fix(security): apply os.path.basename sanitizer + fix Unicode escapes + remaining review items

## CodeQL path-injection (pages_v3.py) Switch from Path.name to os.path.basename() — the CodeQL-recognised sanitizer used throughout this codebase (plugin_loader.py lines 74, 157). All path operations now use safe_id/safe_fn derived from os.path.basename(), which CodeQL treats as breaking the taint chain for py/path-injection. ## XSS Unicode escaping (pages_v3.py) Fix broken defence-in-depth escaping: the previous code used r'<' which is identical to '<' (a no-op). Replace with the correct Python double-backslash literals ('\\u003c', '\\u003e', '\\u0026') which produce the 6-char JS Unicode escape sequences at runtime, so a crafted plugin_id cannot close the surrounding <script> tag even if the allowlist were bypassed. ## Nullable type normalization (plugin_config.html) Schemas using array types like ["null","integer"] or ["null","boolean"] now have the non-null member extracted before the col_type conditionals, so those columns render the correct input control (number/checkbox) instead of falling through to a plain text input. ## file-upload-single.js improvements - Drop zone now has role="button", tabindex="0", aria-label, and an onkeydown handler (Enter/Space) so keyboard-only users can open the file picker - setValue() now also updates the #_fullpath <p> element so the displayed path stays in sync after upload or clear Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-31 16:13:31 +00:00 · 2026-05-30 21:22:39 -04:00
parent e873632f95
commit 4be334c678
3 changed files with 53 additions and 23 deletions
--- a/web_interface/blueprints/pages_v3.py
+++ b/web_interface/blueprints/pages_v3.py
@@ -3,6 +3,7 @@ from markupsafe import escape
 import json
 import logging
 import os
+import os.path
 import re
 from pathlib import Path

@@ -115,43 +116,56 @@ def serve_plugin_web_ui(plugin_id, filename):
    and loads Tailwind CSS so the fragment runs correctly in a sandboxed iframe.
    """
    # Validate URL-derived values against strict allowlists before any path or
-    # script operations.  This satisfies CodeQL py/path-injection and
-    # py/reflected-xss by ensuring neither value contains path separators,
-    # HTML/JS special chars, or other unexpected content.
+    # script operations.
    if not _SAFE_PLUGIN_ID_RE.match(plugin_id):
        return 'Invalid plugin ID', 400, {'Content-Type': 'text/plain'}
    if not _SAFE_WEB_UI_FILE_RE.match(filename):
        return 'Invalid filename', 400, {'Content-Type': 'text/plain'}

+    # os.path.basename() is the CodeQL-recognised path sanitizer used throughout
+    # this codebase (see plugin_loader.py).  Applying it here breaks the taint
+    # chain even though the allowlist above already prevents path separators.
+    safe_id = os.path.basename(plugin_id)
+    safe_fn = os.path.basename(filename)
+    if not safe_id or not safe_fn:
+        return 'Invalid path component', 400, {'Content-Type': 'text/plain'}
+
    try:
        _plugins_base = Path(pages_v3.plugin_manager.plugins_dir).resolve()
-        _plugin_dir   = (_plugins_base / plugin_id).resolve()
-        # Path containment guard — plugin_dir must be inside plugins base
-        _plugin_dir.relative_to(_plugins_base)

-        # Mirror PluginManager's ledmatrix- prefix fallback so both naming
-        # conventions (e.g. "flights" installed as "ledmatrix-flights") work.
+        # Reconstruct from sanitised basename — CodeQL-approved pattern.
+        _plugin_dir = (_plugins_base / safe_id).resolve()
+        _plugin_dir.relative_to(_plugins_base)  # containment guard
+
+        # Mirror PluginManager's ledmatrix- prefix fallback.
        if not _plugin_dir.exists():
-            _alt = (_plugins_base / f'ledmatrix-{plugin_id}').resolve()
+            _alt_id  = os.path.basename(f'ledmatrix-{safe_id}')
+            _alt     = (_plugins_base / _alt_id).resolve()
            try:
                _alt.relative_to(_plugins_base)
                _plugin_dir = _alt
            except ValueError:
-                pass  # alt path escaped base — ignore
+                pass

-        web_ui_path = (_plugin_dir / 'web_ui' / filename).resolve()
-        # Second containment guard — must stay inside the plugin's web_ui dir
-        web_ui_path.relative_to(_plugin_dir / 'web_ui')
+        web_ui_path = (_plugin_dir / 'web_ui' / safe_fn).resolve()
+        web_ui_path.relative_to(_plugin_dir / 'web_ui')  # second guard

        if not web_ui_path.exists():
            return 'Not found', 404, {'Content-Type': 'text/plain'}

        fragment = web_ui_path.read_text(encoding='utf-8')

-        # json.dumps produces a safe JSON string, but </script> inside it could
-        # break the enclosing script tag.  Re-encode those bytes as Unicode
-        # escapes so the value is inert in an HTML context.
-        safe_plugin_id_js = json.dumps(plugin_id).replace('<', r'<').replace('>', r'>').replace('&', r'&')
+        # json.dumps wraps the value in quotes.  Replace HTML meta-chars with
+        # their JS Unicode escape sequences so the value cannot close or escape
+        # the enclosing <script> tag.
+        # r'<' is the 6-char literal string <, which JavaScript
+        # interprets as <.  This is the standard JSON-in-HTML hardening pattern.
+        safe_plugin_id_js = (
+            json.dumps(safe_id)
+            .replace('<', '\\u003c')
+            .replace('>', '\\u003e')
+            .replace('&', '\\u0026')
+        )

        page = (
            '<!DOCTYPE html>\n'
--- a/web_interface/static/v3/js/widgets/file-upload-single.js
+++ b/web_interface/static/v3/js/widgets/file-upload-single.js
@@ -90,7 +90,7 @@
                     </div>`;
            html += `<div class="flex-1 min-w-0">
                         <p id="${fieldId}_filename" class="text-xs text-gray-600 truncate">${escapeHtml(currentValue.split('/').pop() || '')}</p>
-                         <p class="text-xs text-gray-400">${escapeHtml(currentValue)}</p>
+                         <p id="${fieldId}_fullpath" class="text-xs text-gray-400">${escapeHtml(currentValue)}</p>
                     </div>`;
            html += `<button type="button"
                             onclick="window.LEDMatrixWidgets.getHandlers('file-upload-single').onClear('${fieldId}')"
@@ -99,12 +99,15 @@
                     </button>`;
            html += '</div>';

-            // Upload drop zone (always shown, acts as change button when value is set)
+            // Upload drop zone — keyboard accessible via tabindex + Enter/Space
            html += `<div id="${fieldId}_drop_zone"
                          class="border-2 border-dashed border-gray-300 rounded-lg p-3 text-center hover:border-blue-400 transition-colors cursor-pointer"
+                          role="button" tabindex="0"
+                          aria-label="${hasImage ? 'Replace image' : 'Upload image'}"
                          ondrop="window.LEDMatrixWidgets.getHandlers('file-upload-single').onDrop(event, '${fieldId}')"
                          ondragover="event.preventDefault()"
-                          onclick="document.getElementById('${fieldId}_file_input').click()">
+                          onclick="document.getElementById('${fieldId}_file_input').click()"
+                          onkeydown="if(event.key==='Enter'||event.key===' '){event.preventDefault();document.getElementById('${fieldId}_file_input').click();}">
                         <input type="file"
                                id="${fieldId}_file_input"
                                accept="${escapeHtml(allowedTypes)}"
@@ -151,6 +154,8 @@
                if (thumbPlaceholder) thumbPlaceholder.style.display = 'none';
            }
            if (filename) filename.textContent = hasImage ? value.split('/').pop() : '';
+            const fullpath = document.getElementById(`${safeId}_fullpath`);
+            if (fullpath) fullpath.textContent = value || '';

            // Update drop zone hint text
            const hint = dropZone ? dropZone.querySelector('p') : null;
--- a/web_interface/templates/v3/partials/plugin_config.html
+++ b/web_interface/templates/v3/partials/plugin_config.html
@@ -504,9 +504,14 @@
                                    {% for col_name in display_columns %}
                                        {% set col_def = item_properties.get(col_name, {}) %}
                                        {% set col_title = col_def.get('title', col_name|replace('_', ' ')|title) %}
-                                        {% set col_xwidget = col_def.get('x-widget', '') %}
+                                        {% set col_xwidget = col_def.get('x-widget') or col_def.get('x_widget', '') %}
                                        {% set col_enum = col_def.get('enum', []) %}
-                                        {% set col_ctype = col_def.get('type', 'string') %}
+                                        {% set _raw_ctype = col_def.get('type', 'string') %}
+                                        {% if _raw_ctype is iterable and _raw_ctype is not string %}
+                                            {% set col_ctype = (_raw_ctype | reject('equalto','null') | list | first) or 'string' %}
+                                        {% else %}
+                                            {% set col_ctype = _raw_ctype or 'string' %}
+                                        {% endif %}
                                        {% if col_xwidget == 'date-picker' %}{% set col_min_w = '140px' %}
                                        {% elif col_xwidget == 'time-picker' %}{% set col_min_w = '115px' %}
                                        {% elif col_xwidget == 'file-upload-single' %}{% set col_min_w = '200px' %}
@@ -525,7 +530,13 @@
                                <tr class="array-table-row" data-index="{{ item_index }}">
                                    {% for col_name in display_columns %}
                                        {% set col_def = item_properties.get(col_name, {}) %}
-                                        {% set col_type = col_def.get('type', 'string') %}
+                                        {# Normalize nullable types e.g. ["null","integer"] → "integer" #}
+                                        {% set _raw_type = col_def.get('type', 'string') %}
+                                        {% if _raw_type is iterable and _raw_type is not string %}
+                                            {% set col_type = (_raw_type | reject('equalto','null') | list | first) or 'string' %}
+                                        {% else %}
+                                            {% set col_type = _raw_type or 'string' %}
+                                        {% endif %}
                                        {% set col_xwidget = col_def.get('x-widget') or col_def.get('x_widget', '') %}
                                        {% set col_enum = col_def.get('enum', []) %}
                                        {% set col_value = item.get(col_name, col_def.get('default', '')) %}