logler 1.0.2__tar.gz → 1.0.7__tar.gz

{logler-1.0.2 → logler-1.0.7}/Cargo.lock

@@ -547,9 +547,9 @@ checksum = "613afe47fcd5fac7ccf1db93babcb082c5994d996f20b8b159f2ad1658eb5724"
 
 [[package]]
 name = "chrono"
-version = "0.4.42"
+version = "0.4.43"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "145052bdd345b87320e369255277e3fb5152762ad123a901ef5c262dd38fe8d2"
+checksum = "fac4744fb15ae8337dc853fee7fb3f4e48c0fbaa23d0afe49c447b4fab126118"
 dependencies = [
  "iana-time-zone",
  "js-sys",
@@ -1480,9 +1480,9 @@ dependencies = [
 
 [[package]]
 name = "js-sys"
-version = "0.3.83"
+version = "0.3.85"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "464a3709c7f55f1f721e5389aa6ea4e3bc6aba669353300af094b29ffbdde1d8"
+checksum = "8c942ebf8e95485ca0d52d97da7c5a2c387d0e7f0ba4c35e93bfcaee045955b3"
 dependencies = [
  "once_cell",
  "wasm-bindgen",
@@ -1640,7 +1640,7 @@ checksum = "5e5032e24019045c762d3c0f28f5b6b8bbf38563a65908389bf7978758920897"
 
 [[package]]
 name = "logler-cli"
-version = "1.0.2"
+version = "1.0.6"
 dependencies = [
  "anyhow",
  "clap",
@@ -1655,7 +1655,7 @@ dependencies = [
 
 [[package]]
 name = "logler-core"
-version = "1.0.2"
+version = "1.0.6"
 dependencies = [
  "anyhow",
  "async-stream",
@@ -1680,7 +1680,7 @@ dependencies = [
 
 [[package]]
 name = "logler-py"
-version = "1.0.2"
+version = "1.0.6"
 dependencies = [
  "anyhow",
  "logler-core",
@@ -1692,7 +1692,7 @@ dependencies = [
 
 [[package]]
 name = "logler-server"
-version = "1.0.2"
+version = "1.0.6"
 dependencies = [
  "anyhow",
  "axum",
@@ -3244,9 +3244,9 @@ dependencies = [
 
 [[package]]
 name = "wasm-bindgen"
-version = "0.2.106"
+version = "0.2.108"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0d759f433fa64a2d763d1340820e46e111a7a5ab75f993d1852d70b03dbb80fd"
+checksum = "64024a30ec1e37399cf85a7ffefebdb72205ca1c972291c51512360d90bd8566"
 dependencies = [
  "cfg-if",
  "once_cell",
@@ -3257,11 +3257,12 @@ dependencies = [
 
 [[package]]
 name = "wasm-bindgen-futures"
-version = "0.4.56"
+version = "0.4.58"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "836d9622d604feee9e5de25ac10e3ea5f2d65b41eac0d9ce72eb5deae707ce7c"
+checksum = "70a6e77fd0ae8029c9ea0063f87c46fde723e7d887703d74ad2616d792e51e6f"
 dependencies = [
  "cfg-if",
+ "futures-util",
  "js-sys",
  "once_cell",
  "wasm-bindgen",
@@ -3270,9 +3271,9 @@ dependencies = [
 
 [[package]]
 name = "wasm-bindgen-macro"
-version = "0.2.106"
+version = "0.2.108"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "48cb0d2638f8baedbc542ed444afc0644a29166f1595371af4fecf8ce1e7eeb3"
+checksum = "008b239d9c740232e71bd39e8ef6429d27097518b6b30bdf9086833bd5b6d608"
 dependencies = [
  "quote",
  "wasm-bindgen-macro-support",
@@ -3280,9 +3281,9 @@ dependencies = [
 
 [[package]]
 name = "wasm-bindgen-macro-support"
-version = "0.2.106"
+version = "0.2.108"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cefb59d5cd5f92d9dcf80e4683949f15ca4b511f4ac0a6e14d4e1ac60c6ecd40"
+checksum = "5256bae2d58f54820e6490f9839c49780dff84c65aeab9e772f15d5f0e913a55"
 dependencies = [
  "bumpalo",
  "proc-macro2",
@@ -3293,18 +3294,18 @@ dependencies = [
 
 [[package]]
 name = "wasm-bindgen-shared"
-version = "0.2.106"
+version = "0.2.108"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cbc538057e648b67f72a982e708d485b2efa771e1ac05fec311f9f63e5800db4"
+checksum = "1f01b580c9ac74c8d8f0c0e4afb04eeef2acf145458e52c03845ee9cd23e3d12"
 dependencies = [
  "unicode-ident",
 ]
 
 [[package]]
 name = "web-sys"
-version = "0.3.83"
+version = "0.3.85"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9b32828d774c412041098d182a8b38b16ea816958e07cf40eec2bc080ae137ac"
+checksum = "312e32e551d92129218ea9a2452120f4aabc03529ef03e4d0d82fb2780608598"
 dependencies = [
  "js-sys",
  "wasm-bindgen",

{logler-1.0.2 → logler-1.0.7}/Cargo.toml

@@ -3,7 +3,7 @@ members = ["crates/logler-py"]
 resolver = "2"
 
 [workspace.package]
-version = "1.0.2"
+version = "1.0.6"
 edition = "2021"
 authors = ["Logler Contributors"]
 license = "MIT"

{logler-1.0.2 → logler-1.0.7}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: logler
-Version: 1.0.2
+Version: 1.0.7
 Classifier: Development Status :: 4 - Beta
 Classifier: Intended Audience :: Developers
 Classifier: License :: OSI Approved :: MIT License

{logler-1.0.2 → logler-1.0.7}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "maturin"
 
 [project]
 name = "logler"
-version = "1.0.2"
+version = "1.0.7"
 description = "Beautiful local log viewer with thread tracking and real-time updates"
 readme = "README.md"
 requires-python = ">=3.9"
@@ -69,7 +69,7 @@ logler = ["web/templates/**/*", "web/static/**/*"]
 manifest-path = "crates/logler-py/Cargo.toml"
 python-source = "src"
 python-packages = ["logler"]
-features = ["sql"]
+# features passed via CLI in CI (sql not supported on Windows)
 include = ["LICENSE", "README.md"]
 
 [tool.black]

{logler-1.0.2 → logler-1.0.7}/src/logler/__init__.py

@@ -2,7 +2,7 @@
 Logler - Beautiful local log viewer with thread tracking and real-time updates.
 """
 
-__version__ = "1.0.0"
+__version__ = "1.0.7"
 __author__ = "Logler Contributors"
 
 from .parser import LogParser, LogEntry

{logler-1.0.2 → logler-1.0.7}/src/logler/investigate.py

@@ -30,10 +30,13 @@ Example Usage:
 
 import json
 import re
+import warnings
 from typing import List, Optional, Dict, Any, Tuple
 from datetime import datetime
 from collections import defaultdict
 
+from .safe_regex import try_compile
+
 try:
     import logler_rs
 
@@ -48,10 +51,10 @@ except ImportError:
             RUST_AVAILABLE = True
         else:
             RUST_AVAILABLE = False
-            print("Warning: Rust backend not available. Using Python fallback.")
-    except Exception:
+            warnings.warn("Rust backend not available. Using Python fallback.", stacklevel=2)
+    except (ImportError, AttributeError, OSError):
         RUST_AVAILABLE = False
-        print("Warning: Rust backend not available. Using Python fallback.")
+        warnings.warn("Rust backend not available. Using Python fallback.", stacklevel=2)
 
 
 def _normalize_entry(entry: Dict[str, Any]) -> None:
@@ -97,9 +100,8 @@ def _apply_custom_regex_to_results(result: Dict[str, Any], pattern: Optional[str
     """Apply a user-provided regex to fill missing fields like timestamp/level."""
     if not pattern:
         return
-    try:
-        regex = re.compile(pattern)
-    except re.error:
+    regex = try_compile(pattern)
+    if regex is None:
         return
 
     for item in result.get("results", []) or []:
@@ -2198,7 +2200,7 @@ def cross_service_timeline(
                 e for e in all_entries if e["timestamp"] and start_dt <= e["timestamp"] <= end_dt
             ]
         except Exception as e:
-            print(f"Warning: Could not parse time window: {e}")
+            warnings.warn(f"Could not parse time window: {e}", stacklevel=2)
 
     # Sort by timestamp
     all_entries.sort(key=lambda e: e["timestamp"] if e["timestamp"] else datetime.min)

{logler-1.0.2 → logler-1.0.7}/src/logler/llm_cli.py

@@ -18,6 +18,8 @@ from typing import Optional, List, Dict, Any
 from datetime import datetime, timedelta
 from collections import defaultdict
 
+from .safe_regex import safe_compile, RegexTimeoutError, RegexPatternTooLongError
+
 # Exit codes
 EXIT_SUCCESS = 0  # Success with results
 EXIT_NO_RESULTS = 1  # Success but no results found
@@ -808,8 +810,8 @@ def verify_pattern(
             _error_json(f"No files found matching: {files}")
 
         try:
-            regex = re.compile(pattern)
-        except re.error as e:
+            regex = safe_compile(pattern)
+        except (re.error, RegexTimeoutError, RegexPatternTooLongError) as e:
             _error_json(f"Invalid regex pattern: {e}")
 
         parser = LogParser()
@@ -950,8 +952,8 @@ def emit(
         query_regex = None
         if query:
             try:
-                query_regex = re.compile(query, re.IGNORECASE)
-            except re.error as e:
+                query_regex = safe_compile(query, re.IGNORECASE)
+            except (re.error, RegexTimeoutError, RegexPatternTooLongError) as e:
                 _error_json(f"Invalid regex pattern: {e}")
 
         for file_path in file_list:

logler-1.0.7/src/logler/safe_regex.py

@@ -0,0 +1,124 @@
+"""
+Safe regex compilation with timeout protection against ReDoS attacks.
+
+This module provides a safe_compile function that wraps re.compile with:
+- Pattern length validation
+- Compilation timeout (Unix only, graceful fallback on Windows)
+- Clear error messages
+"""
+
+import re
+import threading
+from typing import Optional
+
+
+class RegexTimeoutError(Exception):
+    """Raised when regex compilation times out."""
+
+    pass
+
+
+class RegexPatternTooLongError(Exception):
+    """Raised when regex pattern exceeds maximum allowed length."""
+
+    pass
+
+
+# Maximum pattern length to prevent ReDoS via complexity
+MAX_PATTERN_LENGTH = 1000
+
+# Timeout for regex compilation in seconds
+COMPILE_TIMEOUT = 2.0
+
+
+def _compile_with_timeout(
+    pattern: str,
+    flags: int,
+    timeout: float,
+    result_container: dict,
+) -> None:
+    """Worker function for threaded compilation."""
+    try:
+        result_container["result"] = re.compile(pattern, flags)
+    except re.error as e:
+        result_container["error"] = e
+    except Exception as e:
+        result_container["error"] = e
+
+
+def safe_compile(
+    pattern: str,
+    flags: int = 0,
+    timeout: float = COMPILE_TIMEOUT,
+    max_length: int = MAX_PATTERN_LENGTH,
+) -> re.Pattern:
+    """
+    Safely compile a regex pattern with timeout protection.
+
+    Args:
+        pattern: The regex pattern to compile
+        flags: Optional regex flags (e.g., re.IGNORECASE)
+        timeout: Maximum time in seconds to allow for compilation
+        max_length: Maximum allowed pattern length
+
+    Returns:
+        Compiled regex pattern
+
+    Raises:
+        RegexPatternTooLongError: If pattern exceeds max_length
+        RegexTimeoutError: If compilation takes longer than timeout
+        re.error: If the pattern is invalid
+    """
+    # Validate pattern length
+    if len(pattern) > max_length:
+        raise RegexPatternTooLongError(
+            f"Regex pattern length {len(pattern)} exceeds maximum {max_length}"
+        )
+
+    # Use threading for cross-platform timeout support
+    result_container: dict = {}
+    thread = threading.Thread(
+        target=_compile_with_timeout,
+        args=(pattern, flags, timeout, result_container),
+    )
+    thread.start()
+    thread.join(timeout=timeout)
+
+    if thread.is_alive():
+        # Thread is still running - compilation timed out
+        # Note: We can't actually kill the thread, but we return an error
+        raise RegexTimeoutError(
+            f"Regex compilation timed out after {timeout}s (pattern may cause catastrophic backtracking)"
+        )
+
+    if "error" in result_container:
+        raise result_container["error"]
+
+    return result_container["result"]
+
+
+def try_compile(
+    pattern: str,
+    flags: int = 0,
+    timeout: float = COMPILE_TIMEOUT,
+    max_length: int = MAX_PATTERN_LENGTH,
+) -> Optional[re.Pattern]:
+    """
+    Try to compile a regex pattern safely, returning None on failure.
+
+    This is a convenience wrapper around safe_compile that catches all
+    exceptions and returns None instead.
+
+    Args:
+        pattern: The regex pattern to compile
+        flags: Optional regex flags
+        timeout: Maximum compilation time
+        max_length: Maximum pattern length
+
+    Returns:
+        Compiled pattern or None if compilation fails
+    """
+    try:
+        return safe_compile(pattern, flags, timeout, max_length)
+    except (RegexTimeoutError, RegexPatternTooLongError, re.error):
+        return None

{logler-1.0.2 → logler-1.0.7}/src/logler/web/app.py

@@ -36,6 +36,22 @@ def _ensure_within_root(path: Path) -> Path:
     raise HTTPException(status_code=403, detail="Requested path is outside the configured log root")
 
 
+def _sanitize_glob_pattern(pattern: str) -> str:
+    """Remove path traversal sequences from glob patterns."""
+    import re as _re
+
+    # Remove any ../ or ..\ sequences that could escape the root
+    # Use a loop to handle multiple consecutive traversal attempts like ../../
+    while ".." in pattern:
+        old_pattern = pattern
+        pattern = _re.sub(r"\.\.[\\/]", "", pattern)
+        pattern = _re.sub(r"[\\/]\.\.", "", pattern)
+        pattern = _re.sub(r"^\.\.", "", pattern)  # Leading ..
+        if pattern == old_pattern:
+            break  # No more changes possible
+    return pattern
+
+
 def _glob_within_root(pattern: str) -> List[Path]:
     """
     Run a glob pattern scoped to LOG_ROOT, returning file paths only.
@@ -43,6 +59,9 @@ def _glob_within_root(pattern: str) -> List[Path]:
     if not pattern:
         return []
 
+    # Sanitize the pattern to prevent path traversal
+    pattern = _sanitize_glob_pattern(pattern)
+
     # Normalize relative patterns to LOG_ROOT
     raw_pattern = pattern
     if not Path(pattern).is_absolute():
@@ -168,14 +187,14 @@ def _rust_filter(
 ) -> Optional[List[Dict[str, Any]]]:
     try:
         import logler_rs  # type: ignore
-    except Exception:
+    except ImportError:
         return None
 
     try:
         from ..cache import get_cached_investigator
 
         inv = get_cached_investigator(files)
-    except Exception:
+    except (ImportError, AttributeError, TypeError):
         inv = logler_rs.PyInvestigator()
         inv.load_files(files)
 
@@ -226,7 +245,8 @@ def _rust_filter(
         if track:
             _track_entries(entries)
         return entries
-    except Exception:
+    except (json.JSONDecodeError, KeyError, ValueError, AttributeError, RuntimeError):
+        # Rust filter failed - fall back to Python implementation
         return None
 
 
@@ -646,7 +666,10 @@ async def websocket_endpoint(websocket: WebSocket):
                 await follow_file(websocket, file_path, current_filters, drop_count)
 
     except WebSocketDisconnect:
-        websocket_clients.remove(websocket)
+        pass  # Normal disconnect
+    finally:
+        if websocket in websocket_clients:
+            websocket_clients.remove(websocket)
 
 
 async def follow_file(
@@ -667,7 +690,8 @@ async def follow_file(
     with open(path, "r") as f:
         f.seek(0, 2)
         position = f.tell()
-        line_number = sum(1 for _ in open(path))
+    with open(path, "r") as f:
+        line_number = sum(1 for _ in f)
 
     # Follow file
     try: