zexus 1.6.2 → 1.6.4

package/src/zexus/debug_sanitizer.py

@@ -0,0 +1,250 @@
+"""
+Zexus Debug Information Sanitizer
+
+Security Fix #10: Debug Info Sanitization
+Prevents sensitive information from leaking through debug output and error messages.
+"""
+
+import re
+import os
+from typing import Any, Dict, List, Optional
+
+
+class DebugSanitizer:
+    """
+    Sanitizes debug information to prevent sensitive data leakage.
+    
+    Removes or masks:
+    - Passwords and API keys
+    - Database connection strings
+    - File paths (optional, based on mode)
+    - Environment variables
+    - Stack traces (in production mode)
+    """
+    
+    # Patterns for sensitive data
+    SENSITIVE_PATTERNS = [
+        # Passwords
+        (re.compile(r'password\s*[=:]\s*["\']?([^"\'\s]+)["\']?', re.IGNORECASE), 'password=***'),
+        (re.compile(r'passwd\s*[=:]\s*["\']?([^"\'\s]+)["\']?', re.IGNORECASE), 'passwd=***'),
+        (re.compile(r'pwd\s*[=:]\s*["\']?([^"\'\s]+)["\']?', re.IGNORECASE), 'pwd=***'),
+        
+        # API Keys and Tokens
+        (re.compile(r'api[_-]?key\s*[=:]\s*["\']?([^"\'\s]+)["\']?', re.IGNORECASE), 'api_key=***'),
+        (re.compile(r'secret[_-]?key\s*[=:]\s*["\']?([^"\'\s]+)["\']?', re.IGNORECASE), 'secret_key=***'),
+        (re.compile(r'auth[_-]?token\s*[=:]\s*["\']?([^"\'\s]+)["\']?', re.IGNORECASE), 'auth_token=***'),
+        (re.compile(r'access[_-]?token\s*[=:]\s*["\']?([^"\'\s]+)["\']?', re.IGNORECASE), 'access_token=***'),
+        (re.compile(r'bearer\s+([a-zA-Z0-9_\-\.]+)', re.IGNORECASE), 'bearer ***'),
+        
+        # Database credentials
+        (re.compile(r'mysql://([^:]+):([^@]+)@', re.IGNORECASE), 'mysql://***:***@'),
+        (re.compile(r'postgres://([^:]+):([^@]+)@', re.IGNORECASE), 'postgres://***:***@'),
+        (re.compile(r'mongodb://([^:]+):([^@]+)@', re.IGNORECASE), 'mongodb://***:***@'),
+        
+        # Generic key=value patterns with sensitive keywords
+        (re.compile(r'(private[_-]?key)\s*[=:]\s*["\']?([^"\'\s]+)["\']?', re.IGNORECASE), r'\1=***'),
+        (re.compile(r'(encryption[_-]?key)\s*[=:]\s*["\']?([^"\'\s]+)["\']?', re.IGNORECASE), r'\1=***'),
+        (re.compile(r'(client[_-]?secret)\s*[=:]\s*["\']?([^"\'\s]+)["\']?', re.IGNORECASE), r'\1=***'),
+    ]
+    
+    # Environment variables that should be masked
+    SENSITIVE_ENV_VARS = {
+        'PASSWORD', 'SECRET', 'TOKEN', 'KEY', 'API_KEY', 'DB_PASSWORD',
+        'DATABASE_PASSWORD', 'MYSQL_PASSWORD', 'POSTGRES_PASSWORD',
+        'MONGODB_PASSWORD', 'REDIS_PASSWORD', 'AWS_SECRET_ACCESS_KEY',
+        'PRIVATE_KEY', 'ENCRYPTION_KEY', 'JWT_SECRET'
+    }
+    
+    def __init__(self, production_mode: bool = None):
+        """
+        Initialize sanitizer
+        
+        Args:
+            production_mode: If True, applies stricter sanitization.
+                           If None, auto-detects from environment.
+        """
+        if production_mode is None:
+            # Auto-detect from environment
+            env_mode = os.environ.get('ZEXUS_ENV', 'development').lower()
+            production_mode = env_mode in ('production', 'prod')
+        
+        self.production_mode = production_mode
+    
+    def sanitize_message(self, message: str) -> str:
+        """
+        Sanitize a message by removing sensitive information
+        
+        Args:
+            message: The message to sanitize
+            
+        Returns:
+            Sanitized message
+        """
+        if not isinstance(message, str):
+            message = str(message)
+        
+        result = message
+        
+        # Apply all sensitive patterns
+        for pattern, replacement in self.SENSITIVE_PATTERNS:
+            result = pattern.sub(replacement, result)
+        
+        # Sanitize file paths in production mode
+        if self.production_mode:
+            result = self._sanitize_file_paths(result)
+        
+        return result
+    
+    def sanitize_dict(self, data: Dict[str, Any]) -> Dict[str, Any]:
+        """
+        Sanitize a dictionary by masking sensitive values
+        
+        Args:
+            data: Dictionary to sanitize
+            
+        Returns:
+            Sanitized dictionary
+        """
+        if not isinstance(data, dict):
+            return data
+        
+        result = {}
+        for key, value in data.items():
+            # Check if key indicates sensitive data
+            key_lower = key.lower()
+            is_sensitive = any(
+                sensitive in key_lower 
+                for sensitive in ['password', 'secret', 'token', 'key', 'api']
+            )
+            
+            if is_sensitive:
+                result[key] = '***'
+            elif isinstance(value, dict):
+                result[key] = self.sanitize_dict(value)
+            elif isinstance(value, list):
+                result[key] = self.sanitize_list(value)
+            elif isinstance(value, str):
+                result[key] = self.sanitize_message(value)
+            else:
+                result[key] = value
+        
+        return result
+    
+    def sanitize_list(self, data: List[Any]) -> List[Any]:
+        """Sanitize a list by sanitizing each element"""
+        if not isinstance(data, list):
+            return data
+        
+        result = []
+        for item in data:
+            if isinstance(item, dict):
+                result.append(self.sanitize_dict(item))
+            elif isinstance(item, list):
+                result.append(self.sanitize_list(item))
+            elif isinstance(item, str):
+                result.append(self.sanitize_message(item))
+            else:
+                result.append(item)
+        
+        return result
+    
+    def sanitize_stack_trace(self, stack_trace: str) -> str:
+        """
+        Sanitize stack trace information
+        
+        In production mode, removes internal file paths and limits detail.
+        """
+        if not self.production_mode:
+            # In development, show full stack trace but sanitize sensitive data
+            return self.sanitize_message(stack_trace)
+        
+        # In production, provide minimal stack trace
+        lines = stack_trace.split('\n')
+        sanitized_lines = []
+        
+        for line in lines:
+            # Keep error messages but sanitize them
+            if 'Error:' in line or 'Exception:' in line:
+                sanitized_lines.append(self.sanitize_message(line))
+            # Remove file system paths
+            elif not line.strip().startswith('File '):
+                sanitized_lines.append(line)
+        
+        return '\n'.join(sanitized_lines)
+    
+    def sanitize_environment(self, env_vars: Dict[str, str]) -> Dict[str, str]:
+        """
+        Sanitize environment variables
+        
+        Masks sensitive environment variables.
+        """
+        result = {}
+        for key, value in env_vars.items():
+            # Check if it's a sensitive environment variable
+            key_upper = key.upper()
+            is_sensitive = any(
+                sensitive in key_upper 
+                for sensitive in self.SENSITIVE_ENV_VARS
+            )
+            
+            if is_sensitive:
+                result[key] = '***'
+            else:
+                result[key] = value
+        
+        return result
+    
+    def _sanitize_file_paths(self, text: str) -> str:
+        """
+        Remove or generalize file paths in production mode
+        
+        Converts absolute paths to relative or generic paths.
+        """
+        # Replace home directory paths
+        home = os.path.expanduser('~')
+        text = text.replace(home, '~')
+        
+        # Replace absolute paths with relative
+        import re
+        text = re.sub(r'/[a-zA-Z0-9_\-/]+/([a-zA-Z0-9_\-\.]+\.zx)', r'./\1', text)
+        
+        return text
+    
+    def should_show_debug_info(self) -> bool:
+        """
+        Check if debug information should be shown
+        
+        Returns False in production mode.
+        """
+        return not self.production_mode
+
+
+# Global sanitizer instance
+_sanitizer = DebugSanitizer()
+
+
+def get_sanitizer() -> DebugSanitizer:
+    """Get the global debug sanitizer instance"""
+    return _sanitizer
+
+
+def set_production_mode(enabled: bool):
+    """Set production mode globally"""
+    global _sanitizer
+    _sanitizer = DebugSanitizer(production_mode=enabled)
+
+
+def sanitize_debug_output(message: str) -> str:
+    """Quick function to sanitize debug output"""
+    return _sanitizer.sanitize_message(message)
+
+
+def sanitize_error_data(data: Any) -> Any:
+    """Quick function to sanitize error data"""
+    if isinstance(data, dict):
+        return _sanitizer.sanitize_dict(data)
+    elif isinstance(data, list):
+        return _sanitizer.sanitize_list(data)
+    elif isinstance(data, str):
+        return _sanitizer.sanitize_message(data)
+    return data

package/src/zexus/error_reporter.py

@@ -3,6 +3,8 @@ Zexus Error Reporting System
 
 Provides clear, beginner-friendly error messages that distinguish between
 user code errors and interpreter bugs.
+
+Security Fix #10: Debug info sanitization to prevent sensitive data leakage.
 """
 
 import sys
@@ -10,6 +12,14 @@ from typing import Optional, List, Dict, Any
 from enum import Enum
 
 
+# Import debug sanitizer for Security Fix #10
+try:
+    from .debug_sanitizer import get_sanitizer
+    _SANITIZER_AVAILABLE = True
+except ImportError:
+    _SANITIZER_AVAILABLE = False
+
+
 class ErrorCategory(Enum):
     """Categories of errors in Zexus"""
     USER_CODE = "user_code"  # Error in user's Zexus code
@@ -106,12 +116,22 @@ class ZexusError(Exception):
             parts.append("")
         
         # Error message
-        parts.append(f"  {self.message}")
+        message = self.message
+        # Security Fix #10: Sanitize error messages
+        if _SANITIZER_AVAILABLE:
+            sanitizer = get_sanitizer()
+            message = sanitizer.sanitize_message(message)
+        
+        parts.append(f"  {message}")
         
         # Suggestion
         if self.suggestion:
+            suggestion = self.suggestion
+            # Sanitize suggestions too
+            if _SANITIZER_AVAILABLE:
+                suggestion = get_sanitizer().sanitize_message(suggestion)
             parts.append("")
-            parts.append(f"  {YELLOW}💡 Suggestion:{RESET} {self.suggestion}")
+            parts.append(f"  {YELLOW}💡 Suggestion:{RESET} {suggestion}")
         
         # Internal error note
         if self.category == ErrorCategory.INTERPRETER:

package/src/zexus/evaluator/core.py

@@ -8,6 +8,7 @@ from .expressions import ExpressionEvaluatorMixin
 from .statements import StatementEvaluatorMixin
 from .functions import FunctionEvaluatorMixin
 from .integration import EvaluationContext, get_integration
+from .resource_limiter import ResourceLimiter, ResourceError, TimeoutError
 
 # Import VM and bytecode compiler
 try:
@@ -22,7 +23,7 @@ except ImportError as e:
     print(f"⚠️  VM not available in evaluator: {e}")
 
 class Evaluator(ExpressionEvaluatorMixin, StatementEvaluatorMixin, FunctionEvaluatorMixin):
-    def __init__(self, trusted: bool = False, use_vm: bool = True):
+    def __init__(self, trusted: bool = False, use_vm: bool = True, resource_limiter=None):
         # Initialize mixins (FunctionEvaluatorMixin sets up builtins)
         FunctionEvaluatorMixin.__init__(self)
         
@@ -35,6 +36,9 @@ class Evaluator(ExpressionEvaluatorMixin, StatementEvaluatorMixin, FunctionEvalu
         else:
             self.integration_context.setup_for_untrusted_code()
         
+        # Resource limiting (Security Fix #7)
+        self.resource_limiter = resource_limiter or ResourceLimiter()
+        
         # VM integration
         self.use_vm = use_vm and VM_AVAILABLE
         self.vm_instance = None
@@ -409,7 +413,8 @@ class Evaluator(ExpressionEvaluatorMixin, StatementEvaluatorMixin, FunctionEvalu
                 value = value.replace('\\\\', '\\')
                 value = value.replace('\\"', '"')
                 value = value.replace("\\'", "'")
-                return String(value)
+                # String literals are trusted (not from external input)
+                return String(value, is_trusted=True)
             
             elif isinstance(node, zexus_ast.Boolean):
                 debug_log("  Boolean node", f"value: {node.value}")
@@ -512,30 +517,21 @@ class Evaluator(ExpressionEvaluatorMixin, StatementEvaluatorMixin, FunctionEvalu
                 if is_error(obj): 
                     return obj
                 
-                # Safely extract property name - property can be Identifier, IntegerLiteral, or other expression
-                # IMPORTANT: For Identifier nodes in index expressions (arr[i]), we need to evaluate them first!
-                if isinstance(node.property, zexus_ast.Identifier):
-                    # This could be either a property name (obj.prop) or an index variable (arr[i])
-                    # We need to check if it's being used as an index (numeric) or property (string)
-                    # First try to evaluate it as an identifier (variable lookup)
-                    prop_result = self.eval_identifier(node.property, env)
-                    if not is_error(prop_result) and not isinstance(prop_result, type(NULL)):
-                        # Successfully found a variable, use its value as the property/index
-                        property_name = prop_result.value if hasattr(prop_result, 'value') else str(prop_result)
-                    else:
-                        # Not found as variable, treat as literal property name (for obj.prop syntax)
-                        property_name = node.property.value
-                elif isinstance(node.property, zexus_ast.IntegerLiteral):
-                    # Direct integer index like arr[0]
-                    property_name = node.property.value
-                elif isinstance(node.property, zexus_ast.PropertyAccessExpression):
-                    # Nested property access - evaluate it
+                # Determine property name based on whether it's computed (obj[expr]) or literal (obj.prop)
+                if hasattr(node, 'computed') and node.computed:
+                    # Computed property (obj[expr]) - always evaluate the expression
                     prop_result = self.eval_node(node.property, env, stack_trace)
                     if is_error(prop_result):
                         return prop_result
                     property_name = prop_result.value if hasattr(prop_result, 'value') else str(prop_result)
+                elif isinstance(node.property, zexus_ast.Identifier):
+                    # Literal property (obj.prop) - use the identifier name directly
+                    property_name = node.property.value
+                elif isinstance(node.property, zexus_ast.IntegerLiteral):
+                    # Direct integer index like arr[0] (for backwards compatibility)
+                    property_name = node.property.value
                 else:
-                    # Evaluate the property expression to get the key
+                    # Fallback: evaluate the property expression
                     prop_result = self.eval_node(node.property, env, stack_trace)
                     if is_error(prop_result):
                         return prop_result

package/src/zexus/evaluator/expressions.py

@@ -108,19 +108,38 @@ class ExpressionEvaluatorMixin:
         left_val = left.value
         right_val = right.value
         
-        if operator == "+": 
-            return Integer(left_val + right_val)
-        elif operator == "-": 
-            return Integer(left_val - right_val)
-        elif operator == "*": 
-            return Integer(left_val * right_val)
+        # SECURITY FIX #6: Integer overflow protection
+        # Python integers have arbitrary precision, but we enforce safe ranges
+        # to prevent resource exhaustion and match real-world integer behavior
+        MAX_SAFE_INT = 2**63 - 1  # 64-bit signed integer max
+        MIN_SAFE_INT = -(2**63)   # 64-bit signed integer min
+        
+        def check_overflow(result, operation):
+            """Check if integer operation resulted in overflow"""
+            if result > MAX_SAFE_INT or result < MIN_SAFE_INT:
+                return EvaluationError(
+                    f"Integer overflow in {operation}",
+                    suggestion=f"Result {result} exceeds safe integer range [{MIN_SAFE_INT}, {MAX_SAFE_INT}]. Use require() to validate inputs or break calculation into smaller parts."
+                )
+            return Integer(result)
+        
+        if operator == "+":
+            result = left_val + right_val
+            return check_overflow(result, "addition")
+        elif operator == "-":
+            result = left_val - right_val
+            return check_overflow(result, "subtraction")
+        elif operator == "*":
+            result = left_val * right_val
+            return check_overflow(result, "multiplication")
         elif operator == "/":
             if right_val == 0: 
                 return EvaluationError(
                     "Division by zero",
                     suggestion="Check your divisor value. Consider adding a condition: if (divisor != 0) { ... }"
                 )
-            return Integer(left_val // right_val)
+            result = left_val // right_val
+            return check_overflow(result, "division")
         elif operator == "%":
             if right_val == 0: 
                 return EvaluationError(
@@ -173,8 +192,29 @@ class ExpressionEvaluatorMixin:
         return EvaluationError(f"Unknown float operator: {operator}")
     
     def eval_string_infix(self, operator, left, right):
-        if operator == "+": 
-            return String(left.value + right.value)
+        if operator == "+":
+            # SECURITY ENFORCEMENT: Check sanitization before concatenation
+            from ..security_enforcement import check_string_concatenation
+            check_string_concatenation(left, right)
+            
+            # Propagate sanitization status to result
+            result = String(left.value + right.value)
+            
+            # Result is trusted only if both inputs are trusted
+            result.is_trusted = left.is_trusted and right.is_trusted
+            
+            # Propagate sanitization context intelligently:
+            # - If both have same sanitization, inherit it
+            # - If one is trusted (literal) and other is sanitized, inherit the sanitization
+            # - Otherwise, no sanitization (both must be sanitized or one trusted + one sanitized)
+            if left.sanitized_for == right.sanitized_for and left.sanitized_for is not None:
+                result.sanitized_for = left.sanitized_for
+            elif left.is_trusted and right.sanitized_for is not None:
+                result.sanitized_for = right.sanitized_for
+            elif right.is_trusted and left.sanitized_for is not None:
+                result.sanitized_for = left.sanitized_for
+            
+            return result
         elif operator == "==": 
             return TRUE if left.value == right.value else FALSE
         elif operator == "!=": 
@@ -277,46 +317,67 @@ class ExpressionEvaluatorMixin:
             else:
                 return EvaluationError(f"Unsupported operation: {left.type()} {operator} DATETIME")
         
-        # Mixed String Concatenation
+        # SECURITY FIX #8: Type Safety - No Implicit Coercion
+        # Addition operator: String+String OR Number+Number only
         elif operator == "+":
-            if isinstance(left, String):
-                right_str = right.inspect() if not isinstance(right, String) else right.value
-                return String(left.value + str(right_str))
-            elif isinstance(right, String):
-                left_str = left.inspect() if not isinstance(left, String) else left.value
-                return String(str(left_str) + right.value)
-            # Mixed Numeric
+            # String concatenation requires both operands to be strings
+            if isinstance(left, String) or isinstance(right, String):
+                # If either is a string, both must be strings
+                if not (isinstance(left, String) and isinstance(right, String)):
+                    left_type = "STRING" if isinstance(left, String) else type(left).__name__.upper()
+                    right_type = "STRING" if isinstance(right, String) else type(right).__name__.upper()
+                    
+                    return EvaluationError(
+                        f"Type mismatch: cannot add {left_type} and {right_type}\n"
+                        f"Use explicit conversion: string(value) to convert to string before concatenation\n"
+                        f"Example: string({left.value if hasattr(left, 'value') else left}) + string({right.value if hasattr(right, 'value') else right})"
+                    )
+            
+            # Numeric addition: Integer + Integer OR Float + Float OR Integer + Float
             elif isinstance(left, (Integer, Float)) and isinstance(right, (Integer, Float)):
-                l_val = float(left.value)
-                r_val = float(right.value)
-                return Float(l_val + r_val)
+                # Mixed Integer/Float operations return Float
+                if isinstance(left, Float) or isinstance(right, Float):
+                    result = float(left.value) + float(right.value)
+                    return Float(result)
+                # Both integers handled by eval_integer_infix
+                else:
+                    return EvaluationError("Internal error: Integer + Integer should be handled by eval_integer_infix")
+            
+            # Invalid type combination
+            else:
+                left_type = type(left).__name__.replace("Obj", "").upper()
+                right_type = type(right).__name__.replace("Obj", "").upper()
+                return EvaluationError(
+                    f"Type error: cannot add {left_type} and {right_type}\n"
+                    f"Addition requires matching types: STRING + STRING or NUMBER + NUMBER"
+                )
         
-        # Mixed arithmetic operations (String coerced to number for *, -, /, %)
+        # SECURITY FIX #8: Strict Type Checking for Arithmetic
+        # All arithmetic operations require numeric types (Integer or Float)
         elif operator in ("*", "-", "/", "%"):
-            # Try to coerce strings to numbers for arithmetic
-            l_val = None
-            r_val = None
+            # Get type names for error messages
+            left_type = type(left).__name__.replace("Obj", "").upper()
+            right_type = type(right).__name__.replace("Obj", "").upper()
             
-            # Get left value
-            if isinstance(left, (Integer, Float)):
-                l_val = float(left.value)
-            elif isinstance(left, String):
-                try:
-                    l_val = float(left.value)
-                except ValueError:
-                    pass
+            # Only allow arithmetic between numbers (Integer or Float)
+            if not isinstance(left, (Integer, Float)):
+                return EvaluationError(
+                    f"Type error: {operator} requires numeric operands, got {left_type}\n"
+                    f"Use explicit conversion: int(value) or float(value)"
+                )
             
-            # Get right value
-            if isinstance(right, (Integer, Float)):
-                r_val = float(right.value)
-            elif isinstance(right, String):
-                try:
-                    r_val = float(right.value)
-                except ValueError:
-                    pass
+            if not isinstance(right, (Integer, Float)):
+                return EvaluationError(
+                    f"Type error: {operator} requires numeric operands, got {right_type}\n"
+                    f"Use explicit conversion: int(value) or float(value)"
+                )
             
-            # Perform operation if both values could be coerced
-            if l_val is not None and r_val is not None:
+            # Both are numbers - perform operation
+            # Mixed Integer/Float operations return Float
+            if isinstance(left, Float) or isinstance(right, Float):
+                l_val = float(left.value)
+                r_val = float(right.value)
+                
                 try:
                     if operator == "*":
                         result = l_val * r_val
@@ -332,13 +393,16 @@ class ExpressionEvaluatorMixin:
                         result = l_val % r_val
                     
                     # Return Integer if result is whole number, Float otherwise
-                    if result == int(result):
+                    if result == int(result) and operator != "/":  # Division always returns float
                         return Integer(int(result))
                     return Float(result)
                 except Exception as e:
                     return EvaluationError(f"Arithmetic error: {str(e)}")
+            else:
+                # Both integers - integer arithmetic (already handled by eval_integer_infix)
+                return EvaluationError(f"Internal error: Integer {operator} Integer should be handled by eval_integer_infix")
         
-        # Comparison with mixed numeric types
+        # Comparison with mixed numeric types (Integer/Float comparison allowed)
         elif operator in ("<", ">", "<=", ">="):
             if isinstance(left, (Integer, Float)) and isinstance(right, (Integer, Float)):
                 l_val = float(left.value)
@@ -348,19 +412,14 @@ class ExpressionEvaluatorMixin:
                 elif operator == "<=": return TRUE if l_val <= r_val else FALSE
                 elif operator == ">=": return TRUE if l_val >= r_val else FALSE
             
-            # Mixed String/Number comparison (Coerce to float)
-            elif (isinstance(left, (Integer, Float)) and isinstance(right, String)) or \
-                 (isinstance(left, String) and isinstance(right, (Integer, Float))):
-                try:
-                    l_val = float(left.value)
-                    r_val = float(right.value)
-                    if operator == "<": return TRUE if l_val < r_val else FALSE
-                    elif operator == ">": return TRUE if l_val > r_val else FALSE
-                    elif operator == "<=": return TRUE if l_val <= r_val else FALSE
-                    elif operator == ">=": return TRUE if l_val >= r_val else FALSE
-                except ValueError:
-                    # If conversion fails, return FALSE (NaN comparison behavior)
-                    return FALSE
+            # SECURITY FIX #8: No implicit coercion for comparisons
+            else:
+                left_type = type(left).__name__.replace("Obj", "").upper()
+                right_type = type(right).__name__.replace("Obj", "").upper()
+                return EvaluationError(
+                    f"Type error: cannot compare {left_type} {operator} {right_type}\n"
+                    f"Use explicit conversion if needed: int(value) or float(value)"
+                )
 
         return EvaluationError(f"Type mismatch: {left.type()} {operator} {right.type()}")