mirror of
https://github.com/ChuckBuilds/LEDMatrix.git
synced 2026-05-15 18:03:32 +00:00
3bdd694b2e
Flask debug=True (real fix):
- web_interface/app.py: debug=True in __main__ block exposes the Werkzeug
interactive debugger (arbitrary code execution). Changed to
os.environ.get('FLASK_DEBUG', '0') == '1' — off by default, opt-in
via environment variable for local development.
nosec annotations (accepted risk with documented rationale):
- disk_cache.py: os.chmod(0o660) is intentional — web UI and LED matrix
service share a group, 660 gives group write while denying world access
(B103 + Semgrep insecure-file-permissions suppressed in Codacy)
- wifi_manager.py: urlopen to hardcoded connectivity-check.ubuntu.com URL
(B310 — no user input involved)
- font_manager.py: urlretrieve URL comes from user's own config file on
their local device (B310)
- start_web_conditionally.py: os.execvp with both sys.executable and a
fixed PROJECT_DIR-relative constant (B606)
Confirmed false positives suppressed via Codacy API (15 issues):
- SSRF (3x): client-side JS fetch — SSRF is server-side; browser fetch
is CORS-restricted to same origin
- B105 (3x): test fixtures use dummy secrets by design; store_manager
checks for the placeholder string, it is not itself a secret
- PMD numeric literal (2x): 10000000 is within Number.MAX_SAFE_INTEGER
- Prototype pollution (1x): read-only schema traversal, no writes
- no-unsanitized_method (1x): dynamic import() is CORS-restricted
- detect-unsafe-regex (1x): operates on server-controlled config values
- plugin-repos B103 (1x): vendor code chmod on executable
- Semgrep insecure-file-permissions (3x): same disk_cache 0o660 as above
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
6.2 KiB
6.2 KiB