tree-sitter-analyzer 1.9.17.1__py3-none-any.whl

tree_sitter_analyzer/security/boundary_manager.py

@@ -0,0 +1,277 @@
+#!/usr/bin/env python3
+"""
+Project Boundary Manager for Tree-sitter Analyzer
+
+Provides strict project boundary control to prevent access to files
+outside the designated project directory.
+"""
+
+from pathlib import Path
+
+from ..exceptions import SecurityError
+from ..utils import log_debug, log_info, log_warning
+
+
+class ProjectBoundaryManager:
+    """
+    Project boundary manager for access control.
+
+    This class enforces strict boundaries around project directories
+    to prevent unauthorized file access outside the project scope.
+
+    Features:
+    - Real path resolution for symlink protection
+    - Configurable allowed directories
+    - Comprehensive boundary checking
+    - Audit logging for security events
+    """
+
+    def __init__(self, project_root: str) -> None:
+        """
+        Initialize project boundary manager.
+
+        Args:
+            project_root: Root directory of the project
+
+        Raises:
+            SecurityError: If project root is invalid
+        """
+        if not project_root:
+            raise SecurityError("Project root cannot be empty")
+
+        try:
+            project_path = Path(project_root)
+
+            # Handle both string and Path objects
+            if isinstance(project_root, str):
+                project_path = Path(project_root)
+            else:
+                raise SecurityError(f"Invalid project root type: {type(project_root)}")
+
+            # Ensure the path exists and is a directory
+            if not project_path.exists():
+                raise SecurityError(f"Project root does not exist: {project_root}")
+
+            if not project_path.is_dir():
+                raise SecurityError(f"Project root is not a directory: {project_root}")
+
+            # Store real path to prevent symlink attacks
+            self.project_root = str(project_path.resolve())
+            self.allowed_directories: set[str] = {self.project_root}
+
+            log_debug(
+                f"ProjectBoundaryManager initialized with root: {self.project_root}"
+            )
+
+        except Exception as e:
+            if isinstance(e, SecurityError):
+                raise
+            raise SecurityError(
+                f"Failed to initialize ProjectBoundaryManager: {e}"
+            ) from e
+
+    def add_allowed_directory(self, directory: str) -> None:
+        """
+        Add an additional allowed directory.
+
+        Args:
+            directory: Directory path to allow access to
+
+        Raises:
+            SecurityError: If directory is invalid
+        """
+        if not directory:
+            raise SecurityError("Directory cannot be empty")
+
+        dir_path = Path(directory)
+        if not dir_path.exists():
+            raise SecurityError(f"Directory does not exist: {directory}")
+
+        if not dir_path.is_dir():
+            raise SecurityError(f"Path is not a directory: {directory}")
+
+        real_dir = str(dir_path.resolve())
+        self.allowed_directories.add(real_dir)
+
+        log_info(f"Added allowed directory: {real_dir}")
+
+    def is_within_project(self, file_path: str) -> bool:
+        """
+        Check if file path is within project boundaries.
+
+        Args:
+            file_path: File path to check
+
+        Returns:
+            True if path is within allowed boundaries
+        """
+        try:
+            if not file_path:
+                log_warning("Empty file path provided to boundary check")
+                return False
+
+            # Resolve real path to handle symlinks
+            real_path = str(Path(file_path).resolve())
+
+            # Check against all allowed directories
+            for allowed_dir in self.allowed_directories:
+                # Use pathlib to check if path is within allowed directory
+                try:
+                    Path(real_path).relative_to(Path(allowed_dir))
+                    log_debug(f"File path within boundaries: {file_path}")
+                    return True
+                except ValueError:
+                    # Path is not within this allowed directory, continue checking
+                    continue
+
+            log_warning(f"File path outside boundaries: {file_path} -> {real_path}")
+            return False
+
+        except Exception as e:
+            log_warning(f"Boundary check error for {file_path}: {e}")
+            return False
+
+    def get_relative_path(self, file_path: str) -> str | None:
+        """
+        Get relative path from project root if within boundaries.
+
+        Args:
+            file_path: File path to convert
+
+        Returns:
+            Relative path from project root, or None if outside boundaries
+        """
+        if not self.is_within_project(file_path):
+            return None
+
+        try:
+            real_path = Path(file_path).resolve()
+            try:
+                rel_path = real_path.relative_to(Path(self.project_root))
+            except ValueError:
+                # Path is not relative to project root
+                log_warning(f"Path not relative to project root: {file_path}")
+                return None
+
+            # Ensure relative path doesn't start with ..
+            if str(rel_path).startswith(".."):
+                log_warning(f"Relative path calculation failed: {rel_path}")
+                return None
+
+            return str(rel_path)
+
+        except Exception as e:
+            log_warning(f"Relative path calculation error: {e}")
+            return None
+
+    def validate_and_resolve_path(self, file_path: str) -> str | None:
+        """
+        Validate path and return resolved absolute path if within boundaries.
+
+        Args:
+            file_path: File path to validate and resolve
+
+        Returns:
+            Resolved absolute path if valid, None otherwise
+        """
+        try:
+            # Handle relative paths from project root
+            file_path_obj = Path(file_path)
+            if not file_path_obj.is_absolute():
+                full_path = Path(self.project_root) / file_path
+            else:
+                full_path = file_path_obj
+
+            # Check boundaries
+            if not self.is_within_project(str(full_path)):
+                return None
+
+            # Return real path
+            return str(full_path.resolve())
+
+        except Exception as e:
+            log_warning(f"Path validation error: {e}")
+            return None
+
+    def list_allowed_directories(self) -> set[str]:
+        """
+        Get list of all allowed directories.
+
+        Returns:
+            Set of allowed directory paths
+        """
+        return self.allowed_directories.copy()
+
+    def is_symlink_safe(self, file_path: str) -> bool:
+        """
+        Check if file path is safe from symlink attacks.
+
+        Args:
+            file_path: File path to check
+
+        Returns:
+            True if path is safe from symlink attacks
+        """
+        try:
+            file_path_obj = Path(file_path)
+            if not file_path_obj.exists():
+                return True  # Non-existent files are safe
+
+            # If the fully resolved path is within project boundaries, we treat it as safe.
+            # This makes the check tolerant to system-level symlinks like
+            # /var -> /private/var on macOS runners.
+            resolved = str(file_path_obj.resolve())
+            if self.is_within_project(resolved):
+                return True
+
+            # Otherwise, inspect each path component symlink to ensure no hop jumps outside
+            # the allowed directories.
+            path_parts = file_path_obj.parts
+            current_path = Path()
+
+            for part in path_parts:
+                current_path = current_path / part if current_path.parts else Path(part)
+
+                if current_path.is_symlink():
+                    target = str(current_path.resolve())
+                    if not self.is_within_project(target):
+                        log_warning(
+                            f"Unsafe symlink detected: {current_path} -> {target}"
+                        )
+                        return False
+
+            # If no unsafe hop found, consider safe
+            return True
+
+        except Exception as e:
+            log_warning(f"Symlink safety check error: {e}")
+            return False
+
+    def audit_access(self, file_path: str, operation: str) -> None:
+        """
+        Log file access for security auditing.
+
+        Args:
+            file_path: File path being accessed
+            operation: Type of operation (read, write, analyze, etc.)
+        """
+        is_within = self.is_within_project(file_path)
+        status = "ALLOWED" if is_within else "DENIED"
+
+        log_info(f"AUDIT: {status} {operation} access to {file_path}")
+
+        if not is_within:
+            log_warning(f"SECURITY: Unauthorized access attempt to {file_path}")
+
+    def __str__(self) -> str:
+        """String representation of boundary manager."""
+        return f"ProjectBoundaryManager(root={self.project_root}, allowed_dirs={len(self.allowed_directories)})"
+
+    def __repr__(self) -> str:
+        """Detailed representation of boundary manager."""
+        return (
+            f"ProjectBoundaryManager("
+            f"project_root='{self.project_root}', "
+            f"allowed_directories={self.allowed_directories}"
+            f")"
+        )

tree_sitter_analyzer/security/regex_checker.py

@@ -0,0 +1,297 @@
+#!/usr/bin/env python3
+"""
+Regex Safety Checker for Tree-sitter Analyzer
+
+Provides ReDoS (Regular Expression Denial of Service) attack prevention
+by analyzing regex patterns for potentially dangerous constructs.
+"""
+
+import re
+import time
+
+from ..utils import log_debug, log_warning
+
+
+class RegexSafetyChecker:
+    """
+    Regex safety checker for ReDoS attack prevention.
+
+    This class analyzes regular expressions for patterns that could
+    lead to catastrophic backtracking and ReDoS attacks.
+
+    Features:
+    - Pattern complexity analysis
+    - Dangerous construct detection
+    - Execution time monitoring
+    - Safe pattern compilation
+    """
+
+    # Maximum allowed pattern length
+    MAX_PATTERN_LENGTH = 1000
+
+    # Maximum execution time for pattern testing (seconds)
+    MAX_EXECUTION_TIME = 1.0
+
+    # Dangerous regex patterns that can cause ReDoS
+    DANGEROUS_PATTERNS = [
+        # Nested quantifiers
+        r"\(.+\)\+",  # (a+)+
+        r"\(.*\)\*",  # (a*)*
+        r"\(.{0,}\)\+",  # (.{0,})+
+        r"\(.+\)\{.*\}",  # (a+){n,m}
+        # Alternation with overlap
+        r"\(a\|a\)\*",  # (a|a)*
+        r"\([^|]*\|[^|]*\)\+",  # (abc|abd)+
+        # Exponential backtracking patterns
+        r"\(.*\)\1",  # (.*)\1 - backreference
+        r"\(\?\=.*\)\+",  # (?=.*)+
+        r"\(\?\!.*\)\+",  # (?!.*)+
+        r"\(\?\<\=.*\)\+",  # (?<=.*)+
+        r"\(\?\<\!.*\)\+",  # (?<!.*)+
+        # Catastrophic patterns
+        r"\([^)]*\+[^)]*\)\+",  # Nested + quantifiers
+        r"\([^)]*\*[^)]*\)\*",  # Nested * quantifiers
+    ]
+
+    def __init__(self) -> None:
+        """Initialize regex safety checker."""
+        log_debug("RegexSafetyChecker initialized")
+
+    def validate_pattern(self, pattern: str) -> tuple[bool, str]:
+        """
+        Validate regex pattern for safety.
+
+        Args:
+            pattern: Regex pattern to validate
+
+        Returns:
+            Tuple of (is_safe, error_message)
+
+        Example:
+            >>> checker = RegexSafetyChecker()
+            >>> is_safe, error = checker.validate_pattern(r"hello.*world")
+            >>> assert is_safe
+        """
+        try:
+            # Basic validation
+            if not pattern or not isinstance(pattern, str):
+                return False, "Pattern must be a non-empty string"
+
+            # Length check
+            if len(pattern) > self.MAX_PATTERN_LENGTH:
+                return (
+                    False,
+                    f"Pattern too long: {len(pattern)} > {self.MAX_PATTERN_LENGTH}",
+                )
+
+            # Check for dangerous patterns
+            dangerous_found = self._check_dangerous_patterns(pattern)
+            if dangerous_found:
+                return (
+                    False,
+                    f"Potentially dangerous regex pattern detected: {dangerous_found}",
+                )
+
+            # Compilation check
+            compilation_error = self._check_compilation(pattern)
+            if compilation_error:
+                return False, f"Invalid regex pattern: {compilation_error}"
+
+            # Performance check
+            performance_error = self._check_performance(pattern)
+            if performance_error:
+                return False, f"Pattern performance issue: {performance_error}"
+
+            log_debug(f"Regex pattern validation passed: {pattern}")
+            return True, ""
+
+        except Exception as e:
+            log_warning(f"Regex validation error: {e}")
+            return False, f"Validation error: {str(e)}"
+
+    def _check_dangerous_patterns(self, pattern: str) -> str | None:
+        """
+        Check for known dangerous regex patterns.
+
+        Args:
+            pattern: Pattern to check
+
+        Returns:
+            Description of dangerous pattern found, or None if safe
+        """
+        for dangerous_pattern in self.DANGEROUS_PATTERNS:
+            try:
+                if re.search(dangerous_pattern, pattern):
+                    log_warning(
+                        f"Dangerous pattern detected: {dangerous_pattern} in {pattern}"
+                    )
+                    return dangerous_pattern
+            except re.error:
+                # If the dangerous pattern itself is invalid, skip it
+                continue
+
+        return None
+
+    def _check_compilation(self, pattern: str) -> str | None:
+        """
+        Check if pattern compiles successfully.
+
+        Args:
+            pattern: Pattern to compile
+
+        Returns:
+            Error message if compilation fails, None if successful
+        """
+        try:
+            re.compile(pattern)
+            return None
+        except re.error as e:
+            log_warning(f"Regex compilation failed: {e}")
+            return str(e)
+
+    def _check_performance(self, pattern: str) -> str | None:
+        """
+        Check pattern performance with test strings.
+
+        Args:
+            pattern: Pattern to test
+
+        Returns:
+            Error message if performance is poor, None if acceptable
+        """
+        try:
+            compiled_pattern = re.compile(pattern)
+
+            # Test strings that might cause backtracking
+            test_strings = [
+                "a" * 100,  # Long string of same character
+                "ab" * 50,  # Alternating pattern
+                "x" * 50 + "y",  # Long string with different ending
+                "a" * 30 + "b" * 30 + "c" * 30,  # Mixed long string
+            ]
+
+            for test_string in test_strings:
+                start_time = time.time()
+
+                try:
+                    # Test both search and match operations
+                    compiled_pattern.search(test_string)
+                    compiled_pattern.match(test_string)
+
+                    execution_time = time.time() - start_time
+
+                    if execution_time > self.MAX_EXECUTION_TIME:
+                        log_warning(
+                            f"Regex performance issue: {execution_time:.3f}s > {self.MAX_EXECUTION_TIME}s"
+                        )
+                        return f"Pattern execution too slow: {execution_time:.3f}s"
+
+                except Exception as e:
+                    log_warning(f"Regex execution error: {e}")
+                    return f"Pattern execution error: {str(e)}"
+
+            return None
+
+        except Exception as e:
+            log_warning(f"Performance check error: {e}")
+            return f"Performance check failed: {str(e)}"
+
+    def analyze_complexity(self, pattern: str) -> dict:
+        """
+        Analyze regex pattern complexity.
+
+        Args:
+            pattern: Pattern to analyze
+
+        Returns:
+            Dictionary with complexity metrics
+        """
+        try:
+            metrics = {
+                "length": len(pattern),
+                "quantifiers": len(re.findall(r"[+*?{]", pattern)),
+                "groups": len(re.findall(r"\(", pattern)),
+                "alternations": len(re.findall(r"\|", pattern)),
+                "character_classes": len(re.findall(r"\[", pattern)),
+                "anchors": len(re.findall(r"[\^$]", pattern)),
+                "complexity_score": 0,
+            }
+
+            # Calculate complexity score
+            metrics["complexity_score"] = (
+                int(metrics["length"] * 0.1)
+                + metrics["quantifiers"] * 2
+                + int(metrics["groups"] * 1.5)
+                + metrics["alternations"] * 3
+                + metrics["character_classes"] * 1
+            )
+
+            return metrics
+
+        except Exception as e:
+            log_warning(f"Complexity analysis error: {e}")
+            return {"error": str(e)}
+
+    def suggest_safer_pattern(self, pattern: str) -> str | None:
+        """
+        Suggest a safer alternative for dangerous patterns.
+
+        Args:
+            pattern: Original pattern
+
+        Returns:
+            Suggested safer pattern, or None if no suggestion available
+        """
+        # Only suggest for patterns that are actually dangerous
+        is_dangerous = self._check_dangerous_patterns(pattern)
+        if not is_dangerous:
+            return None
+
+        # Simple pattern replacements for common dangerous cases
+        replacements = {
+            r"\(.+\)\+": r"[^\\s]+",  # Replace (a+)+ with [^\s]+
+            r"\(.*\)\*": r"[^\\s]*",  # Replace (.*)* with [^\s]*
+        }
+
+        for dangerous, safer in replacements.items():
+            if re.search(dangerous, pattern):
+                suggested = re.sub(dangerous, safer, pattern)
+                log_debug(f"Suggested safer pattern: {pattern} -> {suggested}")
+                return suggested
+
+        return None
+
+    def get_safe_flags(self) -> int:
+        """
+        Get recommended safe regex flags.
+
+        Returns:
+            Combination of safe regex flags
+        """
+        # Use flags that prevent some ReDoS attacks
+        return re.MULTILINE | re.DOTALL
+
+    def create_safe_pattern(
+        self, pattern: str, flags: int | None = None
+    ) -> re.Pattern | None:
+        """
+        Create a safely compiled regex pattern.
+
+        Args:
+            pattern: Pattern to compile
+            flags: Optional regex flags
+
+        Returns:
+            Compiled pattern if safe, None if dangerous
+        """
+        is_safe, error = self.validate_pattern(pattern)
+        if not is_safe:
+            log_warning(f"Cannot create unsafe pattern: {error}")
+            return None
+
+        try:
+            safe_flags = flags if flags is not None else self.get_safe_flags()
+            return re.compile(pattern, safe_flags)
+        except re.error as e:
+            log_warning(f"Pattern compilation failed: {e}")
+            return None