Harden fm_shim_frontend URI and desktop-file handling#3
Conversation
|
Summary URI parsing previously relied on string prefix/slicing (file:///...) rather than proper URL parsing, which is fragile for encoded/edge-case inputs. The control-character filter loop was ineffective (it never rejected bad characters). The default file manager .desktop value from xdg-mime was not validated as a filename before path construction. Security hardening changes made: Added robust URI parsing/decoding with urlsplit + unquote. Restricted accepted URIs to local file: URLs only (netloc is "" or "localhost"). Properly reject decoded paths containing control characters. Added strict validation for xdg-mime result (non-empty, no /, must end with .desktop). I committed the fix on the current branch: e533ddb7. I also created the PR message via the make_pr tool as requested. |
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 99b74d7fe4
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| ## "file:///" is 8 characters long, but we want to keep the leading /, | ||
| ## so we only remove the first 7 characters. | ||
| path_item: Path = Path(uri[7:]) | ||
| path_item: Path = Path(path_str) |
There was a problem hiding this comment.
The new urlsplit-based parsing accepts any file: URI with empty/localhost authority, but it never validates that uri_components.path is absolute before Path(path_str) is constructed. Inputs like file://localhost (empty path) and file:tmp (relative path) now resolve to Path('')/Path('tmp'), which are interpreted relative to the process working directory and can cause the shim to prompt/open unintended directories; previously these were rejected by the strict file:/// prefix check.
Useful? React with 👍 / 👎.
1 participant
Motivation
file:///URIs which is fragile and can mishandle percent-encoded or edge-case inputs.xdg-mimeoutput was used without validating it as a simple.desktopfilename, risking malformed or attacker-controlled values being used as paths.Description
urllib.parse.urlsplitandunquoteto robustly parse and decode incoming URIs.file:URLs by checkingschemeand allowing only empty orlocalhostnetloc.Pathand before any filesystem checks.xdg-mimeresult to ensure it is a non-empty plain filename that does not contain/and ends with.desktopbefore constructing a path to the desktop file.usr/lib/python3/dist-packages/fm_shim_frontend/fm_shim_frontend.py.Testing
python3 -m py_compile usr/lib/python3/dist-packages/fm_shim_frontend/fm_shim_frontend.pywhich completed successfully.Codex Task