oscura 0.10.0__py3-none-any.whl → 0.11.0__py3-none-any.whl

oscura/__init__.py

@@ -53,7 +53,7 @@ try:
     __version__ = version("oscura")
 except Exception:
     # Fallback for development/testing when package not installed
-    __version__ = "0.10.0"
+    __version__ = "0.11.0"
 
 __author__ = "Oscura Contributors"
 

oscura/__main__.py

@@ -106,6 +106,10 @@ def download_file(url: str, dest: Path, checksum: str | None = None) -> bool:
         # Create SSL context that works in most environments
         context = ssl.create_default_context()
 
+        # SEC-003: Validate URL scheme to prevent file:// attacks
+        if not url.startswith(("http://", "https://")):
+            raise ValueError(f"Unsupported URL scheme (only http/https allowed): {url}")
+
         print(f"  Downloading: {url}")
 
         with urllib.request.urlopen(url, context=context, timeout=30) as response:

oscura/analyzers/ml/signal_classifier.py

@@ -458,6 +458,12 @@ class MLSignalClassifier:
         Restores the complete model state including the ML model, feature scaler,
         feature names, and class labels.
 
+        Warning:
+            **Security**: Model files use pickle serialization. Only load model files
+            from trusted sources. Loading untrusted model files can execute arbitrary
+            code (CWE-502: Deserialization of Untrusted Data). Consider implementing
+            HMAC signature verification for production deployments.
+
         Args:
             path: Path to saved model file.
 

oscura/analyzers/waveform/spectral.py

@@ -17,6 +17,7 @@ References:
 
 from __future__ import annotations
 
+import threading
 from functools import lru_cache
 from typing import TYPE_CHECKING, Any, Literal
 
@@ -32,8 +33,9 @@ if TYPE_CHECKING:
 
     from oscura.core.types import MeasurementResult, WaveformTrace
 
-# Global FFT cache statistics
+# Global FFT cache statistics (thread-safe)
 _fft_cache_stats = {"hits": 0, "misses": 0, "size": 128}
+_fft_cache_lock = threading.Lock()
 
 
 def get_fft_cache_stats() -> dict[str, int]:
@@ -46,7 +48,8 @@ def get_fft_cache_stats() -> dict[str, int]:
         >>> stats = get_fft_cache_stats()
         >>> print(f"Cache hit rate: {stats['hits'] / (stats['hits'] + stats['misses']):.1%}")
     """
-    return _fft_cache_stats.copy()
+    with _fft_cache_lock:
+        return _fft_cache_stats.copy()
 
 
 def clear_fft_cache() -> None:
@@ -58,8 +61,9 @@ def clear_fft_cache() -> None:
         >>> clear_fft_cache()  # Clear cached FFT results
     """
     _compute_fft_cached.cache_clear()
-    _fft_cache_stats["hits"] = 0
-    _fft_cache_stats["misses"] = 0
+    with _fft_cache_lock:
+        _fft_cache_stats["hits"] = 0
+        _fft_cache_stats["misses"] = 0
 
 
 def configure_fft_cache(size: int) -> None:
@@ -72,11 +76,12 @@ def configure_fft_cache(size: int) -> None:
         >>> configure_fft_cache(256)  # Increase cache size for better hit rate
     """
     global _compute_fft_cached
-    _fft_cache_stats["size"] = size
-    # Recreate cache with new size
-    _compute_fft_cached = lru_cache(maxsize=size)(_compute_fft_impl)
-    _fft_cache_stats["hits"] = 0
-    _fft_cache_stats["misses"] = 0
+    with _fft_cache_lock:
+        _fft_cache_stats["size"] = size
+        # Recreate cache with new size
+        _compute_fft_cached = lru_cache(maxsize=size)(_compute_fft_impl)
+        _fft_cache_stats["hits"] = 0
+        _fft_cache_stats["misses"] = 0
 
 
 def _compute_fft_impl(
@@ -270,7 +275,8 @@ def _fft_cached_path(
     freq, magnitude_db, phase = _compute_fft_cached(
         data_bytes, n, window, nfft_computed, detrend, sample_rate
     )
-    _fft_cache_stats["hits"] += 1
+    with _fft_cache_lock:
+        _fft_cache_stats["hits"] += 1
 
     if return_phase:
         return freq, magnitude_db, phase
@@ -302,7 +308,8 @@ def _fft_direct_path(
     Returns:
         FFT results (with or without phase).
     """
-    _fft_cache_stats["misses"] += 1
+    with _fft_cache_lock:
+        _fft_cache_stats["misses"] += 1
 
     w = get_window(window, n)
     data_windowed = data_processed * w

oscura/automotive/__init__.py

@@ -49,7 +49,7 @@ try:
     __version__ = version("oscura")
 except Exception:
     # Fallback for development/testing when package not installed
-    __version__ = "0.10.0"
+    __version__ = "0.11.0"
 
 __all__ = [
     "CANMessage",

oscura/automotive/dtc/data.json

@@ -266,12 +266,7 @@
       "category": "Powertrain",
       "severity": "High",
       "system": "Throttle Control",
-      "possible_causes": [
-        "TPS circuit shorted to voltage",
-        "Faulty TPS sensor",
-        "Wiring harness open",
-        "ECM problem"
-      ]
+      "possible_causes": ["TPS circuit shorted to voltage", "Faulty TPS sensor", "Wiring harness open", "ECM problem"]
     },
     "P0125": {
       "code": "P0125",
@@ -865,12 +860,7 @@
       "category": "Powertrain",
       "severity": "Medium",
       "system": "Emissions Control",
-      "possible_causes": [
-        "EGR valve stuck closed",
-        "EGR passages clogged",
-        "Faulty EGR valve",
-        "Vacuum leak"
-      ]
+      "possible_causes": ["EGR valve stuck closed", "EGR passages clogged", "Faulty EGR valve", "Vacuum leak"]
     },
     "P0401": {
       "code": "P0401",
@@ -891,12 +881,7 @@
       "category": "Powertrain",
       "severity": "Medium",
       "system": "Emissions Control",
-      "possible_causes": [
-        "EGR valve stuck open",
-        "Faulty EGR valve",
-        "EGR vacuum solenoid fault",
-        "ECM problem"
-      ]
+      "possible_causes": ["EGR valve stuck open", "Faulty EGR valve", "EGR vacuum solenoid fault", "ECM problem"]
     },
     "P0403": {
       "code": "P0403",
@@ -958,12 +943,7 @@
       "category": "Powertrain",
       "severity": "Low",
       "system": "Emissions Control",
-      "possible_causes": [
-        "Loose or missing fuel cap",
-        "EVAP system leak",
-        "Faulty purge valve",
-        "Faulty vent valve"
-      ]
+      "possible_causes": ["Loose or missing fuel cap", "EVAP system leak", "Faulty purge valve", "Faulty vent valve"]
     },
     "P0441": {
       "code": "P0441",
@@ -1075,12 +1055,7 @@
       "category": "Powertrain",
       "severity": "Low",
       "system": "Idle Control",
-      "possible_causes": [
-        "Vacuum leak",
-        "IAC valve fault",
-        "Dirty throttle body",
-        "PCV valve problem"
-      ]
+      "possible_causes": ["Vacuum leak", "IAC valve fault", "Dirty throttle body", "PCV valve problem"]
     },
     "P0507": {
       "code": "P0507",
@@ -1088,12 +1063,7 @@
       "category": "Powertrain",
       "severity": "Low",
       "system": "Idle Control",
-      "possible_causes": [
-        "Vacuum leak",
-        "IAC valve stuck open",
-        "PCV valve stuck open",
-        "EVAP purge valve leaking"
-      ]
+      "possible_causes": ["Vacuum leak", "IAC valve stuck open", "PCV valve stuck open", "EVAP purge valve leaking"]
     },
     "P0600": {
       "code": "P0600",
@@ -1127,12 +1097,7 @@
       "category": "Powertrain",
       "severity": "Critical",
       "system": "Engine Control Module",
-      "possible_causes": [
-        "ECM not programmed",
-        "ECM programming incomplete",
-        "Wrong software version",
-        "ECM fault"
-      ]
+      "possible_causes": ["ECM not programmed", "ECM programming incomplete", "Wrong software version", "ECM fault"]
     },
     "P0603": {
       "code": "P0603",
@@ -1205,12 +1170,7 @@
       "category": "Powertrain",
       "severity": "Medium",
       "system": "Charging System",
-      "possible_causes": [
-        "Faulty alternator",
-        "Wiring harness problem",
-        "Poor electrical connection",
-        "ECM fault"
-      ]
+      "possible_causes": ["Faulty alternator", "Wiring harness problem", "Poor electrical connection", "ECM fault"]
     },
     "P0625": {
       "code": "P0625",
@@ -1283,12 +1243,7 @@
       "category": "Powertrain",
       "severity": "High",
       "system": "Transmission",
-      "possible_causes": [
-        "Faulty input speed sensor",
-        "Wiring harness problem",
-        "Sensor reluctor damaged",
-        "TCM fault"
-      ]
+      "possible_causes": ["Faulty input speed sensor", "Wiring harness problem", "Sensor reluctor damaged", "TCM fault"]
     },
     "P0720": {
       "code": "P0720",
@@ -1491,12 +1446,7 @@
       "category": "Chassis",
       "severity": "High",
       "system": "ABS",
-      "possible_causes": [
-        "Faulty valve relay",
-        "Relay circuit problem",
-        "ABS module fault",
-        "Wiring harness issue"
-      ]
+      "possible_causes": ["Faulty valve relay", "Relay circuit problem", "ABS module fault", "Wiring harness issue"]
     },
     "C0161": {
       "code": "C0161",
@@ -2206,12 +2156,7 @@
       "category": "Body",
       "severity": "Low",
       "system": "Lighting System",
-      "possible_causes": [
-        "Burned out bulb",
-        "Wiring harness problem",
-        "Lamp socket corrosion",
-        "BCM fault"
-      ]
+      "possible_causes": ["Burned out bulb", "Wiring harness problem", "Lamp socket corrosion", "BCM fault"]
     },
     "B0601": {
       "code": "B0601",
@@ -2232,12 +2177,7 @@
       "category": "Body",
       "severity": "Low",
       "system": "Lighting System",
-      "possible_causes": [
-        "Burned out turn signal bulb",
-        "Wiring harness problem",
-        "Flasher relay fault",
-        "BCM fault"
-      ]
+      "possible_causes": ["Burned out turn signal bulb", "Wiring harness problem", "Flasher relay fault", "BCM fault"]
     },
     "B0603": {
       "code": "B0603",
@@ -2245,12 +2185,7 @@
       "category": "Body",
       "severity": "Low",
       "system": "Lighting System",
-      "possible_causes": [
-        "Burned out turn signal bulb",
-        "Wiring harness problem",
-        "Flasher relay fault",
-        "BCM fault"
-      ]
+      "possible_causes": ["Burned out turn signal bulb", "Wiring harness problem", "Flasher relay fault", "BCM fault"]
     },
     "B0604": {
       "code": "B0604",
@@ -2362,12 +2297,7 @@
       "category": "Body",
       "severity": "Low",
       "system": "Keyless Entry",
-      "possible_causes": [
-        "Key fob battery weak",
-        "Key fob not synchronized",
-        "BCM fault",
-        "Receiver antenna fault"
-      ]
+      "possible_causes": ["Key fob battery weak", "Key fob not synchronized", "BCM fault", "Receiver antenna fault"]
     },
     "B1300": {
       "code": "B1300",
@@ -2466,12 +2396,7 @@
       "category": "Network",
       "severity": "Critical",
       "system": "CAN Bus",
-      "possible_causes": [
-        "TCM not powered",
-        "CAN bus wiring problem",
-        "TCM internal fault",
-        "CAN bus short circuit"
-      ]
+      "possible_causes": ["TCM not powered", "CAN bus wiring problem", "TCM internal fault", "CAN bus short circuit"]
     },
     "U0102": {
       "code": "U0102",
@@ -2544,12 +2469,7 @@
       "category": "Network",
       "severity": "High",
       "system": "CAN Bus",
-      "possible_causes": [
-        "BCM not powered",
-        "CAN bus wiring problem",
-        "BCM internal fault",
-        "Ground connection issue"
-      ]
+      "possible_causes": ["BCM not powered", "CAN bus wiring problem", "BCM internal fault", "Ground connection issue"]
     },
     "U0141": {
       "code": "U0141",
@@ -2557,12 +2477,7 @@
       "category": "Network",
       "severity": "High",
       "system": "CAN Bus",
-      "possible_causes": [
-        "BCM not powered",
-        "CAN bus wiring problem",
-        "Module internal fault",
-        "Connector problem"
-      ]
+      "possible_causes": ["BCM not powered", "CAN bus wiring problem", "Module internal fault", "Connector problem"]
     },
     "U0151": {
       "code": "U0151",

oscura/automotive/flexray/fibex.py

@@ -299,7 +299,15 @@ class FIBEXImporter:
         if not fibex_path.exists():
             raise FileNotFoundError(f"FIBEX file not found: {fibex_path}")
 
-        tree = ET.parse(fibex_path)
+        # SEC-004: Protect against XXE attacks by disabling entity expansion
+        parser = ET.XMLParser()
+        try:
+            # Python < 3.12: entity attribute is writable
+            parser.entity = {}  # type: ignore[misc]
+        except AttributeError:
+            # Python >= 3.12: entity attribute is read-only, default behavior is safe
+            pass
+        tree = ET.parse(fibex_path, parser=parser)
         root = tree.getroot()
 
         # Extract cluster configuration

oscura/core/schemas/device_mapping.json

@@ -149,20 +149,14 @@
           "type": "array",
           "description": "Device IDs to include (whitelist)",
           "items": {
-            "oneOf": [
-              { "type": "integer" },
-              { "type": "string", "pattern": "^0[xX][0-9A-Fa-f]+$" }
-            ]
+            "oneOf": [{ "type": "integer" }, { "type": "string", "pattern": "^0[xX][0-9A-Fa-f]+$" }]
           }
         },
         "exclude_devices": {
           "type": "array",
           "description": "Device IDs to exclude (blacklist)",
           "items": {
-            "oneOf": [
-              { "type": "integer" },
-              { "type": "string", "pattern": "^0[xX][0-9A-Fa-f]+$" }
-            ]
+            "oneOf": [{ "type": "integer" }, { "type": "string", "pattern": "^0[xX][0-9A-Fa-f]+$" }]
           }
         },
         "include_categories": {

oscura/core/schemas/packet_format.json

@@ -118,10 +118,7 @@
               },
               "value": {
                 "description": "Expected constant value for validation",
-                "oneOf": [
-                  { "type": "integer" },
-                  { "type": "array", "items": { "type": "integer" } }
-                ]
+                "oneOf": [{ "type": "integer" }, { "type": "array", "items": { "type": "integer" } }]
               },
               "description": {
                 "type": "string",
@@ -188,18 +185,7 @@
             },
             "type": {
               "type": "string",
-              "enum": [
-                "uint8",
-                "uint16",
-                "uint32",
-                "uint64",
-                "int8",
-                "int16",
-                "int32",
-                "int64",
-                "float32",
-                "float64"
-              ],
+              "enum": ["uint8", "uint16", "uint32", "uint64", "int8", "int16", "int32", "int64", "float32", "float64"],
               "description": "Sample data type"
             },
             "endian": {
@@ -303,10 +289,7 @@
             },
             "expected": {
               "description": "Expected value",
-              "oneOf": [
-                { "type": "integer" },
-                { "type": "array", "items": { "type": "integer" } }
-              ]
+              "oneOf": [{ "type": "integer" }, { "type": "array", "items": { "type": "integer" } }]
             },
             "on_failure": {
               "type": "string",
@@ -379,10 +362,7 @@
             },
             "pattern": {
               "description": "Idle pattern to detect",
-              "oneOf": [
-                { "type": "string", "enum": ["auto", "zeros", "ones"] },
-                { "type": "integer" }
-              ]
+              "oneOf": [{ "type": "string", "enum": ["auto", "zeros", "ones"] }, { "type": "integer" }]
             },
             "min_duration": {
               "type": "integer",

oscura/core/schemas/protocol_definition.json

@@ -241,12 +241,7 @@
         },
         "value": {
           "description": "Expected constant value for validation",
-          "oneOf": [
-            { "type": "integer" },
-            { "type": "number" },
-            { "type": "string" },
-            { "type": "array" }
-          ]
+          "oneOf": [{ "type": "integer" }, { "type": "number" }, { "type": "string" }, { "type": "array" }]
         },
         "condition": {
           "type": "string",
@@ -331,12 +326,7 @@
             },
             "expected": {
               "description": "Expected value",
-              "oneOf": [
-                { "type": "integer" },
-                { "type": "number" },
-                { "type": "string" },
-                { "type": "array" }
-              ]
+              "oneOf": [{ "type": "integer" }, { "type": "number" }, { "type": "string" }, { "type": "array" }]
             },
             "on_mismatch": {
               "type": "string",

oscura/loaders/validation.py

@@ -475,24 +475,31 @@ class PacketValidator:
 
     @staticmethod
     def _crc32(data: bytes, poly: int = 0xEDB88320) -> int:
-        """Compute CRC-32 checksum.
+        """Compute CRC-32 checksum using native implementation.
 
         Args:
             data: Data to checksum.
             poly: CRC polynomial (default: 0xEDB88320 for CRC-32).
+                  Note: Only standard CRC-32 polynomial is supported by native implementation.
 
         Returns:
             CRC-32 value.
+
+        Note:
+            Uses zlib.crc32() for performance (~100x faster than pure Python).
+            Custom polynomials are not supported - raises ValueError if non-standard poly provided.
         """
-        crc = 0xFFFFFFFF
-        for byte in data:
-            crc ^= byte
-            for _ in range(8):
-                if crc & 1:
-                    crc = (crc >> 1) ^ poly
-                else:
-                    crc >>= 1
-        return crc ^ 0xFFFFFFFF
+        import zlib
+
+        # Verify standard CRC-32 polynomial (zlib only supports this)
+        if poly != 0xEDB88320:
+            raise ValueError(
+                f"Non-standard CRC polynomial {poly:#x} not supported by native implementation. "
+                "Only standard CRC-32 (0xEDB88320) is available."
+            )
+
+        # zlib.crc32 returns signed int on some platforms, mask to unsigned
+        return zlib.crc32(data) & 0xFFFFFFFF
 
     def get_statistics(self) -> ValidationStats:
         """Get aggregate validation statistics.

oscura/sessions/legacy.py

@@ -17,6 +17,7 @@ import gzip
 import hashlib
 import hmac
 import pickle
+import secrets
 from dataclasses import dataclass, field
 from datetime import datetime
 from enum import Enum
@@ -28,7 +29,45 @@ from oscura.core.exceptions import SecurityError
 # Session file format constants
 _SESSION_MAGIC = b"OSC1"  # Magic bytes for new format with signature
 _SESSION_SIGNATURE_SIZE = 32  # SHA256 hash size in bytes
-_SECURITY_KEY = hashlib.sha256(b"oscura-session-v1").digest()
+
+
+def _get_security_key() -> bytes:
+    """Get or generate per-installation session security key.
+
+    The key is generated once per installation and stored in ~/.oscura/session_key
+    with restrictive permissions (0o600). This provides better security than a
+    shared hardcoded key.
+
+    Returns:
+        32-byte security key for HMAC signing.
+    """
+    key_file = Path.home() / ".oscura" / "session_key"
+
+    if key_file.exists():
+        # Load existing key
+        try:
+            return key_file.read_bytes()
+        except (OSError, PermissionError):
+            # Fall back to generating new key if can't read
+            pass
+
+    # Generate new random key
+    key_file.parent.mkdir(parents=True, exist_ok=True)
+    key = secrets.token_bytes(32)
+
+    # Write with restrictive permissions
+    try:
+        key_file.write_bytes(key)
+        key_file.chmod(0o600)  # Owner read/write only
+    except (OSError, PermissionError):
+        # Can't write key file - continue with ephemeral key
+        # This happens in read-only filesystems or restricted environments
+        pass
+
+    return key
+
+
+_SECURITY_KEY = _get_security_key()
 
 
 class AnnotationType(Enum):
@@ -709,6 +748,15 @@ class Session:
 def load_session(path: str | Path) -> Session:
     """Load session from file.
 
+    This function implements HMAC-SHA256 signature verification before deserializing
+    session data to protect against tampering and malicious file modifications.
+
+    Security:
+        Session files are protected with HMAC-SHA256 signatures. Only load session
+        files from trusted sources. While HMAC verification prevents tampering,
+        the shared security key means all installations can verify each other's
+        files. Consider using per-installation keys for sensitive deployments.
+
     Args:
         path: Path to session file (.tks).
 

oscura/workflows/batch/aggregate.py

@@ -339,7 +339,11 @@ def _create_metric_plot(
         plot_file.parent.mkdir(parents=True, exist_ok=True)
         plt.savefig(plot_file)
     else:
-        plt.show()
+        # Try to show, but gracefully handle non-interactive backends
+        try:
+            plt.show()
+        except Exception:
+            pass  # Silently skip if backend doesn't support interactive display
 
 
 def _plot_histogram(