4 for IPv6 forms that *are* an IPv4 address, else None.
|
|
|
|
Covers IPv4-mapped (``::ffff:0:0/96``), IPv4-compatible (``::/96``) and the
|
|
NAT64 well-known prefix (``64:ff9b::/96``). For these the IPv6 wrapper has no
|
|
independent routable meaning, so the embedded IPv4 is what gets reached.
|
|
"""
|
|
if not isinstance(ip, ipaddress.IPv6Address):
|
|
return None
|
|
mapped = ip.ipv4_mapped
|
|
if mapped is not None:
|
|
return mapped
|
|
if ip in _NAT64_WELL_KNOWN or ip in _IPV4_COMPATIBLE:
|
|
return ipaddress.IPv4Address(ip.packed[-4:])
|
|
return None
|
|
|
|
|
|
def _tunneled_ipv4s(ip):
|
|
"""IPv4 addresses tunneled by routable IPv6 wrappers (6to4 / Teredo)."""
|
|
if not isinstance(ip, ipaddress.IPv6Address):
|
|
return
|
|
sixtofour = ip.sixtofour
|
|
if sixtofour is not None:
|
|
yield sixtofour
|
|
teredo = ip.teredo
|
|
if teredo is not None:
|
|
yield from teredo # (Teredo server, Teredo client)
|
|
|
|
|
|
def _ip_is_forbidden(ip):
|
|
"""Return True if the SSRF filter must refuse to connect to ``ip``.
|
|
|
|
Policy (defense in depth): only *globally routable* addresses are allowed;
|
|
anything that is not global -- loopback, link-local, private, carrier-grade
|
|
NAT (100.64.0.0/10), reserved, unspecified (``0.0.0.0`` / ``::``),
|
|
documentation ranges, etc. -- is forbidden. This generalises the previous
|
|
explicit ``loopback / link-local / multicast / private`` list and is a strict
|
|
superset of it. Multicast is still rejected explicitly because some CPython
|
|
versions classify multicast addresses as ``is_global``.
|
|
|
|
IPv6 addresses that embed an IPv4 address are evaluated by that embedded IPv4,
|
|
not by the wrapper: the stdlib classifies the wrappers (IPv4-mapped,
|
|
IPv4-compatible, NAT64 ``64:ff9b::/96``, 6to4 ``2002::/16``, Teredo
|
|
``2001:0::/32``) as globally routable, so a forbidden internal IPv4 (loopback,
|
|
the link-local cloud-metadata address, ...) could otherwise be smuggled past
|
|
the check and then routed to that IPv4 by a NAT64/6to4/Teredo gateway
|
|
(CWE-918). This extends the previous IPv4-mapped-only unwrap.
|
|
"""
|
|
embedded = _embedded_ipv4(ip)
|
|
if embedded is not None:
|
|
ip = embedded
|
|
for tunneled in _tunneled_ipv4s(ip):
|
|
if tunneled.is_multicast or not tunneled.is_global:
|
|
return True
|
|
return ip.is_multicast or not ip.is_global
|
|
|
|
|
|
def validate_network_url(url_input, context="NetworkIO"):
|
|
"""Hardened URL validation with SSRF protection."""
|
|
if not url_input or not str(url_input).strip():
|
|
return
|
|
try:
|
|
parsed = urlparse(str(url_input))
|
|
|
|
if parsed.scheme == "file":
|
|
file_path = unquote(parsed.path)
|
|
netloc = parsed.netloc
|
|
|
|
# Only local file:// URIs are allowed.
|
|
# Reject remote/UNC-style authorities so validation matches actual access.
|
|
if netloc not in ("", "localhost"):
|
|
raise OSError(
|
|
f"Security Violation [{context}.file_scheme]: "
|
|
f"Non-local file URI authority not allowed: {netloc!r}"
|
|
)
|
|
|
|
# Windows file:// URIs arrive like /C:/path/to/file
|
|
# Convert them to a native absolute path before validation.
|
|
if (
|
|
os.name == "nt"
|
|
and len(file_path) >= 3
|
|
and file_path[0] == "/"
|
|
and file_path[2] == ":"
|
|
):
|
|
file_path = file_path[1:]
|
|
|
|
validate_path(file_path, context=f"{context}.file_scheme")
|
|
return
|
|
|
|
if parsed.scheme not in ("http", "https"):
|
|
msg = (
|
|
f"Security Violation [{context}]: Unsupported scheme '{parsed.scheme}'."
|
|
)
|
|
if ENFORCE:
|
|
raise PermissionError(msg)
|
|
else:
|
|
warnings.warn(msg, RuntimeWarning, stacklevel=3)
|
|
return
|
|
|
|
for result in _resolve_hostname(parsed.hostname or ""):
|
|
ip = ipaddress.ip_address(result[4][0])
|
|
if _ip_is_forbidden(ip):
|
|
msg = f"Security Violation [{context}]: SSRF attempt to restricted IP {ip}"
|
|
if ENFORCE:
|
|
raise PermissionError(msg)
|
|
else:
|
|
warnings.warn(msg, RuntimeWarning, stacklevel=3)
|
|
except (PermissionError, ValueError):
|
|
raise
|
|
except Exception:
|
|
if ENFORCE:
|
|
raise
|
|
|
|
|
|
class _ValidatingRedirectHandler(urllib.request.HTTPRedirectHandler):
|
|
"""Ensures that every step of a redirect chain is re-validated against SSRF."""
|
|
|
|
def redirect_request(self, req, fp, code, msg, headers, newurl):
|
|
validate_network_url(newurl, context="NetworkRedirect")
|
|
return super().redirect_request(req, fp, code, msg, headers, newurl)
|
|
|
|
|
|
def _resolve_and_validate_host(host, port):
|
|
"""
|
|
Resolve ``host`` once and SSRF-validate *every* address it resolves to.
|
|
|
|
Returns the resolved ``getaddrinfo`` records so the caller can connect to a
|
|
**pinned** numeric address. Because validation and the subsequent connection
|
|
observe the same resolution (the connection is made to the numeric IP, which
|
|
triggers no further name lookup), this closes the DNS-rebinding TOCTOU where
|
|
a hostname resolves to a public IP during validation and to an internal /
|
|
loopback IP during the actual connect.
|
|
"""
|
|
try:
|
|
addrinfo = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
|
|
except (OSError, ValueError):
|
|
return []
|
|
for res in addrinfo:
|
|
try:
|
|
ip = ipaddress.ip_address(res[4][0])
|
|
except ValueError:
|
|
continue
|
|
if _ip_is_forbidden(ip):
|
|
msg = f"Security Violation [pathsec.urlopen]: SSRF attempt to restricted IP {ip}"
|
|
if ENFORCE:
|
|
raise PermissionError(msg)
|
|
warnings.warn(msg, RuntimeWarning, stacklevel=2)
|
|
return addrinfo
|
|
|
|
|
|
def _pinned_connection(host, port, timeout, source_address):
|
|
"""Open a socket to ``host``/``port`` over an SSRF-validated, pinned address.
|
|
|
|
Every address ``host`` resolves to is validated together, then the socket is
|
|
opened to those **numeric** addresses, so no second (unvalidated) name lookup
|
|
happens at connect time -- this closes the DNS-rebinding TOCTOU. All
|
|
validated addresses are tried in order, preserving urllib/socket's normal
|
|
dual-stack / multi-A fallback. If nothing resolves to a validated address we
|
|
fail closed: we never fall back to connecting by the raw hostname, which
|
|
would re-resolve unvalidated and reopen the rebinding hole.
|
|
"""
|
|
addrinfo = _resolve_and_validate_host(host, port)
|
|
if not addrinfo:
|
|
# Fail closed: never fall back to connecting by the raw hostname (that
|
|
# would re-resolve unvalidated and reopen the rebinding hole). The host
|
|
# produced no usable address, which is a name-resolution failure, so we
|
|
# surface it as socket.gaierror rather than a bare OSError. gaierror is
|
|
# an OSError subclass, so urllib still wraps it as URLError and the
|
|
# fail-closed contract is unchanged; but callers that legitimately
|
|
# expect a DNS failure -- e.g. obfuscated/decimal-IP hosts that some
|
|
# platforms (Windows) refuse to resolve -- then see the expected
|
|
# gaierror reason instead of an opaque OSError.
|
|
raise socket.gaierror(
|
|
f"pathsec.urlopen: no validated address for host {host!r}; "
|
|
"refusing to connect by unvalidated hostname"
|
|
)
|
|
last_err = None
|
|
for res in addrinfo:
|
|
ip = res[4][0]
|
|
try:
|
|
return socket.create_connection((ip, port), timeout, source_address)
|
|
except OSError as e:
|
|
last_err = e
|
|
raise last_err
|
|
|
|
|
|
class _SafeHTTPConnection(http.client.HTTPConnection):
|
|
"""HTTPConnection that resolves, SSRF-validates and pins the address at connect()."""
|
|
|
|
def connect(self):
|
|
self.sock = _pinned_connection(
|
|
self.host, self.port, self.timeout, self.source_address
|
|
)
|
|
|
|
|
|
class _SafeHTTPSConnection(http.client.HTTPSConnection):
|
|
"""HTTPS variant of :class:`_SafeHTTPConnection`.
|
|
|
|
Connects to a validated, pinned IP but keeps SNI / certificate verification
|
|
against the original hostname.
|
|
"""
|
|
|
|
def connect(self):
|
|
sock = _pinned_connection(
|
|
self.host, self.port, self.timeout, self.source_address
|
|
)
|
|
self.sock = self._context.wrap_socket(sock, server_hostname=self.host)
|
|
|
|
|
|
class _SafeHTTPHandler(urllib.request.HTTPHandler):
|
|
def http_open(self, req):
|
|
return self.do_open(_SafeHTTPConnection, req)
|
|
|
|
|
|
class _SafeHTTPSHandler(urllib.request.HTTPSHandler):
|
|
def https_open(self, req):
|
|
kwargs = {}
|
|
if getattr(self, "_context", None) is not None:
|
|
kwargs["context"] = self._context
|
|
if getattr(self, "_check_hostname", None) is not None:
|
|
kwargs["check_hostname"] = self._check_hostname
|
|
return self.do_open(_SafeHTTPSConnection, req, **kwargs)
|
|
|
|
|
|
def urlopen(url, *args, **kwargs):
|
|
"""
|
|
Secure wrapper for urllib.request.urlopen with redirect validation.
|
|
Inherits NLTK proxy settings, but intentionally ignores other custom
|
|
global handlers to strictly enforce the security sandbox.
|
|
"""
|
|
url_str = url.full_url if hasattr(url, "full_url") else str(url)
|
|
validate_network_url(url_str, context="pathsec.urlopen")
|
|
|
|
# Start with our security-enforcing redirect handler
|
|
handlers = [_ValidatingRedirectHandler()]
|
|
|
|
# Safely inherit proxy settings without reusing handler instances
|
|
# (Reusing instances overwrites their .parent, breaking the global opener)
|
|
proxied = False
|
|
has_proxy_handler = False
|
|
if urllib.request._opener is not None:
|
|
for handler in urllib.request._opener.handlers:
|
|
if isinstance(handler, urllib.request.ProxyHandler):
|
|
has_proxy_handler = True
|
|
# Copy the dictionary to prevent shared mutable state
|
|
isolated_proxies = dict(handler.proxies) if handler.proxies else {}
|
|
if isolated_proxies:
|
|
proxied = True
|
|
handlers.append(urllib.request.ProxyHandler(isolated_proxies))
|
|
elif isinstance(handler, urllib.request.ProxyBasicAuthHandler):
|
|
handlers.append(urllib.request.ProxyBasicAuthHandler(handler.passwd))
|
|
elif isinstance(handler, urllib.request.ProxyDigestAuthHandler):
|
|
handlers.append(urllib.request.ProxyDigestAuthHandler(handler.passwd))
|
|
|
|
# If the caller configured no ProxyHandler at all, environment proxies still
|
|
# apply: build_opener() would install a default ProxyHandler from
|
|
# getproxies(). Treat that as proxied too, because the proxy -- not NLTK --
|
|
# is then the egress that resolves names and performs the CONNECT tunnel; the
|
|
# connect-time pinning handlers cannot tunnel and would break proxied HTTPS.
|
|
if not proxied and not has_proxy_handler and urllib.request.getproxies():
|
|
proxied = True
|
|
|
|
if not proxied:
|
|
# No proxy in effect: NLTK makes the connection itself, so pin the
|
|
# validated IP (a rebinding hostname cannot be re-resolved to an internal
|
|
# address at connect time). Add an explicit empty ProxyHandler so
|
|
# build_opener() does not silently re-enable environment proxies, which
|
|
# the pinning handlers cannot tunnel through.
|
|
if not has_proxy_handler:
|
|
handlers.append(urllib.request.ProxyHandler({}))
|
|
handlers.append(_SafeHTTPHandler())
|
|
handlers.append(_SafeHTTPSHandler())
|
|
|
|
opener = urllib.request.build_opener(*handlers)
|
|
return opener.open(url, *args, **kwargs)
|
|
|
|
|
|
def open(file, mode="r", *, context="pathsec.open", required_root=None, **kwargs):
|
|
"""Secure wrapper for builtins.open."""
|
|
# 1. Allow file descriptors (integers) to pass through, matching original logic
|
|
if isinstance(file, int):
|
|
validate_path(file, context=context, required_root=required_root)
|
|
return builtins.open(file, mode=mode, **kwargs)
|
|
|
|
# 2. Force extraction of the real path from PathLike objects
|
|
try:
|
|
raw_path = os.fspath(file)
|
|
except TypeError:
|
|
raise TypeError("Path must be a string, bytes, or os.PathLike") from None
|
|
|
|
# 3. Strict primitive enforcement against type manipulation
|
|
if type(raw_path) not in (str, bytes):
|
|
raise TypeError(
|
|
f"Strict security policy: Path must resolve to exact str or bytes, not '{type(raw_path).__name__}'"
|
|
)
|
|
|
|
if type(raw_path) is bytes:
|
|
raw_path = os.fsdecode(raw_path)
|
|
|
|
# 4. Execution Substitution: validate and open the pure primitive, discarding the original object
|
|
validate_path(raw_path, context=context, required_root=required_root)
|
|
return builtins.open(raw_path, mode=mode, **kwargs)
|
|
|
|
|
|
class ZipFile(zipfile.ZipFile):
|
|
"""Secure wrapper for zipfile.ZipFile."""
|
|
|
|
def __init__(self, file, *args, **kwargs):
|
|
# zipfile.ZipFile also accepts file-like objects (e.g., io.BytesIO).
|
|
# We only strictly normalize and validate path-like objects.
|
|
if isinstance(file, (str, bytes, os.PathLike)):
|
|
try:
|
|
raw_path = os.fspath(file)
|
|
except TypeError:
|
|
raise TypeError(
|
|
"Path must be a string, bytes, or os.PathLike"
|
|
) from None
|
|
|
|
if type(raw_path) not in (str, bytes):
|
|
raise TypeError(
|
|
f"Strict security policy: Path must resolve to exact str or bytes, not '{type(raw_path).__name__}'"
|
|
)
|
|
|
|
if type(raw_path) is bytes:
|
|
raw_path = os.fsdecode(raw_path)
|
|
|
|
validate_path(raw_path, context="pathsec.ZipFile")
|
|
file_to_open = raw_path
|
|
else:
|
|
file_to_open = file
|
|
|
|
super().__init__(file_to_open, *args, **kwargs)
|
|
|
|
def extract(self, member, path=None, pwd=None):
|
|
validate_zip_archive(self, path or os.getcwd(), specific_member=member)
|
|
return super().extract(member, path, pwd)
|
|
|
|
def extractall(self, path=None, members=None, pwd=None):
|
|
validate_zip_archive(self, path or os.getcwd())
|
|
super().extractall(path, members, pwd)
|
|
|
|
|
|
__all__ = [
|
|
"validate_path",
|
|
"validate_network_url",
|
|
"validate_zip_archive",
|
|
"open",
|
|
"urlopen",
|
|
"ZipFile",
|
|
"ENFORCE",
|
|
]
|