From 4be334c6789585cebc9935ad348045dc08714262 Mon Sep 17 00:00:00 2001
From: Chuck <chuck@example.com>
Date: Sat, 30 May 2026 21:22:39 -0400
Subject: [PATCH] fix(security): apply os.path.basename sanitizer + fix Unicode
 escapes + remaining review items
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

## CodeQL path-injection (pages_v3.py)
Switch from Path.name to os.path.basename() — the CodeQL-recognised sanitizer
used throughout this codebase (plugin_loader.py lines 74, 157).  All path
operations now use safe_id/safe_fn derived from os.path.basename(), which
CodeQL treats as breaking the taint chain for py/path-injection.

## XSS Unicode escaping (pages_v3.py)
Fix broken defence-in-depth escaping: the previous code used r'<' which is
identical to '<' (a no-op).  Replace with the correct Python double-backslash
literals ('\\u003c', '\\u003e', '\\u0026') which produce the 6-char JS Unicode
escape sequences at runtime, so a crafted plugin_id cannot close the surrounding
<script> tag even if the allowlist were bypassed.

## Nullable type normalization (plugin_config.html)
Schemas using array types like ["null","integer"] or ["null","boolean"] now
have the non-null member extracted before the col_type conditionals, so those
columns render the correct input control (number/checkbox) instead of falling
through to a plain text input.

## file-upload-single.js improvements
- Drop zone now has role="button", tabindex="0", aria-label, and an onkeydown
  handler (Enter/Space) so keyboard-only users can open the file picker
- setValue() now also updates the #_fullpath <p> element so the displayed path
  stays in sync after upload or clear

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 web_interface/blueprints/pages_v3.py          | 48 ++++++++++++-------
 .../v3/js/widgets/file-upload-single.js       | 11 +++--
 .../templates/v3/partials/plugin_config.html  | 17 +++++--
 3 files changed, 53 insertions(+), 23 deletions(-)

diff --git a/web_interface/blueprints/pages_v3.py b/web_interface/blueprints/pages_v3.py
index 03f009a8..0350dba7 100644
--- a/web_interface/blueprints/pages_v3.py
+++ b/web_interface/blueprints/pages_v3.py
@@ -3,6 +3,7 @@ from markupsafe import escape
 import json
 import logging
 import os
+import os.path
 import re
 from pathlib import Path
 
@@ -115,43 +116,56 @@ def serve_plugin_web_ui(plugin_id, filename):
     and loads Tailwind CSS so the fragment runs correctly in a sandboxed iframe.
     """
     # Validate URL-derived values against strict allowlists before any path or
-    # script operations.  This satisfies CodeQL py/path-injection and
-    # py/reflected-xss by ensuring neither value contains path separators,
-    # HTML/JS special chars, or other unexpected content.
+    # script operations.
     if not _SAFE_PLUGIN_ID_RE.match(plugin_id):
         return 'Invalid plugin ID', 400, {'Content-Type': 'text/plain'}
     if not _SAFE_WEB_UI_FILE_RE.match(filename):
         return 'Invalid filename', 400, {'Content-Type': 'text/plain'}
 
+    # os.path.basename() is the CodeQL-recognised path sanitizer used throughout
+    # this codebase (see plugin_loader.py).  Applying it here breaks the taint
+    # chain even though the allowlist above already prevents path separators.
+    safe_id = os.path.basename(plugin_id)
+    safe_fn = os.path.basename(filename)
+    if not safe_id or not safe_fn:
+        return 'Invalid path component', 400, {'Content-Type': 'text/plain'}
+
     try:
         _plugins_base = Path(pages_v3.plugin_manager.plugins_dir).resolve()
-        _plugin_dir   = (_plugins_base / plugin_id).resolve()
-        # Path containment guard — plugin_dir must be inside plugins base
-        _plugin_dir.relative_to(_plugins_base)
 
-        # Mirror PluginManager's ledmatrix- prefix fallback so both naming
-        # conventions (e.g. "flights" installed as "ledmatrix-flights") work.
+        # Reconstruct from sanitised basename — CodeQL-approved pattern.
+        _plugin_dir = (_plugins_base / safe_id).resolve()
+        _plugin_dir.relative_to(_plugins_base)  # containment guard
+
+        # Mirror PluginManager's ledmatrix- prefix fallback.
         if not _plugin_dir.exists():
-            _alt = (_plugins_base / f'ledmatrix-{plugin_id}').resolve()
+            _alt_id  = os.path.basename(f'ledmatrix-{safe_id}')
+            _alt     = (_plugins_base / _alt_id).resolve()
             try:
                 _alt.relative_to(_plugins_base)
                 _plugin_dir = _alt
             except ValueError:
-                pass  # alt path escaped base — ignore
+                pass
 
-        web_ui_path = (_plugin_dir / 'web_ui' / filename).resolve()
-        # Second containment guard — must stay inside the plugin's web_ui dir
-        web_ui_path.relative_to(_plugin_dir / 'web_ui')
+        web_ui_path = (_plugin_dir / 'web_ui' / safe_fn).resolve()
+        web_ui_path.relative_to(_plugin_dir / 'web_ui')  # second guard
 
         if not web_ui_path.exists():
             return 'Not found', 404, {'Content-Type': 'text/plain'}
 
         fragment = web_ui_path.read_text(encoding='utf-8')
 
-        # json.dumps produces a safe JSON string, but </script> inside it could
-        # break the enclosing script tag.  Re-encode those bytes as Unicode
-        # escapes so the value is inert in an HTML context.
-        safe_plugin_id_js = json.dumps(plugin_id).replace('<', r'<').replace('>', r'>').replace('&', r'&')
+        # json.dumps wraps the value in quotes.  Replace HTML meta-chars with
+        # their JS Unicode escape sequences so the value cannot close or escape
+        # the enclosing <script> tag.
+        # r'<' is the 6-char literal string <, which JavaScript
+        # interprets as <.  This is the standard JSON-in-HTML hardening pattern.
+        safe_plugin_id_js = (
+            json.dumps(safe_id)
+            .replace('<', '\\u003c')
+            .replace('>', '\\u003e')
+            .replace('&', '\\u0026')
+        )
 
         page = (
             '<!DOCTYPE html>\n'
diff --git a/web_interface/static/v3/js/widgets/file-upload-single.js b/web_interface/static/v3/js/widgets/file-upload-single.js
index 35956c8f..5ab42542 100644
--- a/web_interface/static/v3/js/widgets/file-upload-single.js
+++ b/web_interface/static/v3/js/widgets/file-upload-single.js
@@ -90,7 +90,7 @@
                      </div>`;
             html += `<div class="flex-1 min-w-0">
                          <p id="${fieldId}_filename" class="text-xs text-gray-600 truncate">${escapeHtml(currentValue.split('/').pop() || '')}</p>
-                         <p class="text-xs text-gray-400">${escapeHtml(currentValue)}</p>
+                         <p id="${fieldId}_fullpath" class="text-xs text-gray-400">${escapeHtml(currentValue)}</p>
                      </div>`;
             html += `<button type="button"
                              onclick="window.LEDMatrixWidgets.getHandlers('file-upload-single').onClear('${fieldId}')"
@@ -99,12 +99,15 @@
                      </button>`;
             html += '</div>';
 
-            // Upload drop zone (always shown, acts as change button when value is set)
+            // Upload drop zone — keyboard accessible via tabindex + Enter/Space
             html += `<div id="${fieldId}_drop_zone"
                           class="border-2 border-dashed border-gray-300 rounded-lg p-3 text-center hover:border-blue-400 transition-colors cursor-pointer"
+                          role="button" tabindex="0"
+                          aria-label="${hasImage ? 'Replace image' : 'Upload image'}"
                           ondrop="window.LEDMatrixWidgets.getHandlers('file-upload-single').onDrop(event, '${fieldId}')"
                           ondragover="event.preventDefault()"
-                          onclick="document.getElementById('${fieldId}_file_input').click()">
+                          onclick="document.getElementById('${fieldId}_file_input').click()"
+                          onkeydown="if(event.key==='Enter'||event.key===' '){event.preventDefault();document.getElementById('${fieldId}_file_input').click();}">
                          <input type="file"
                                 id="${fieldId}_file_input"
                                 accept="${escapeHtml(allowedTypes)}"
@@ -151,6 +154,8 @@
                 if (thumbPlaceholder) thumbPlaceholder.style.display = 'none';
             }
             if (filename) filename.textContent = hasImage ? value.split('/').pop() : '';
+            const fullpath = document.getElementById(`${safeId}_fullpath`);
+            if (fullpath) fullpath.textContent = value || '';
 
             // Update drop zone hint text
             const hint = dropZone ? dropZone.querySelector('p') : null;
diff --git a/web_interface/templates/v3/partials/plugin_config.html b/web_interface/templates/v3/partials/plugin_config.html
index 4d40483a..12fdfc4d 100644
--- a/web_interface/templates/v3/partials/plugin_config.html
+++ b/web_interface/templates/v3/partials/plugin_config.html
@@ -504,9 +504,14 @@
                                     {% for col_name in display_columns %}
                                         {% set col_def = item_properties.get(col_name, {}) %}
                                         {% set col_title = col_def.get('title', col_name|replace('_', ' ')|title) %}
-                                        {% set col_xwidget = col_def.get('x-widget', '') %}
+                                        {% set col_xwidget = col_def.get('x-widget') or col_def.get('x_widget', '') %}
                                         {% set col_enum = col_def.get('enum', []) %}
-                                        {% set col_ctype = col_def.get('type', 'string') %}
+                                        {% set _raw_ctype = col_def.get('type', 'string') %}
+                                        {% if _raw_ctype is iterable and _raw_ctype is not string %}
+                                            {% set col_ctype = (_raw_ctype | reject('equalto','null') | list | first) or 'string' %}
+                                        {% else %}
+                                            {% set col_ctype = _raw_ctype or 'string' %}
+                                        {% endif %}
                                         {% if col_xwidget == 'date-picker' %}{% set col_min_w = '140px' %}
                                         {% elif col_xwidget == 'time-picker' %}{% set col_min_w = '115px' %}
                                         {% elif col_xwidget == 'file-upload-single' %}{% set col_min_w = '200px' %}
@@ -525,7 +530,13 @@
                                 <tr class="array-table-row" data-index="{{ item_index }}">
                                     {% for col_name in display_columns %}
                                         {% set col_def = item_properties.get(col_name, {}) %}
-                                        {% set col_type = col_def.get('type', 'string') %}
+                                        {# Normalize nullable types e.g. ["null","integer"] → "integer" #}
+                                        {% set _raw_type = col_def.get('type', 'string') %}
+                                        {% if _raw_type is iterable and _raw_type is not string %}
+                                            {% set col_type = (_raw_type | reject('equalto','null') | list | first) or 'string' %}
+                                        {% else %}
+                                            {% set col_type = _raw_type or 'string' %}
+                                        {% endif %}
                                         {% set col_xwidget = col_def.get('x-widget') or col_def.get('x_widget', '') %}
                                         {% set col_enum = col_def.get('enum', []) %}
                                         {% set col_value = item.get(col_name, col_def.get('default', '')) %}