security: implement critical Week 1 security fixes and CI/CD pipeline #6
Open
Z0shua wants to merge 2 commits into
Addresses 5 critical security issues:

1. SQL Injection (query_tools.py): Removed unsafe 'where' parameter, now only supports safe parameterized 'filters' with equality checks
2. Race Condition (sandbox_manager.py): Fixed sandbox max check race condition by moving limit check inside lock (double-check pattern)
3. Code Validator (code_validator.py): Enhanced dynamic execution protection with comprehensive AST checks for __builtins__, __globals__, getattr/setattr/delattr, and attribute access bypass attempts
4. Credentials Exposure (core/db.py): Removed credentials from logs with safe URL masking, disabled SQL echo by default, fixed deprecated datetime.utcnow(), added connection pooling (pool_size=10, pre_ping=True), and added context manager for automatic session cleanup
5. Docker Timeout (sandbox_manager.py): Added 10-second timeout to Docker client to prevent API call hangs

Added comprehensive GitHub Actions CI/CD pipeline (.github/workflows/test.yml):
- Runs tests on Python 3.9, 3.10, 3.11, 3.12 with PostgreSQL 15
- Security scanning: bandit, pip-audit, detect-secrets
- Coverage tracking and Codecov integration
- Docker image build validation

Co-authored-by: Copilot <[email protected]>
Week 2 High Priority Improvements:

1. Added comprehensive unit tests (70+ test cases)
   - tests/test_code_validator.py with complete coverage
   - Tests for blocked imports, built-ins, attributes, subscripts
   - Tests for sandbox escape prevention patterns
   - Real-world code examples and edge cases
   - All tests verified to pass
2. Fixed bare except Exception blocks
   - Replaced bare exceptions in query_tools.py with specific types
   - Now catches (duckdb.Error, OSError, RuntimeError, ValueError)
   - Better error handling and debugging
3. Added version pinning to all dependencies
   - All dependencies now have upper and lower bounds
   - Added pytest-cov>=5.0.0 for coverage reporting
   - Added mypy, bandit, pip-audit to dev dependencies
4. Added comprehensive pytest configuration
   - testpaths, markers, strict mode
   - Coverage reporting configuration
   - Warning filters and test discovery rules
5. Added mypy configuration for type checking
   - Enabled check_untyped_defs and strict_equality
   - Configure Python 3.10 target

Impact:
- Code validator now fully tested and verified
- Dependencies locked to prevent supply chain issues
- CI/CD can now track and report test coverage
- Type hints can be validated with mypy

Co-authored-by: Copilot <[email protected]>
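Both commit messages describe the AST-based code validator (blocked imports, dynamic-execution built-ins, dunder attribute access and subscript lookups) without showing how such checks are structured. The block below is an added example written for this page, not the project's src/omcp_py/security/code_validator.py; the block lists (BLOCKED_MODULES, BLOCKED_BUILTINS, BLOCKED_ATTRS) and the function names validate/is_safe are assumptions chosen for illustration. It walks the AST once and flags every node that matches a category, so the caller gets a full list of violations rather than only the first.

```python
import ast

# Assumed block lists for this example; a real validator would tune them per sandbox policy.
BLOCKED_MODULES = {"os", "sys", "subprocess", "ctypes", "importlib", "builtins",
                   "socket", "shutil", "pickle"}
# A bare reference to these names is blocked, not just a call, so aliasing
# (f = getattr; f(obj, "__class__")) cannot slip past a call-only check.
BLOCKED_BUILTINS = {"eval", "exec", "compile", "__import__", "getattr", "setattr",
                    "delattr", "globals", "locals", "vars", "open", "breakpoint",
                    "__builtins__", "__globals__"}
# Dunders used in the classic ().__class__.__bases__[0].__subclasses__() escape chain.
BLOCKED_ATTRS = {"__builtins__", "__globals__", "__class__", "__bases__", "__mro__",
                 "__subclasses__", "__dict__", "__code__", "__closure__", "__func__",
                 "__self__", "__reduce__", "__reduce_ex__", "__getattribute__"}


def validate(source: str) -> list[str]:
    """Return every violation found in `source`; an empty list means the code passed."""
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:
        # Unparseable code is rejected rather than passed through to the sandbox.
        return [f"line {exc.lineno}: syntax error: {exc.msg}"]

    violations: list[str] = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in BLOCKED_MODULES:
                    violations.append(f"line {node.lineno}: import of blocked module {alias.name!r}")
        elif isinstance(node, ast.ImportFrom):
            if (node.module or "").split(".")[0] in BLOCKED_MODULES:
                violations.append(f"line {node.lineno}: import from blocked module {node.module!r}")
        elif isinstance(node, ast.Name) and node.id in BLOCKED_BUILTINS:
            violations.append(f"line {node.lineno}: reference to blocked name {node.id!r}")
        elif isinstance(node, ast.Attribute) and node.attr in BLOCKED_ATTRS:
            violations.append(f"line {node.lineno}: access to blocked attribute {node.attr!r}")
        elif isinstance(node, ast.Subscript):
            # Catches d["__globals__"]-style lookups that use a string key instead of
            # attribute syntax. On Python 3.9+ node.slice is the key expression itself.
            key = node.slice
            if isinstance(key, ast.Constant) and isinstance(key.value, str) \
                    and key.value in BLOCKED_ATTRS:
                violations.append(f"line {node.lineno}: subscript with blocked key {key.value!r}")
    return violations


def is_safe(source: str) -> bool:
    """Convenience wrapper: True only when validate() finds nothing."""
    return not validate(source)


if __name__ == "__main__":
    for snippet in ("total = sum(i * i for i in range(10))",
                    "().__class__.__bases__[0].__subclasses__()",
                    "f = getattr\nf(object, '__subclasses__')"):
        print(repr(snippet), "->", validate(snippet) or "OK")
```

An AST allow/deny list is defense in depth, not a sandbox: string-built names fed to blocked helpers are caught only because the helpers themselves are blocked, and anything the list does not anticipate still runs. Pair it with the container isolation and timeouts the rest of this PR adds, and keep the unit tests for each escape pattern so a list change cannot silently reopen one.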
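The first commit message says credentials were removed from logs with "safe URL masking". As an added example, not the project's core/db.py, the block below masks the password in a database URL (*** in place of the password, matching the PR) and also redacts query-string parameters whose names look credential-bearing, which SQLAlchemy-style URLs can carry. The function name mask_db_url and the SENSITIVE_QUERY_KEYS list are assumptions for this example; the sample URLs are constructed.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed substrings that mark a query parameter as a secret (e.g. password=, sslkey=).
SENSITIVE_QUERY_KEYS = ("pass", "secret", "token", "key")


def _mask_query(query: str) -> str:
    """Replace the value of any credential-looking query parameter with ***."""
    pairs = parse_qsl(query, keep_blank_values=True)
    masked = [(k, "***" if any(s in k.lower() for s in SENSITIVE_QUERY_KEYS) else v)
              for k, v in pairs]
    return urlencode(masked, safe="*")   # keep the literal *** unencoded


def mask_db_url(url: str) -> str:
    """Return `url` with the password (and secret query values) replaced by ***."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return "<unparseable url>"        # never echo an unparseable value into logs
    query = _mask_query(parts.query)
    if parts.password is None and query == parts.query:
        # Nothing to hide: return the original string untouched, because
        # urlunsplit() can reshape scheme:/// forms such as sqlite:///path.
        return url
    # Work on the raw netloc so host case, IPv6 brackets and port survive verbatim.
    userinfo, _, hostport = parts.netloc.rpartition("@")
    if parts.password is not None:
        userinfo = userinfo.partition(":")[0] + ":***"
    netloc = f"{userinfo}@{hostport}" if userinfo else hostport
    return urlunsplit((parts.scheme, netloc, parts.path, query, parts.fragment))


if __name__ == "__main__":
    # Constructed sample URLs, not real connection strings.
    for sample in ("postgresql://app:s3cret@db.internal:5432/omcp",
                   "mysql://root:pw@127.0.0.1/db?password=x&ssl=true",
                   "sqlite:///tmp/omcp.db"):
        print(mask_db_url(sample))
```

Call this at every log site that mentions the URL, including exception messages from the driver, and keep SQL echo off by default as the PR does; an echoed statement can leak the same secret the URL masking just hid.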
Week 1 & 2 Security Fixes and Code Quality Improvements

This PR addresses critical security issues and implements comprehensive code quality improvements identified in the codebase review.

🔒 Week 1: Critical Security Fixes

1. SQL Injection Prevention
   File: src/omcp_py/tools/query_tools.py
   - Removed the unsafe where parameter entirely
   - Only the parameterized filters parameter is supported

2. Race Condition - Sandbox Max Check
   File: src/omcp_py/sandbox_manager.py

3. Enhanced Code Validator
   File: src/omcp_py/security/code_validator.py

4. Credentials & Logging Security
   File: src/omcp_py/core/db.py
   - Credentials masked in logs (*** instead of passwords)
   - datetime.utcnow() → datetime.now(timezone.utc)
   File: src/omcp_py/sandbox_manager.py - Added 10-second Docker timeout

5. CI/CD Pipeline
   File: .github/workflows/test.yml

🧪 Week 2: Code Quality & Testing

1. Comprehensive Unit Tests (70+ test cases)
   File: tests/test_code_validator.py
   Test Results: All 70+ tests verified to pass ✅

2. Fixed Bare Exception Blocks
   File: src/omcp_py/tools/query_tools.py
   - Replaced except Exception with specific exception types: (duckdb.Error, OSError, RuntimeError, ValueError)

3. Version Pinning - All Dependencies
   File: pyproject.toml
   - mcp[cli]>=1.6.0,<2.0.0
   - docker>=7.0.0,<8.0.0
   - SQLAlchemy>=2.0,<3.0
   - pandas>=1.5.0,<3.0.0
   - duckdb>=0.8.0,<2.0.0
   - pytest-cov>=5.0.0 - coverage reporting
   - mypy>=1.10.0 - type checking
   - bandit>=1.7.0 - security scanning
   - pip-audit>=2.6.0 - dependency vulnerability scanning

4. Comprehensive Pytest Configuration
   File: pyproject.toml

5. Type Checking Configuration
   File: pyproject.toml
   - check_untyped_defs and strict_equality

📊 Combined Impact

📦 Changes Summary

Files Modified:
- .github/workflows/test.yml (114 lines) - CI/CD pipeline
- src/omcp_py/tools/query_tools.py - SQL injection + bare exceptions
- src/omcp_py/sandbox_manager.py - Race condition + Docker timeout
- src/omcp_py/security/code_validator.py - Enhanced validation
- src/omcp_py/core/db.py - Credentials + pooling + datetime
- pyproject.toml - Dependencies, pytest, mypy config

Files Added:
- tests/test_code_validator.py (514 lines) - 70+ test cases

✅ Testing

All changes verified:

🔄 Next Steps (Week 3-4)

Performance & Scalability (Week 3):
- run_in_executor()

DevOps & Documentation (Week 4):
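The SQL injection fix in Week 1 item 1 replaces a caller-supplied where clause with an equality-only filters parameter. The block below is an added example, not the project's query_tools.py: it shows the removed design next to the parameterized one, using the standard-library sqlite3 module as a stand-in for the project's DuckDB so it runs offline. The table, rows, and function names (make_demo_db, query_with_where, query_with_filters) are constructed for this example. The filtered version does two things the page's summary implies but does not spell out: it checks each filter column against the table's real schema, because identifiers cannot be bound as parameters, and it binds every value with a placeholder.

```python
import re
import sqlite3

# Table names must be plain identifiers; columns are further checked against the schema.
_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory sample data (sqlite3 stands in for DuckDB here)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")])
    return con


def query_with_where(con: sqlite3.Connection, table: str, where: str) -> list:
    """BEFORE (the removed design): a caller-supplied WHERE clause pasted into the SQL."""
    return con.execute(f"SELECT id, name, role FROM {table} WHERE {where}").fetchall()


def query_with_filters(con: sqlite3.Connection, table: str, filters: dict) -> list:
    """AFTER: equality filters only, with validated identifiers and bound parameters."""
    if not _IDENT.match(table):
        raise ValueError(f"invalid table name {table!r}")
    # Schema lookup is safe because `table` already passed the identifier check.
    columns = {row[1] for row in con.execute(f"PRAGMA table_info({table})")}
    if not columns:
        raise ValueError(f"unknown table {table!r}")

    clauses, params = [], []
    for column, value in filters.items():
        if column not in columns:
            raise ValueError(f"unknown column {column!r}")
        clauses.append(f'"{column}" = ?')   # identifier quoted, value bound
        params.append(value)

    sql = f'SELECT id, name, role FROM "{table}"'
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    return con.execute(sql, params).fetchall()


if __name__ == "__main__":
    con = make_demo_db()
    payload = "user' OR 1=1 --"
    print("unsafe:", query_with_where(con, "users", "role = 'user' OR 1=1"))
    print("filters, honest value:", query_with_filters(con, "users", {"role": "user"}))
    print("filters, payload as value:", query_with_filters(con, "users", {"role": payload}))
```

The payload that returns every row through the raw where clause matches nothing through filters, because it is compared as a literal string. Keys are the remaining attack surface, which is why they are validated against the schema and rejected rather than quoted and hoped for.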
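Week 1 item 2 fixes the sandbox max check by moving the limit check inside the lock (double-check pattern). The block below is an added example, not the project's sandbox_manager.py, that makes the race reproducible: the racy version checks the count outside the lock, and a threading.Barrier stands in for the slow Docker call so every thread passes the check before any of them registers. The fixed version re-checks under the lock and reserves the slot before the slow call, and releases the reservation if that call fails. SandboxManager, its gate hook, and the demo() helper are assumptions for this example.

```python
import threading
import time


class SandboxManager:
    """Minimal stand-in for a sandbox manager with a hard cap on live sandboxes."""

    def __init__(self, max_sandboxes: int, gate=lambda: None):
        self.max_sandboxes = max_sandboxes
        self._lock = threading.Lock()
        self._sandboxes: dict[str, object] = {}
        self.peak = 0        # highest concurrent count observed (instrumentation for the demo)
        self._gate = gate    # hook standing in for the slow Docker API call

    def _register(self, sandbox_id: str) -> None:
        self._sandboxes[sandbox_id] = object()
        self.peak = max(self.peak, len(self._sandboxes))

    def create_unsafe(self, sandbox_id: str) -> None:
        """BEFORE: limit checked outside the lock, so concurrent callers all pass it."""
        if len(self._sandboxes) >= self.max_sandboxes:
            raise RuntimeError("sandbox limit reached")
        self._gate()                       # container start, with no slot reserved yet
        with self._lock:
            self._register(sandbox_id)

    def create_safe(self, sandbox_id: str) -> None:
        """AFTER: cheap pre-check, re-check under the lock, reserve, then do the slow call."""
        if len(self._sandboxes) >= self.max_sandboxes:
            raise RuntimeError("sandbox limit reached")
        with self._lock:
            if len(self._sandboxes) >= self.max_sandboxes:   # double-check under the lock
                raise RuntimeError("sandbox limit reached")
            self._register(sandbox_id)                       # slot reserved atomically
        try:
            self._gate()                   # slow call runs outside the lock
        except Exception:
            with self._lock:
                self._sandboxes.pop(sandbox_id, None)        # release the reservation
            raise

    def count(self) -> int:
        return len(self._sandboxes)


def stress(create, n_threads: int) -> tuple[int, int]:
    """Run n_threads concurrent create() calls; return (successes, limit errors)."""
    results, results_lock = [], threading.Lock()

    def worker(i: int) -> None:
        try:
            create(f"sb-{i}")
            ok = True
        except RuntimeError:
            ok = False
        with results_lock:
            results.append(ok)

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(n_threads)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results.count(True), results.count(False)


def demo(n_threads: int = 20, limit: int = 5) -> tuple[int, int, int, int]:
    """Return (racy peak, fixed peak, fixed successes, fixed failures)."""
    # The barrier releases only once all threads have passed the unlocked check.
    racy = SandboxManager(limit, gate=threading.Barrier(n_threads).wait)
    stress(racy.create_unsafe, n_threads)
    fixed = SandboxManager(limit, gate=lambda: time.sleep(0.001))
    ok, failed = stress(fixed.create_safe, n_threads)
    return racy.peak, fixed.peak, ok, failed


if __name__ == "__main__":
    print("racy peak, fixed peak, fixed ok, fixed rejected:", demo())
```

With the 10-second Docker timeout this PR also adds, holding the lock across the API call would stall every other create for up to that long; reserving the slot under the lock and releasing it on failure keeps the critical section short without reopening the race.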