
Fix SDK minor bugs and publish v1.4.3 #33

Merged
thebenignhacker merged 1 commit into main from fix/sdk-minor-bugs-1.4.3
Mar 18, 2026

Conversation

@thebenignhacker
Contributor

Summary

  • Add base_url alias for CryptoClient constructor (backwards compat)
  • Clarify offline encrypt/decrypt docstrings (no context param in offline mode)
  • Bump version to 1.4.3, published to PyPI

Test plan

  • 173 Python tests pass
  • base_url alias verified working
  • Published to PyPI: cryptoserve 1.4.3

- Add base_url keyword alias to CryptoClient and AsyncCryptoClient for
  backwards compatibility with code that uses base_url instead of server_url
- Clarify easy.py encrypt/decrypt docstrings to explicitly state these are
  offline password-based functions, not server-connected operations
- Bump version to 1.4.3 and publish to PyPI
@thebenignhacker thebenignhacker merged commit 73ebc3f into main Mar 18, 2026
8 checks passed
@thebenignhacker thebenignhacker deleted the fix/sdk-minor-bugs-1.4.3 branch March 18, 2026 16:06
@github-actions

github-actions bot commented Mar 18, 2026

Claude finished @thebenignhacker's task

Security Review Complete ✅

Performed comprehensive security-focused review of PR #33.

Tasks

  • Read changed files
  • Analyze for injection vulnerabilities
  • Check authentication/authorization
  • Review deserialization and eval usage
  • Scan for hardcoded credentials
  • Check SSRF/redirect risks
  • Review cryptographic usage
  • Check for prototype pollution (JS)
  • Review regex for ReDoS
  • Check command injection vectors
  • Trace logic bugs in scoring/gating functions
  • Verify filter predicates
  • Review boolean expressions
  • Calculate findings count

Summary

This PR introduces minor SDK improvements with no security issues found. The changes are minimal and well-contained:

Changed Files Analysis

  1. CHANGELOG.md - Documentation update only
  2. __init__.py - Version bump (1.4.2 → 1.4.3)
  3. async_client.py - Added base_url parameter alias (lines 34-56)
  4. client.py - Added base_url parameter alias (lines 62-94)
  5. easy.py - Clarified docstrings for offline encryption (no code changes)
  6. pyproject.toml - Version bump

Security Assessment (12-Point Checklist)

1. Injection vulnerabilities: None. No SQL, command, or path traversal risks.

2. Authentication/authorization: No auth logic modified.

3. Insecure deserialization: No eval, exec, pickle, or dynamic code execution.

4. Hardcoded credentials: No secrets, keys, or credentials added.

5. SSRF/redirect risks: User-controlled URL is expected for client configuration. No automatic redirects.

6. Cryptographic misuse: No crypto operations modified. Docstring clarifications are accurate.

7. Prototype pollution: N/A (Python code only).

8. ReDoS: No regex patterns added or modified.

9. Command injection: No subprocess or shell commands.

10. Logic bugs: Parameter aliasing logic traced with 4 test cases - all correct:

  • server_url only → ✅ Uses server_url
  • base_url only → ✅ Uses base_url
  • Neither provided → ✅ Raises TypeError
  • Both provided → ✅ server_url takes precedence

11. Filter predicates: No filter logic modified.

12. Boolean expressions: The url = server_url or base_url pattern is correct. Traced through all cases without issues.

Key Observations

Backwards Compatibility Addition (async_client.py:41, client.py:74)

  • Added keyword-only base_url parameter as alias for server_url
  • Maintains backward compatibility while supporting alternative naming convention
  • Proper error handling: TypeError when neither parameter provided
  • Precedence logic: server_url takes priority if both provided

Docstring Improvements (easy.py:40-84)

  • Clarified that encrypt() and decrypt() are offline functions
  • Explicitly states "no server required" to prevent confusion with CryptoClient.encrypt()
  • Accurate technical description of behavior

Code Quality Notes

  • Clean implementation with proper error messages
  • No code duplication
  • Consistent pattern across sync/async clients
  • Well-documented changes in CHANGELOG.md

Result

FINDINGS_COUNT=0

No security vulnerabilities identified. This PR is safe to merge.


@github-actions

Manual review required. This PR did not meet auto-merge criteria:

  • Security review found issues (findings: unknown)
  • PR author 'thebenignhacker' is not in the trusted auto-merge list
  • Changes to protected path: sdk/python/packages/cryptoserve-core/cryptoserve_core/
  • PR is too new (2 min < 5 min minimum)
