fix(starlark): security and race condition improvements

Security fixes: - Add path traversal validation for output_path in download_star_file - Remove XSS-vulnerable inline onclick handlers, use delegated events - Add type hints to helper functions for better type safety Race condition fixes: - Lock manifest file BEFORE creating temp file in _save_manifest - Hold exclusive lock for entire read-modify-write cycle in _update_manifest_safe - Prevent concurrent writers from racing on manifest updates Other improvements: - Fix pages_v3.py standalone mode to load config.json from disk - Improve error handling with proper logging in cleanup blocks - Add explicit type annotations to Starlark helper functions Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-04-29 12:03:00 +00:00 · 2026-02-19 19:37:09 -05:00
parent aafb238ac9
commit 6a60a57421
5 changed files with 147 additions and 39 deletions
--- a/plugin-repos/starlark-apps/tronbyte_repository.py
+++ b/plugin-repos/starlark-apps/tronbyte_repository.py
@@ -362,6 +362,27 @@ class TronbyteRepository:
        if '..' in star_filename or '/' in star_filename or '\\' in star_filename:
            return False, f"Invalid filename: contains path traversal characters"

+        # Validate output_path to prevent path traversal
+        import tempfile
+        try:
+            resolved_output = output_path.resolve()
+            temp_dir = Path(tempfile.gettempdir()).resolve()
+
+            # Check if output_path is within the system temp directory
+            # Use try/except for compatibility with Python < 3.9 (is_relative_to)
+            try:
+                is_safe = resolved_output.is_relative_to(temp_dir)
+            except AttributeError:
+                # Fallback for Python < 3.9: compare string paths
+                is_safe = str(resolved_output).startswith(str(temp_dir) + '/')
+
+            if not is_safe:
+                logger.warning(f"Path traversal attempt in download_star_file: app_id={app_id}, output_path={output_path}")
+                return False, f"Invalid output_path for {app_id}: must be within temp directory"
+        except Exception as e:
+            logger.error(f"Error validating output_path for {app_id}: {e}")
+            return False, f"Invalid output_path for {app_id}"
+
        # Use provided filename or fall back to app_id.star
        star_path = f"{self.APPS_PATH}/{app_id}/{star_filename}"