jentic-openapi-common 1.0.0a30__py3-none-any.whl

jentic/apitools/openapi/common/path_security.py

@@ -0,0 +1,176 @@
+"""Path security utilities for safe filesystem access."""
+
+from pathlib import Path
+from typing import Literal, overload
+
+
+__all__ = [
+    "PathSecurityError",
+    "PathTraversalError",
+    "InvalidExtensionError",
+    "SymlinkSecurityError",
+    "validate_path",
+]
+
+
+class PathSecurityError(Exception):
+    """Base exception for path security violations."""
+
+    pass
+
+
+class PathTraversalError(PathSecurityError):
+    """Raised when a path attempts to escape the allowed base directory."""
+
+    pass
+
+
+class InvalidExtensionError(PathSecurityError):
+    """Raised when a file has a disallowed extension."""
+
+    pass
+
+
+class SymlinkSecurityError(PathSecurityError):
+    """Raised when a path contains symlinks when not allowed or symlink escapes boundary."""
+
+    pass
+
+
+@overload
+def validate_path(
+    path: str | Path,
+    *,
+    allowed_base: str | Path | None = None,
+    allowed_extensions: tuple[str, ...] | None = None,
+    resolve_symlinks: bool = True,
+    as_string: Literal[True] = True,
+) -> str: ...
+
+
+@overload
+def validate_path(
+    path: str | Path,
+    *,
+    allowed_base: str | Path | None = None,
+    allowed_extensions: tuple[str, ...] | None = None,
+    resolve_symlinks: bool = True,
+    as_string: Literal[False],
+) -> Path: ...
+
+
+def validate_path(
+    path: str | Path,
+    *,
+    allowed_base: str | Path | None = None,
+    allowed_extensions: tuple[str, ...] | None = None,
+    resolve_symlinks: bool = True,
+    as_string: bool = True,
+) -> str | Path:
+    """
+    Validate and canonicalize a filesystem path with security checks.
+
+    This function provides defense-in-depth security for filesystem access by:
+    1. Converting to absolute path and resolving `.` and `..` components
+    2. Optionally resolving symlinks and checking they don't escape boundaries
+    3. Enforcing boundary restrictions (path must be within allowed_base)
+    4. Validating file extensions against a whitelist
+
+    Args:
+        path: The filesystem path to validate (string or Path object)
+        allowed_base: Optional base directory that path must be within.
+            If None, no boundary checking is performed.
+        allowed_extensions: Optional tuple of allowed file extensions (e.g., ('.yaml', '.json')).
+            Extensions are case-sensitive. If None, no extension checking is performed.
+        resolve_symlinks: If True (default), resolve symlinks using Path.resolve().
+            If False, use Path.absolute() to preserve symlinks.
+        as_string: If True (default), return str. If False, return Path object.
+
+    Returns:
+        Canonicalized path (str by default, or Path if as_string=False) that has passed all security checks.
+
+    Raises:
+        PathTraversalError: If the path attempts to escape the allowed_base directory
+        InvalidExtensionError: If the file extension is not in allowed_extensions
+        SymlinkSecurityError: If symlink resolution reveals a security issue
+
+    Examples:
+        >>> # Basic validation with boundary enforcement (returns str by default)
+        >>> validate_path("/var/app/data/file.yaml", allowed_base="/var/app")
+        '/var/app/data/file.yaml'
+
+        >>> # Return Path object when needed
+        >>> validate_path("/var/app/data/file.yaml", allowed_base="/var/app", as_string=False)
+        Path('/var/app/data/file.yaml')
+
+        >>> # Prevent directory traversal
+        >>> validate_path("/var/app/../etc/passwd", allowed_base="/var/app")
+        PathTraversalError: Path '/etc/passwd' is outside allowed base '/var/app'
+
+        >>> # Extension validation
+        >>> validate_path("file.txt", allowed_extensions=('.yaml', '.json'))
+        InvalidExtensionError: Path 'file.txt' has disallowed extension '.txt'
+    """
+    if not path:
+        raise PathSecurityError("Path cannot be empty or None")
+
+    # Convert to Path object
+    path_obj = Path(path)
+
+    # Canonicalize path (resolve . and ..)
+    if resolve_symlinks:
+        # Fully resolve including symlinks
+        try:
+            canonical_path = path_obj.resolve(strict=False)
+        except (OSError, RuntimeError) as e:
+            raise PathSecurityError(f"Failed to resolve path '{path}': {e}") from e
+    else:
+        # Convert to absolute but preserve symlinks
+        canonical_path = path_obj.absolute()
+
+    # Boundary enforcement
+    if allowed_base is not None:
+        allowed_base_path = Path(allowed_base)
+        if resolve_symlinks:
+            try:
+                canonical_base = allowed_base_path.resolve(strict=False)
+            except (OSError, RuntimeError) as e:
+                raise PathSecurityError(
+                    f"Failed to resolve allowed_base '{allowed_base}': {e}"
+                ) from e
+        else:
+            canonical_base = allowed_base_path.absolute()
+
+        # Check if canonical_path is within canonical_base
+        try:
+            canonical_path.relative_to(canonical_base)
+        except ValueError:
+            raise PathTraversalError(
+                f"Path '{canonical_path}' is outside allowed base '{canonical_base}'"
+            ) from None
+
+        # Additional check: if resolve_symlinks is True, verify that no symlink in the path
+        # escapes the boundary. This is already handled by resolve() above, but we add
+        # an explicit check for symlinks that might have been followed
+        if resolve_symlinks and path_obj.is_symlink():
+            # If the original path was a symlink, verify the resolved target is still in bounds
+            try:
+                canonical_path.relative_to(canonical_base)
+            except ValueError:
+                raise SymlinkSecurityError(
+                    f"Symlink '{path}' resolves to '{canonical_path}' which is outside allowed base '{canonical_base}'"
+                ) from None
+
+    # Extension validation
+    if allowed_extensions is not None:
+        if not canonical_path.suffix:
+            raise InvalidExtensionError(
+                f"Path '{canonical_path}' has no file extension. Allowed extensions: {allowed_extensions}"
+            )
+        if canonical_path.suffix not in allowed_extensions:
+            raise InvalidExtensionError(
+                f"Path '{canonical_path}' has disallowed extension '{canonical_path.suffix}'. "
+                f"Allowed extensions: {allowed_extensions}"
+            )
+
+    return str(canonical_path) if as_string else canonical_path

jentic/apitools/openapi/common/subproc.py

@@ -0,0 +1,145 @@
+"""Subprocess execution utilities for OpenAPI tools."""
+
+import subprocess
+from collections.abc import Sequence
+from dataclasses import dataclass
+from typing import IO, Any
+
+
+__all__ = ["run_subprocess", "SubprocessExecutionResult", "SubprocessExecutionError"]
+
+
+@dataclass
+class SubprocessExecutionResult:
+    """Returned by a subprocess."""
+
+    returncode: int
+    stdout: str = ""
+    stderr: str = ""
+
+    def __init__(
+        self,
+        returncode: int,
+        stdout: str | None = None,
+        stderr: str | None = None,
+    ):
+        self.returncode = returncode
+        self.stdout = stdout if isinstance(stdout, str) else ""
+        self.stderr = stderr if isinstance(stderr, str) else ""
+
+
+class SubprocessExecutionError(RuntimeError):
+    """Raised when a subprocess exits with non-zero return code."""
+
+    def __init__(
+        self,
+        cmd: Sequence[str],
+        returncode: int,
+        stdout: str | None = None,
+        stderr: str | None = None,
+    ):
+        self.cmd = list(cmd)
+        self.returncode = returncode
+        self.stdout = stdout if isinstance(stdout, str) else ""
+        self.stderr = stderr if isinstance(stderr, str) else ""
+        message = (
+            f"Command {self.cmd!r} failed with exit code {self.returncode}\n"
+            f"--- stdout ---\n{self.stdout}\n"
+            f"--- stderr ---\n{self.stderr}"
+        )
+        super().__init__(message)
+
+
+def run_subprocess(
+    cmd: Sequence[str],
+    *,
+    fail_on_error: bool = False,
+    timeout: float | None = None,
+    encoding: str = "utf-8",
+    errors: str = "strict",
+    cwd: str | None = None,
+    stdout: int | IO[Any] | None = None,
+    stderr: int | IO[Any] | None = None,
+) -> SubprocessExecutionResult:
+    """
+    Run a subprocess command and return (stdout, stderr) as text.
+    Raises SubprocessExecutionError if the command fails.
+
+    Parameters
+    ----------
+    cmd : sequence of str
+        The command and its arguments.
+    fail_on_error : bool
+        If True, raises SubprocessExecutionError for non-zero return codes.
+    timeout : float | None
+        Seconds before timing out.
+    encoding : str
+        Passed to subprocess.run so stdout/stderr are decoded as text.
+    errors : str
+        Error handler for text decoding.
+    cwd : str | None
+        Working directory for the subprocess.
+    stdout : int | IO[Any] | None
+        Optional stdout destination. Can be subprocess.PIPE (default), subprocess.DEVNULL,
+        an open file object, or None. When redirected to a file, result.stdout will be empty.
+    stderr : int | IO[Any] | None
+        Optional stderr destination. Can be subprocess.PIPE (default), subprocess.DEVNULL,
+        an open file object, or None. When redirected to a file, result.stderr will be empty.
+
+    Returns
+    -------
+    (stdout, stderr, returncode): SubprocessExecutionResult
+        Note: If stdout/stderr are redirected to a file, the corresponding result fields
+        will be empty strings.
+    """
+    try:
+        # If both stdout and stderr are None, use capture_output for simplicity
+        if stdout is None and stderr is None:
+            completed_process = subprocess.run(
+                cmd,
+                check=False,
+                capture_output=True,
+                text=True,
+                shell=False,
+                encoding=encoding,
+                errors=errors,
+                timeout=timeout,
+                cwd=cwd,
+            )
+        else:
+            # Use explicit stdout/stderr with defaults to PIPE if not specified
+            completed_process = subprocess.run(
+                cmd,
+                check=False,
+                stdout=stdout if stdout is not None else subprocess.PIPE,
+                stderr=stderr if stderr is not None else subprocess.PIPE,
+                text=True,
+                shell=False,
+                encoding=encoding,
+                errors=errors,
+                timeout=timeout,
+                cwd=cwd,
+            )
+    except subprocess.TimeoutExpired as e:
+        timeout_stdout = (
+            e.stdout.decode(encoding, errors) if isinstance(e.stdout, bytes) else e.stdout
+        )
+        timeout_stderr = (
+            e.stderr.decode(encoding, errors) if isinstance(e.stderr, bytes) else e.stderr
+        )
+        raise SubprocessExecutionError(cmd, -1, timeout_stdout, timeout_stderr) from e
+    except OSError as e:  # e.g., executable not found, permission denied
+        raise SubprocessExecutionError(cmd, -1, None, str(e)) from e
+
+    if completed_process.returncode != 0 and fail_on_error:
+        raise SubprocessExecutionError(
+            cmd,
+            completed_process.returncode,
+            completed_process.stdout,
+            completed_process.stderr,
+        )
+
+    # At this point CompletedProcess stdout/stderr are str due to text=True + encoding
+    return SubprocessExecutionResult(
+        completed_process.returncode, completed_process.stdout, completed_process.stderr
+    )

jentic/apitools/openapi/common/uri.py

@@ -0,0 +1,341 @@
+import os
+import re
+from pathlib import Path
+from urllib.parse import urljoin, urlparse, urlsplit, urlunsplit
+from urllib.request import url2pathname
+
+
+__all__ = [
+    "URIResolutionError",
+    "is_uri_like",
+    "is_http_https_url",
+    "is_file_uri",
+    "is_scheme_relative_uri",
+    "is_absolute_uri",
+    "is_fragment_only_uri",
+    "is_path",
+    "resolve_to_absolute",
+    "file_uri_to_path",
+]
+
+
+_WINDOWS_DRIVE_RE = re.compile(r"^[A-Za-z]:[\\/]")
+_WINDOWS_UNC_RE = re.compile(r"^(?:\\\\|//)[^\\/]+[\\/][^\\/]+")
+
+# Matches:
+# - http://... or https://...
+# - file://...
+# - POSIX absolute: /path or just "/"
+# - Windows UNC: \\server\share\...
+# - Windows root-relative: \path\to (current drive root)
+# - Windows drive-absolute: C:\path\to or C:/path/to
+# - Relative paths: ./path, ../path, .\path, ..\path, or plain relative paths
+_URI_LIKE_RE = re.compile(
+    r"""^(?:
+            https?://[^\r\n]+ |
+            file://[^\r\n]+   |
+            /[^\r\n]*         |
+            \\\\[^\r\n]+      |
+            \\[^\r\n]+        |
+            [A-Za-z]:\\[^\r\n]+ |
+            [A-Za-z]:/[^\r\n]+ |
+            \./[^\r\n]*       |
+            \.\\/[^\r\n]*     |
+            \.\.[/\\][^\r\n]* |
+            \.\.\\[^\r\n]*    |
+            [a-zA-Z_][a-zA-Z0-9_.-]*(?:[/\\][a-zA-Z0-9_.-]+)+ |
+            [a-zA-Z_][a-zA-Z0-9_.-]*\.[a-zA-Z0-9]+(?![}\])])
+        )$""",
+    re.VERBOSE,
+)
+
+
+class URIResolutionError(ValueError):
+    pass
+
+
+def is_uri_like(uri: str | None) -> bool:
+    r"""
+    Heuristic check: is `s` a URI-like reference or absolute/relative path?
+    - Accepts http(s)://, file://
+    - Accepts absolute POSIX (/...) and Windows (\\..., \..., C:\..., C:/...) paths
+    - Accepts relative paths (./..., ../..., .\..., ..\...)
+    - Must be a single line (no '\\n' or '\\r').
+    Leading/trailing whitespace is ignored.
+    """
+    if not uri:
+        return False
+    uri = uri.strip()
+    # Enforce single line
+    if "\n" in uri or "\r" in uri:
+        return False
+    return bool(_URI_LIKE_RE.match(uri))
+
+
+def is_path(s: str | None) -> bool:
+    """
+    Check if `s` is a filesystem path (not a URL or URI).
+
+    Returns True for:
+    - Absolute POSIX paths: /home/file.txt
+    - Absolute Windows paths: C:\\Windows\\file.txt, \\\\server\\share\\path
+    - Relative paths: ./config.yaml, ../parent/file.txt
+
+    Returns False for:
+    - HTTP(S) URLs: http://example.com
+    - File URIs: file:///home/file.txt
+    - Other URIs: mailto:test@example.com, data:text/plain, ftp://ftp.example.com
+    - Empty or None strings
+    """
+    if not s:
+        return False
+
+    s = s.strip()
+
+    # Must match the URI-like pattern first
+    if not is_uri_like(s):
+        return False
+
+    # Exclude HTTP(S) URLs
+    if is_http_https_url(s):
+        return False
+
+    # Exclude file:// URIs
+    if is_file_uri(s):
+        return False
+
+    # Exclude any other URI schemes (mailto:, data:, ftp:, etc.)
+    parsed = urlparse(s)
+    if parsed.scheme:  # Has a scheme
+        return False
+
+    # It's a path!
+    return True
+
+
+def is_http_https_url(url: str) -> bool:
+    p = urlparse(url)
+    return p.scheme in ("http", "https") and bool(p.netloc)
+
+
+def is_file_uri(uri: str) -> bool:
+    return urlparse(uri).scheme == "file"
+
+
+def is_scheme_relative_uri(uri: str) -> bool:
+    """
+    Check if `uri` is a scheme-relative URI (also called protocol-relative URI).
+
+    A scheme-relative URI starts with "//" followed by an authority component (netloc),
+    inheriting the scheme from the context (e.g., "//cdn.example.com/path").
+
+    This is defined in RFC 3986 section 4.2 as a network-path reference.
+    Per RFC 3986, a valid network-path reference must have an authority component.
+
+    Examples:
+        - "//cdn.example.com/x.yaml" -> True
+        - "//example.com/api" -> True
+        - "http://example.com" -> False (has scheme)
+        - "/path/to/file" -> False (single slash)
+        - "./relative" -> False (relative path)
+        - "//" -> False (no authority component)
+        - "///path" -> False (no authority component)
+
+    Args:
+        uri: The string to check
+
+    Returns:
+        True if the string is a valid scheme-relative URI with authority, False otherwise
+    """
+    if not uri.startswith("//"):
+        return False
+    p = urlparse(uri)
+    return bool(p.netloc)
+
+
+def is_absolute_uri(uri: str) -> bool:
+    """
+    Check if `uri` is an absolute URI according to RFC 3986.
+
+    An absolute URI is defined as having a scheme (e.g., "http:", "https:", "ftp:", "file:").
+
+    Note: Scheme-relative URIs (starting with "//") are NOT considered absolute URIs.
+    According to RFC 3986 section 4.2, scheme-relative URIs are classified as
+    "relative references" (specifically, "network-path references").
+    Use `is_scheme_relative_uri()` to check for those separately.
+
+    Examples:
+        - "http://example.com" -> True
+        - "https://example.com/path" -> True
+        - "ftp://ftp.example.com" -> True
+        - "file:///path/to/file" -> True
+        - "//cdn.example.com/x.yaml" -> False (scheme-relative, use is_scheme_relative_uri)
+        - "/path/to/file" -> False (absolute path, not URI)
+        - "./relative" -> False
+        - "#fragment" -> False
+
+    Args:
+        uri: The string to check
+
+    Returns:
+        True if the string is an absolute URI (has a scheme), False otherwise
+    """
+    p = urlparse(uri)
+    return bool(p.scheme)
+
+
+def is_fragment_only_uri(uri: str) -> bool:
+    """
+    Check if `uri` is a fragment-only reference.
+
+    A fragment-only reference consists solely of a fragment identifier (starts with "#").
+    These are used in JSON References and OpenAPI to refer to parts within the same document.
+
+    Note: This checks if the ENTIRE string is a fragment reference, not whether
+    a URI contains a fragment. For example, "http://example.com#section" would
+    return False because it's a full URI with a fragment, not fragment-only.
+
+    Examples:
+        - "#/definitions/User" -> True
+        - "#fragment" -> True
+        - "#" -> True (empty fragment identifier)
+        - "##" -> True (fragment identifier is "#")
+        - "http://example.com#section" -> False (full URI with fragment)
+        - "/path/to/file" -> False
+        - "./relative" -> False
+        - "" -> False
+
+    Args:
+        uri: The string to check
+
+    Returns:
+        True if the string is a fragment-only reference, False otherwise
+    """
+    return uri.startswith("#")
+
+
+def resolve_to_absolute(value: str, base_uri: str | None = None) -> str:
+    """
+    Resolve `value` to either:
+      - an absolute URL (with scheme), OR
+      - an absolute filesystem path (no scheme)
+
+    • If `base_uri` is None AND `value` has no scheme (i.e., relative URI or path),
+    return an **absolute filesystem path** resolved against CWD.
+
+    Other rules:
+      • Absolute http(s) URLs ⇒ return absolute URL.
+      • file:// URIs ⇒ return absolute filesystem path.
+      • If `base_uri` is an http(s) URL, relative inputs resolve to absolute URLs.
+      • If `base_uri` is a path or file://, relative inputs resolve to absolute paths.
+      • Mixing a path-like `value` with an http(s) `base_uri` raises (ambiguous).
+      • Scheme-relative (“//host/path”) without a URL base ⇒ raises.
+    """
+    _guard_single_line(value)
+
+    if is_http_https_url(value):
+        return _normalize_url(value)
+
+    if is_file_uri(value):
+        return file_uri_to_path(value)
+
+    if _looks_like_windows_path(value):
+        return _resolve_path_like(value, base_uri)
+
+    parsed = urlparse(value)
+    # Scheme-relative without URL base is ambiguous
+    if value.startswith("//"):
+        if base_uri and is_http_https_url(base_uri):
+            return _normalize_url(urljoin(base_uri, value))
+        raise URIResolutionError("Scheme-relative URLs require a URL base_uri.")
+
+    # Any other explicit scheme (mailto:, data:, ftp:, etc.) → accept as-is
+    if parsed.scheme:
+        if parsed.scheme in ("http", "https"):
+            if not parsed.netloc:
+                raise URIResolutionError(f"Malformed URL (missing host): {value!r}")
+            return _normalize_url(value)
+        if parsed.scheme == "file":
+            # handled above
+            raise AssertionError("unreachable")
+        return value  # leave non-file, non-http schemes untouched
+
+    # --- No scheme: relative URI or path ---
+    if base_uri:
+        if is_http_https_url(base_uri):
+            # Relative URI against URL base → absolute URL
+            return _normalize_url(urljoin(base_uri, value))
+        # base is file path or file:// → absolute path
+        return _resolve_path_like(value, base_uri)
+
+    # **Your rule**: no base + no scheme ⇒ absolute filesystem path
+    return _resolve_path_like(value, None)
+
+
+def file_uri_to_path(file_uri: str) -> str:
+    """
+    Convert a file:// URI to an absolute filesystem path.
+
+    Args:
+        file_uri: A file:// URI string (e.g., "file:///path/to/file" or "file://server/share/path")
+
+    Returns:
+        Absolute filesystem path as a string
+
+    Raises:
+        URIResolutionError: If the input is not a valid file:// URI
+
+    Examples:
+        >>> file_uri_to_path("file:///home/user/doc.yaml")
+        '/home/user/doc.yaml'
+        >>> file_uri_to_path("file://localhost/etc/config.yaml")
+        '/etc/config.yaml'
+    """
+    parsed_uri = urlparse(file_uri)
+    if parsed_uri.scheme != "file":
+        raise URIResolutionError(f"Not a file URI: {file_uri!r}")
+    if parsed_uri.netloc and parsed_uri.netloc not in ("", "localhost"):
+        # UNC: \\server\share\path
+        unc = f"//{parsed_uri.netloc}{parsed_uri.path}"
+        return str(Path(url2pathname(unc)).resolve())
+    path = url2pathname(parsed_uri.path)
+    return str(Path(path).resolve())
+
+
+def _guard_single_line(s: str) -> None:
+    if not isinstance(s, str) or ("\n" in s or "\r" in s):
+        raise URIResolutionError("Input must be a single-line string.")
+
+
+def _looks_like_windows_path(s: str) -> bool:
+    return bool(_WINDOWS_DRIVE_RE.match(s) or _WINDOWS_UNC_RE.match(s))
+
+
+def _normalize_url(s: str) -> str:
+    import posixpath
+
+    parts = urlsplit(s)
+    # Normalize the path component using posixpath (URLs always use forward slashes)
+    normalized_path = posixpath.normpath(parts.path) if parts.path else "/"
+    # Ensure root path is "/"
+    if normalized_path == ".":
+        normalized_path = "/"
+    return urlunsplit((parts.scheme, parts.netloc, normalized_path, parts.query, parts.fragment))
+
+
+def _resolve_path_like(value: str, base_uri: str | None) -> str:
+    value = os.path.expandvars(os.path.expanduser(value))
+
+    if base_uri:
+        if is_file_uri(base_uri):
+            base_path = Path(url2pathname(urlparse(base_uri).path))
+        elif is_http_https_url(base_uri):
+            # Don't silently combine a local path with a URL base
+            raise URIResolutionError("Cannot resolve a local path against an HTTP(S) base_uri.")
+        else:
+            base_path = Path(os.path.expandvars(os.path.expanduser(base_uri)))
+    else:
+        base_path = Path.cwd()
+
+    p = Path(value)
+    return str(p.resolve() if p.is_absolute() else (base_path / p).resolve())