fix(wifi): strict bool parsing for force; nosec annotation parity

- api_v3.py: replace bool(...) coercion for force with strict check — only actual boolean True or strings "true"/"1" (case-insensitive) pass; "false", integers, and other strings are treated as False so the Ethernet/WiFi guards and _FORCE_AP_FLAG_PATH cannot be bypassed by accident - wifi_manager.py: add nosec B108 annotation to _IP_FORWARD_SAVE_PATH to match the identical annotation already on _FORCE_AP_FLAG_PATH Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-25 21:43:32 +00:00 · 2026-05-24 14:31:00 -04:00
parent d81156d53e
commit 6313b9c25f
2 changed files with 3 additions and 2 deletions
--- a/src/wifi_manager.py
+++ b/src/wifi_manager.py
@@ -694,7 +694,7 @@ class WiFiManager:
    # Helpers
    # ---------------------------------------------------------------------------

-    _IP_FORWARD_SAVE_PATH = Path("/tmp/ledmatrix_ip_forward_saved")
+    _IP_FORWARD_SAVE_PATH = Path("/tmp/ledmatrix_ip_forward_saved")  # nosec B108 - process-specific named file; device is single-user RPi
    # Written when AP mode is manually force-enabled; prevents daemon auto-disable
    _FORCE_AP_FLAG_PATH = Path("/tmp/ledmatrix_force_ap_active")  # nosec B108 - process-specific named file; device is single-user RPi

--- a/web_interface/blueprints/api_v3.py
+++ b/web_interface/blueprints/api_v3.py
@@ -6680,7 +6680,8 @@ def enable_ap_mode():
        from src.wifi_manager import WiFiManager

        wifi_manager = WiFiManager()
-        force = bool((request.get_json(silent=True) or {}).get('force', False))
+        _force_raw = (request.get_json(silent=True) or {}).get('force', False)
+        force = _force_raw is True or (isinstance(_force_raw, str) and _force_raw.lower() in ('true', '1'))
        success, message = wifi_manager.enable_ap_mode(force=force)

        if success: