apunkt/nyx
1
0
Fork 0
mirror of https://github.com/elicpeter/nyx.git synced 2026-06-15 20:05:13 +02:00
Code Issues Projects Releases Packages Wiki Activity

Performance and precision pass (#64)

Browse source
This commit is contained in:
Eli Peter 2026-05-04 19:58:04 -04:00 committed by GitHub
parent c7c5e0f3a1
commit fb698d2c27
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
97 changed files with 9932 additions and 517 deletions
Download patch file Download diff file Expand all files Collapse all files

33
src/labels/python.rs
View file

@ -25,6 +25,10 @@ pub static RULES: &[LabelRule] = &[
"request.url",
"request.base_url",
"request.host",
"request.match_info",
"request.rel_url",
"request.query",
"request.path",
// Common alias: from flask import request as flask_request
"flask_request.args",
"flask_request.form",
@ -227,7 +231,15 @@ pub static RULES: &[LabelRule] = &[
case_sensitive: false,
},
LabelRule {
matchers: &["send_file", "send_from_directory"],
matchers: &[
"send_file",
"send_from_directory",
// aiohttp file response — sends file at the supplied path,
// semantically identical to Flask's send_file (CVE-2024-23334).
"FileResponse",
"web.FileResponse",
"aiohttp.web.FileResponse",
],
label: DataLabel::Sink(Cap::FILE_IO),
case_sensitive: false,
},
@ -274,6 +286,25 @@ pub static RULES: &[LabelRule] = &[
},
];
/// Method-call validators that strip caps from their *receiver* (and
/// any equivalence-class-shaped args) on success, instead of clearing
/// the return value. Distinct from `RULES`'s `Sanitizer` label, which
/// only clears the return — a poor fit for idioms whose effect is
/// raise-on-failure rather than value-replacement.
///
/// Modeled idioms:
///
/// * `path.relative_to(base)` (pathlib) — raises `ValueError` if `path`
/// is not under `base`. After a successful return, the receiver is
/// path-contained in `base`. Strips `Cap::FILE_IO`. Motivated by
/// CVE-2024-23334 (aiohttp StaticResource symlink-bypass) where the
/// patched code calls `filepath.relative_to(self._directory)` inside
/// a try/except and serves `filepath` afterwards.
pub static RECEIVER_VALIDATORS: &[(&str, Cap)] = &[
("relative_to", Cap::FILE_IO),
(".relative_to", Cap::FILE_IO),
];
pub static GATED_SINKS: &[SinkGate] = &[
// Legacy single-kwarg gate retained for back-compat: Popen(cmd, shell=True).
SinkGate {