mirror of https://github.com/ChuckBuilds/LEDMatrix.git
synced 2026-05-15 18:03:32 +00:00
Flask debug=True (real fix):
- web_interface/app.py: debug=True in __main__ block exposes the Werkzeug
interactive debugger (arbitrary code execution). Changed to
os.environ.get('FLASK_DEBUG', '0') == '1' — off by default, opt-in
via environment variable for local development.
nosec annotations (accepted risk with documented rationale):
- disk_cache.py: os.chmod(0o660) is intentional — web UI and LED matrix
service share a group, 660 gives group write while denying world access
(B103 + Semgrep insecure-file-permissions suppressed in Codacy)
- wifi_manager.py: urlopen to hardcoded connectivity-check.ubuntu.com URL
(B310 — no user input involved)
- font_manager.py: urlretrieve URL comes from user's own config file on
their local device (B310)
- start_web_conditionally.py: os.execvp with both sys.executable and a
fixed PROJECT_DIR-relative constant (B606)
Confirmed false positives suppressed via Codacy API (15 issues):
- SSRF (3x): client-side JS fetch — SSRF is server-side; browser fetch
is CORS-restricted to same origin
- B105 (3x): test fixtures use dummy secrets by design; store_manager
checks for the placeholder string, it is not itself a secret
- PMD numeric literal (2x): 10000000 is within Number.MAX_SAFE_INTEGER
- Prototype pollution (1x): read-only schema traversal, no writes
- no-unsanitized_method (1x): dynamic import() is CORS-restricted
- detect-unsafe-regex (1x): operates on server-controlled config values
- plugin-repos B103 (1x): vendor code chmod on executable
- Semgrep insecure-file-permissions (3x): same disk_cache 0o660 as above
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
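A review-time check for the suppression policy the commit message describes, where each nosec is tied to a Bandit test ID and a written rationale. This is an added example, not code from the LEDMatrix repository; the policy rules, the `audit_nosec` name and the sample source are assumptions constructed here.

```python
import io
import re
import tokenize

# "# nosec", optional Bandit test IDs (B103, B310, ...), then free-text rationale.
NOSEC = re.compile(r"#\s*nosec\b:?\s*(?P<ids>B\d{3}(?:\s*,\s*B\d{3})*)?(?P<rest>.*)$")

def audit_nosec(source, min_rationale=10):
    """Return (line, problem) pairs for blanket or undocumented nosec comments."""
    # tokenize yields real comments only, so "# nosec" inside a string is ignored.
    comments = {}
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type == tokenize.COMMENT:
            standalone = tok.line.lstrip().startswith("#")
            comments[tok.start[0]] = (tok.string, standalone)

    findings = []
    for lineno, (text, _) in sorted(comments.items()):
        match = NOSEC.search(text)
        if not match:
            continue
        rationale = match.group("rest").strip(" -:\t")
        # Accept a rationale written as a comment-only line directly above.
        above, standalone = comments.get(lineno - 1, ("", False))
        if len(rationale) < min_rationale and standalone and not NOSEC.search(above):
            rationale = above.lstrip("# ").strip()
        if not match.group("ids"):
            findings.append((lineno, "blanket"))
        if len(rationale) < min_rationale:
            findings.append((lineno, "no-rationale"))
    return findings

# Constructed sample, not code from the repository.
SAMPLE = '''\
import os, urllib.request
# Web UI and matrix service share a group; world access stays denied.
os.chmod(cache_path, 0o660)  # nosec B103
urllib.request.urlopen(CHECK_URL)  # nosec B310 - hardcoded URL, no user input
os.execvp(sys.executable, argv)  # nosec
note = "a '# nosec' inside a string is not a suppression"
'''

if __name__ == "__main__":
    for lineno, problem in audit_nosec(SAMPLE):
        print(f"line {lineno}: {problem}")
```

Only the bare `# nosec` on line 5 of the sample is reported, because it silences every Bandit test on that line and records no reason.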
Utility Scripts
This directory contains utility scripts for maintenance and system operations.
Scripts
- clear_cache.py - Clears LEDMatrix cache data (specific keys or all cache)
- start_web_conditionally.py - Conditionally starts the web interface based on config settings
- wifi_monitor_daemon.py - Background daemon that monitors WiFi/Ethernet connection and manages access point mode
- cleanup_venv.sh - Cleans up Python virtual environment files
- clear_python_cache.sh - Clears Python cache files (__pycache__, *.pyc, etc.)
Usage
Clear Cache
python3 scripts/utils/clear_cache.py --list # List cache keys
python3 scripts/utils/clear_cache.py --clear-all # Clear all cache
python3 scripts/utils/clear_cache.py --clear <key> # Clear specific key
Start Web Interface Conditionally
This script is typically called by the systemd service (ledmatrix-web.service) and checks the web_display_autostart setting in config/config.json before starting the web interface.
WiFi Monitor Daemon
This daemon is typically run as a systemd service (ledmatrix-wifi-monitor.service) and automatically manages WiFi access point mode based on network connectivity.