Resolve 29 open CodeQL security alerts across 5 files

py/flask-debug (#214): - debug_web_manual.py: read debug mode from LEDMATRIX_FLASK_DEBUG env var instead of hardcoded True py/stack-trace-exposure (#216, #218): - api_v3.py execute_system_action: remove subprocess stdout/stderr from HTTP responses; log via logger instead - api_v3.py get_git_version: validate output matches safe ref format (^[a-zA-Z0-9._-]+$) before including in response - api_v3.py: remove all remaining traceback.format_exc() dead variables and print() debug calls (replaced with logger.debug/warning) py/reflective-xss (#207, #208, #209, #210, #211, #212): - api_v3.py: remove plugin_id from all error/success response messages (uninstall, install, update, health, not-found responses) - pages_v3.py load_partial: return static "Partial not found" message instead of echoing partial_name - pages_v3.py _load_starlark_config_partial: add app_id regex validation, use static error messages instead of f-strings with app_id py/path-injection (#187–#206): - pages_v3.py _load_plugin_config_partial: resolve plugins_base and validate _plugin_dir with relative_to() before all file operations; same for assets metadata directory - pages_v3.py _load_starlark_config_partial: resolve starlark_base and validate schema_file/config_file paths with relative_to() - plugin_loader.py _find_plugin_directory: resolve plugins_dir and validate strategy-2 candidates with relative_to() - plugin_loader.py install_dependencies: resolve plugin_dir first, then construct requirements_file and marker_path from resolved base - plugin_loader.py load_module: resolve plugin_dir with strict=True and validate entry_file with relative_to() before exec_module Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-26 22:13:32 +00:00 · 2026-05-24 08:19:50 -04:00
parent 909db0993f
commit d96db23992
4 changed files with 152 additions and 237 deletions
--- a/src/plugin_system/plugin_loader.py
+++ b/src/plugin_system/plugin_loader.py
@@ -75,14 +75,16 @@ class PluginLoader:
                self.logger.debug("Using plugin directory from discovery mapping: %s", plugin_dir)
                return plugin_dir
        
-        # Strategy 2: Direct paths
-        plugin_dir = plugins_dir / plugin_id
-        if plugin_dir.exists():
-            return plugin_dir
-        
-        plugin_dir = plugins_dir / f"ledmatrix-{plugin_id}"
-        if plugin_dir.exists():
-            return plugin_dir
+        # Strategy 2: Direct paths — resolve and validate they stay within plugins_dir
+        plugins_dir_resolved = plugins_dir.resolve()
+        for _candidate_name in (plugin_id, f"ledmatrix-{plugin_id}"):
+            _candidate = (plugins_dir_resolved / _candidate_name).resolve()
+            try:
+                _candidate.relative_to(plugins_dir_resolved)
+            except ValueError:
+                continue
+            if _candidate.exists():
+                return _candidate
        
        # Strategy 3: Case-insensitive search
        normalized_id = plugin_id.lower()
@@ -143,21 +145,16 @@ class PluginLoader:
        Returns:
            True if dependencies installed or not needed, False on error
        """
-        requirements_file = plugin_dir / "requirements.txt"
-        if not requirements_file.exists():
-            return True  # No dependencies needed
-
-        # Resolve and validate plugin_dir before constructing derived paths from it
+        # Resolve and validate plugin_dir before constructing any derived paths
        try:
            plugin_dir_resolved = plugin_dir.resolve(strict=True)
        except OSError:
            self.logger.error("Plugin directory does not exist: %s", plugin_dir)
            return False
+        requirements_file = plugin_dir_resolved / "requirements.txt"
+        if not requirements_file.exists():
+            return True  # No dependencies needed
        marker_path = plugin_dir_resolved / ".dependencies_installed"
-        try:
-            marker_path.relative_to(plugin_dir_resolved)
-        except ValueError:
-            return False

        # Check if already installed
        if marker_path.exists():
@@ -374,9 +371,17 @@ class PluginLoader:
        Returns:
            Loaded module or None on error
        """
-        entry_file = plugin_dir / entry_point
+        try:
+            plugin_dir_resolved = plugin_dir.resolve(strict=True)
+        except OSError:
+            raise PluginError("Plugin directory not found", plugin_id=plugin_id)
+        entry_file = (plugin_dir_resolved / entry_point).resolve()
+        try:
+            entry_file.relative_to(plugin_dir_resolved)
+        except ValueError:
+            raise PluginError("Invalid entry point path", plugin_id=plugin_id)
        if not entry_file.exists():
-            error_msg = f"Entry point file not found: {entry_file} for plugin {plugin_id}"
+            error_msg = f"Entry point file not found for plugin {plugin_id}"
            self.logger.error(error_msg)
            raise PluginError(error_msg, plugin_id=plugin_id, context={'entry_file': str(entry_file)})