IncludeCPP 4.6.0__tar.gz → 4.6.4__tar.gz

{includecpp-4.6.0 → includecpp-4.6.4}/IncludeCPP.egg-info/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: IncludeCPP
-Version: 4.6.0
+Version: 4.6.4
 Summary: Professional C++ Python bindings with type-generic templates, pystubs and native threading
 Home-page: https://github.com/liliassg/IncludeCPP
 Author: Lilias Hatterscheidt

{includecpp-4.6.0 → includecpp-4.6.4}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: IncludeCPP
-Version: 4.6.0
+Version: 4.6.4
 Summary: Professional C++ Python bindings with type-generic templates, pystubs and native threading
 Home-page: https://github.com/liliassg/IncludeCPP
 Author: Lilias Hatterscheidt

{includecpp-4.6.0 → includecpp-4.6.4}/includecpp/__init__.py

@@ -2,7 +2,7 @@ from .core.cpp_api import CppApi
 from .core import cssl_bridge as CSSL
 import warnings
 
-__version__ = "4.5.2"
+__version__ = "4.6.4"
 __all__ = ["CppApi", "CSSL"]
 
 # Module-level cache for C++ modules

{includecpp-4.6.0 → includecpp-4.6.4}/includecpp/core/cssl/cssl_builtins.py

@@ -1017,18 +1017,53 @@ class CSSLBuiltins:
 
     # ============= File I/O Functions =============
 
+    # v4.7.1: Path validation helper to prevent directory traversal attacks
+    def _validate_path(self, path: str, allow_write: bool = False) -> str:
+        """Validate file path for security.
+
+        v4.7.1: Prevents directory traversal attacks by checking for '..' sequences
+        and ensuring paths are within reasonable bounds.
+
+        Args:
+            path: The file path to validate
+            allow_write: If True, allows write operations
+
+        Returns:
+            The normalized absolute path
+
+        Raises:
+            CSSLBuiltinError: If path is invalid or attempts traversal
+        """
+        if not isinstance(path, str) or not path:
+            raise CSSLBuiltinError("Invalid path: path must be a non-empty string")
+
+        # Normalize the path
+        normalized = os.path.normpath(path)
+
+        # Check for directory traversal attempts
+        if '..' in normalized:
+            raise CSSLBuiltinError("Directory traversal not allowed in path")
+
+        return normalized
+
     def builtin_read(self, path: str, encoding: str = 'utf-8') -> str:
         """Read entire file content.
         Usage: read('/path/to/file.txt')
+        v4.7.1: Added path validation
         """
-        with open(path, 'r', encoding=encoding) as f:
+        validated_path = self._validate_path(path)
+        with open(validated_path, 'r', encoding=encoding) as f:
             return f.read()
 
     def builtin_readline(self, line: int, path: str, encoding: str = 'utf-8') -> str:
         """Read specific line from file (1-indexed).
         Usage: readline(5, '/path/to/file.txt')  -> returns line 5
+        v4.7.1: Added path validation and line number validation
         """
-        with open(path, 'r', encoding=encoding) as f:
+        if not isinstance(line, int) or line < 1:
+            raise CSSLBuiltinError("Line number must be a positive integer")
+        validated_path = self._validate_path(path)
+        with open(validated_path, 'r', encoding=encoding) as f:
             for i, file_line in enumerate(f, 1):
                 if i == line:
                     return file_line.rstrip('\n\r')
@@ -1037,18 +1072,25 @@ class CSSLBuiltins:
     def builtin_write(self, path: str, content: str, encoding: str = 'utf-8') -> int:
         """Write content to file, returns chars written.
         Usage: write('/path/to/file.txt', 'Hello World')
+        v4.7.1: Added path validation
         """
-        with open(path, 'w', encoding=encoding) as f:
-            return f.write(content)
+        validated_path = self._validate_path(path, allow_write=True)
+        with open(validated_path, 'w', encoding=encoding) as f:
+            return f.write(str(content) if content is not None else '')
 
     def builtin_writeline(self, line: int, content: str, path: str, encoding: str = 'utf-8') -> bool:
         """Write/replace specific line in file (1-indexed).
         Usage: writeline(5, 'New content', '/path/to/file.txt')
+        v4.7.1: Added path and line number validation
         """
+        if not isinstance(line, int) or line < 1:
+            raise CSSLBuiltinError("Line number must be a positive integer")
+        validated_path = self._validate_path(path, allow_write=True)
+
         # Read all lines
         lines = []
-        if os.path.exists(path):
-            with open(path, 'r', encoding=encoding) as f:
+        if os.path.exists(validated_path):
+            with open(validated_path, 'r', encoding=encoding) as f:
                 lines = f.readlines()
 
         # Ensure we have enough lines
@@ -1056,67 +1098,81 @@ class CSSLBuiltins:
             lines.append('\n')
 
         # Replace the specific line (1-indexed)
-        if not content.endswith('\n'):
-            content = content + '\n'
-        lines[line - 1] = content
+        content_str = str(content) if content is not None else ''
+        if not content_str.endswith('\n'):
+            content_str = content_str + '\n'
+        lines[line - 1] = content_str
 
         # Write back
-        with open(path, 'w', encoding=encoding) as f:
+        with open(validated_path, 'w', encoding=encoding) as f:
             f.writelines(lines)
         return True
 
     def builtin_readfile(self, path: str, encoding: str = 'utf-8') -> str:
-        """Read entire file content"""
-        with open(path, 'r', encoding=encoding) as f:
+        """Read entire file content. v4.7.1: Added path validation"""
+        validated_path = self._validate_path(path)
+        with open(validated_path, 'r', encoding=encoding) as f:
             return f.read()
 
     def builtin_writefile(self, path: str, content: str, encoding: str = 'utf-8') -> int:
-        """Write content to file, returns bytes written"""
-        with open(path, 'w', encoding=encoding) as f:
-            return f.write(content)
+        """Write content to file, returns bytes written. v4.7.1: Added path validation"""
+        validated_path = self._validate_path(path, allow_write=True)
+        with open(validated_path, 'w', encoding=encoding) as f:
+            return f.write(str(content) if content is not None else '')
 
     def builtin_appendfile(self, path: str, content: str, encoding: str = 'utf-8') -> int:
-        """Append content to file, returns bytes written"""
-        with open(path, 'a', encoding=encoding) as f:
-            return f.write(content)
+        """Append content to file, returns bytes written. v4.7.1: Added path validation"""
+        validated_path = self._validate_path(path, allow_write=True)
+        with open(validated_path, 'a', encoding=encoding) as f:
+            return f.write(str(content) if content is not None else '')
 
     def builtin_readlines(self, path: str, encoding: str = 'utf-8') -> list:
-        """Read file lines into list"""
-        with open(path, 'r', encoding=encoding) as f:
+        """Read file lines into list. v4.7.1: Added path validation"""
+        validated_path = self._validate_path(path)
+        with open(validated_path, 'r', encoding=encoding) as f:
             return f.readlines()
 
     def builtin_listdir(self, path: str = '.') -> list:
-        """List directory contents"""
-        return os.listdir(path)
+        """List directory contents. v4.7.1: Added path validation"""
+        validated_path = self._validate_path(path) if path != '.' else '.'
+        return os.listdir(validated_path)
 
     def builtin_makedirs(self, path: str, exist_ok: bool = True) -> bool:
-        """Create directories recursively"""
-        os.makedirs(path, exist_ok=exist_ok)
+        """Create directories recursively. v4.7.1: Added path validation"""
+        validated_path = self._validate_path(path, allow_write=True)
+        os.makedirs(validated_path, exist_ok=exist_ok)
         return True
 
     def builtin_removefile(self, path: str) -> bool:
-        """Remove a file"""
-        os.remove(path)
+        """Remove a file. v4.7.1: Added path validation"""
+        validated_path = self._validate_path(path, allow_write=True)
+        os.remove(validated_path)
         return True
 
     def builtin_removedir(self, path: str) -> bool:
-        """Remove an empty directory"""
-        os.rmdir(path)
+        """Remove an empty directory. v4.7.1: Added path validation"""
+        validated_path = self._validate_path(path, allow_write=True)
+        os.rmdir(validated_path)
         return True
 
     def builtin_copyfile(self, src: str, dst: str) -> str:
-        """Copy a file, returns destination path"""
+        """Copy a file, returns destination path. v4.7.1: Added path validation"""
         import shutil
-        return shutil.copy2(src, dst)
+        validated_src = self._validate_path(src)
+        validated_dst = self._validate_path(dst, allow_write=True)
+        return shutil.copy2(validated_src, validated_dst)
 
     def builtin_movefile(self, src: str, dst: str) -> str:
-        """Move a file, returns destination path"""
+        """Move a file, returns destination path. v4.7.1: Added path validation"""
         import shutil
-        return shutil.move(src, dst)
+        validated_src = self._validate_path(src, allow_write=True)
+        validated_dst = self._validate_path(dst, allow_write=True)
+        return shutil.move(validated_src, validated_dst)
 
     def builtin_filesize(self, path: str) -> int:
-        """Get file size in bytes"""
-        return os.path.getsize(path)
+        """Get file size in bytes. v4.7.1: Added path validation"""
+        validated_path = self._validate_path(path)
+        return os.path.getsize(validated_path)
 
     # ============= JSON Functions =============
 
@@ -1558,26 +1614,57 @@ class CSSLBuiltins:
         """Delay execution by milliseconds"""
         time.sleep(ms / 1000.0)
 
+    # v4.7.1: Safe modules whitelist for pyimport
+    SAFE_MODULES = {
+        'math', 'json', 'datetime', 'random', 're', 'collections', 'itertools',
+        'functools', 'operator', 'string', 'textwrap', 'unicodedata', 'difflib',
+        'time', 'calendar', 'decimal', 'fractions', 'statistics', 'copy',
+        'pprint', 'enum', 'dataclasses', 'typing', 'abc', 'contextlib',
+        'base64', 'binascii', 'hashlib', 'hmac', 'secrets',
+        'html', 'urllib.parse', 'uuid', 'pathlib',
+    }
+
     def builtin_pyimport(self, module_name: str) -> Any:
         """
         Import a Python module for use in CSSL.
 
+        v4.7.1: Restricted to safe modules only for security.
         v4.1.1: Fixed to use importlib.import_module for proper nested module support.
 
+        Safe modules: math, json, datetime, random, re, collections, itertools,
+                      functools, operator, string, time, calendar, decimal, etc.
+
         Usage:
-            module = pyimport("plugins.app")
-            result = module.my_function()
+            @math = pyimport("math");
+            result = math.sqrt(16);
 
-            os = pyimport("os")
-            path = os.path.join("a", "b")
+            @json = pyimport("json");
+            data = json.loads('{"key": "value"}');
         """
         import importlib
+        # Check if module is in safe list
+        base_module = module_name.split('.')[0]
+        if base_module not in self.SAFE_MODULES and module_name not in self.SAFE_MODULES:
+            raise RuntimeError(
+                f"Module '{module_name}' is not allowed. "
+                f"Safe modules: {', '.join(sorted(self.SAFE_MODULES))}"
+            )
         return importlib.import_module(module_name)
 
     # ============= Extended String Functions =============
 
     def builtin_sprintf(self, fmt: str, *args) -> str:
-        """C-style format string"""
+        """C-style format string with validation.
+
+        v4.7.1: Added format specifier validation for security.
+        """
+        import re
+        # Count format specifiers (excluding %%)
+        specifiers = re.findall(r'%(?!%)[#0\- +]*\d*\.?\d*[hlL]?[diouxXeEfFgGcrsab]', fmt)
+        if len(specifiers) != len(args):
+            raise ValueError(
+                f"Format string has {len(specifiers)} specifiers but {len(args)} arguments provided"
+            )
         return fmt % args
 
     def builtin_chars(self, s: str) -> list:
@@ -1849,27 +1936,60 @@ class CSSLBuiltins:
 
     def builtin_initsh(self, path: str, *args) -> int:
         """
-        Execute a shell script
-        Usage: initsh('/path/to/script.sh')
+        Execute a shell script from the 'scripts' directory only.
+
+        v4.7.1: Restricted to 'scripts/' directory for security.
+
+        Usage: initsh('myscript.sh')  // Runs scripts/myscript.sh
         """
         import subprocess
 
-        if not os.path.isabs(path) and self.runtime and self.runtime.service_engine:
-            path = os.path.join(self.runtime.service_engine.KernelClient.RootDirectory, path)
+        # v4.7.1: Security - prevent directory traversal
+        if '..' in path or path.startswith('/') or path.startswith('\\'):
+            raise CSSLBuiltinError(
+                f"Invalid script path: '{path}'. "
+                "Scripts must be relative paths without '..' and must be in 'scripts/' directory."
+            )
 
-        if not os.path.exists(path):
-            raise CSSLBuiltinError(f"Shell script not found: {path}")
+        # Determine base directory
+        if self.runtime and self.runtime.service_engine:
+            base_dir = self.runtime.service_engine.KernelClient.RootDirectory
+        else:
+            base_dir = os.getcwd()
+
+        # Force scripts to be in 'scripts' subdirectory
+        scripts_dir = os.path.join(base_dir, 'scripts')
+        full_path = os.path.normpath(os.path.join(scripts_dir, path))
+
+        # Verify path is within scripts directory (prevent traversal)
+        if not full_path.startswith(os.path.normpath(scripts_dir)):
+            raise CSSLBuiltinError(
+                f"Security: Script path '{path}' escapes the scripts directory."
+            )
+
+        if not os.path.exists(full_path):
+            raise CSSLBuiltinError(f"Shell script not found: {full_path}")
+
+        # Validate file extension
+        valid_extensions = {'.sh', '.bat', '.cmd', '.ps1'}
+        _, ext = os.path.splitext(full_path)
+        if ext.lower() not in valid_extensions:
+            raise CSSLBuiltinError(
+                f"Invalid script type: '{ext}'. Allowed: {', '.join(valid_extensions)}"
+            )
 
         try:
             # Determine shell based on platform
             import platform
             if platform.system() == 'Windows':
-                # Use cmd or powershell on Windows
-                cmd = ['cmd', '/c', path] + list(args)
+                if ext.lower() == '.ps1':
+                    cmd = ['powershell', '-ExecutionPolicy', 'Bypass', '-File', full_path] + list(args)
+                else:
+                    cmd = ['cmd', '/c', full_path] + list(args)
             else:
-                cmd = ['bash', path] + list(args)
+                cmd = ['bash', full_path] + list(args)
 
-            result = subprocess.run(cmd, capture_output=True, text=True)
+            result = subprocess.run(cmd, capture_output=True, text=True, timeout=60)
 
             if result.stdout:
                 print(result.stdout)
@@ -1878,6 +1998,8 @@ class CSSLBuiltins:
 
             return result.returncode
 
+        except subprocess.TimeoutExpired:
+            raise CSSLBuiltinError(f"Script execution timeout (60s): {path}")
         except Exception as e:
             print(f"Shell execution error [{path}]: {e}")
             raise CSSLBuiltinError(f"initsh failed: {e}")