fix: address all PR #504 review findings - security, performance, and robustness improvements

This commit addresses all 14 issues identified in PR #504 review, including
must-fix, strongly recommended, and nice-to-have items.

### Security Enhancements (Issues 3.1, 3.2, 3.3, 3.4)

Author: BinoyOza-okta

okta/config/config_setter.py

@@ -8,13 +8,14 @@
 # See the License for the specific language governing permissions and limitations under the License.
 # coding: utf-8
 
+import copy
 import logging
 import os
 
 import yaml
 
 from okta.constants import _GLOBAL_YAML_PATH, _LOCAL_YAML_PATH
-from okta.utils import flatten_dict, unflatten_dict, remove_empty_values
+from okta.utils import flatten_dict, unflatten_dict, remove_empty_values, deep_merge
 
 
 class ConfigSetter:
@@ -46,22 +47,26 @@ class ConfigSetter:
 
     def __init__(self):
         """
-        Consructor for Configuration Setter class. Sets default config
+        Constructor for Configuration Setter class. Sets default config
         and checks for configuration settings to update config.
         """
-        # Create configuration using default config
-        self._config = ConfigSetter._DEFAULT_CONFIG
+        # Create configuration using deep copy of default config
+        # This prevents shared mutable state across instances
+        self._config = copy.deepcopy(ConfigSetter._DEFAULT_CONFIG)
         # Update configuration
         self._update_config()
 
     def get_config(self):
         """
-        Return Okta client configuration
+        Return Okta client configuration.
+
+        Returns a deep copy to prevent external modification of internal state
+        and to avoid holding references to sensitive values.
 
         Returns:
-            dict -- Dictionary containing the client configuration
+            dict -- Deep copy of the client configuration dictionary
         """
-        return self._config
+        return copy.deepcopy(self._config)
 
     def _prune_config(self, config):
         """
@@ -113,32 +118,39 @@ def _apply_config(self, new_config: dict):
            overwriting values and adding new entries (if present).
 
         Arguments:
-            config {dict} -- A dictionary of client configuration details
+            new_config {dict} -- A dictionary of client configuration details
         """
-        # Update current configuration with new configuration
-        # Flatten both dictionaries to account for nested dictionary values
-        flat_current_client = flatten_dict(self._config["client"], delimiter="::")
-        flat_current_testing = flatten_dict(self._config["testing"], delimiter="::")
-
-        flat_new_client = flatten_dict(new_config.get("client", {}), delimiter="::")
-        flat_new_testing = flatten_dict(new_config.get("testing", {}), delimiter="::")
-
-        # Update with new values
-        flat_current_client.update(flat_new_client)
-        flat_current_testing.update(flat_new_testing)
-
-        # Update values in current config and unflatten
-        self._config = {
-            "client": unflatten_dict(flat_current_client, delimiter="::"),
-            "testing": unflatten_dict(flat_current_testing, delimiter="::"),
-        }
+        # Update current configuration with new configuration using deep merge
+        # Use 'or {}' to handle None values from YAML (e.g., "client: null")
+        if "client" in new_config:
+            self._config["client"] = deep_merge(
+                self._config["client"],
+                new_config.get("client") or {}
+            )
+        if "testing" in new_config:
+            self._config["testing"] = deep_merge(
+                self._config["testing"],
+                new_config.get("testing") or {}
+            )
 
     def _apply_yaml_config(self, path: str):
         """This method applies a YAML configuration to the Okta Client Config
 
         Arguments:
             path {string} -- The filepath of the corresponding YAML file
+
+        Raises:
+            ValueError: If config file exceeds maximum allowed size
         """
+        # Check file size before loading (prevent memory exhaustion)
+        MAX_CONFIG_SIZE = 1_048_576  # 1 MB - generous for config files
+        file_size = os.path.getsize(path)
+        if file_size > MAX_CONFIG_SIZE:
+            raise ValueError(
+                f"Config file {path} ({file_size} bytes) exceeds maximum "
+                f"allowed size of {MAX_CONFIG_SIZE} bytes"
+            )
+
         # Start with empty config
         config = {}
         with open(path, "r") as file:

okta/config/config_validator.py

@@ -49,7 +49,10 @@ def validate_config(self):
             ValueError: A configuration provided needs to be corrected.
         """
         errors = []
-        client = self._config.get("client")
+        # Defensive: default to empty dict if sections are missing
+        client = self._config.get("client", {})
+        _ = self._config.get("testing", {})
+
         # check org url
         errors += self._validate_org_url(client.get("orgUrl", ""))
         # check proxy settings if provided
@@ -143,8 +146,10 @@ def _validate_org_url(self, url: str):
         if not url:
             url_errors.append(ERROR_MESSAGE_ORG_URL_MISSING)
         # if url is not https (in non-testing env)
+        # Defensive: get testing section with default
+        testing = self._config.get("testing", {})
         if url and not (
-            self._config["testing"]["testingDisableHttpsCheck"]
+            testing.get("testingDisableHttpsCheck", False)
             or url.startswith("https")
         ):
             url_errors.append(

okta/utils.py

@@ -14,7 +14,7 @@
 
 from datetime import datetime as dt
 from enum import Enum
-from typing import Any, Dict
+from typing import Any
 from urllib.parse import urlsplit, urlunsplit
 
 from okta.constants import DATETIME_FORMAT, EPOCH_DAY, EPOCH_MONTH, EPOCH_YEAR
@@ -85,18 +85,30 @@ def convert_absolute_url_into_relative_url(absolute_url):
 # These replace the external flatdict dependency
 
 
-def flatten_dict(d: Dict[str, Any], parent_key: str = '', delimiter: str = '::') -> Dict[str, Any]:
+def flatten_dict(
+    d: dict[str, Any],
+    parent_key: str = '',
+    delimiter: str = '::',
+    _depth: int = 0,
+    max_depth: int = 100
+) -> dict[str, Any]:
     """
     Flatten a nested dictionary into a single-level dictionary.
 
     Args:
         d: The dictionary to flatten
         parent_key: The base key to prepend to all keys (used in recursion)
         delimiter: The delimiter to use when joining keys (default '::' to avoid collision with snake_case)
+        _depth: Internal recursion depth counter (do not set manually)
+        max_depth: Maximum allowed nesting depth (default 100)
 
     Returns:
         A flattened dictionary with delimited keys
 
+    Raises:
+        TypeError: If d is not a dictionary
+        ValueError: If nesting depth exceeds max_depth
+
     Examples:
         >>> flatten_dict({'a': {'b': 1, 'c': 2}})
         {'a::b': 1, 'a::c': 2}
@@ -107,17 +119,26 @@ def flatten_dict(d: Dict[str, Any], parent_key: str = '', delimiter: str = '::')
         >>> flatten_dict({'user_name': {'first_name': 'John'}})
         {'user_name::first_name': 'John'}
     """
-    items = []
+    if not isinstance(d, dict):
+        raise TypeError(f"flatten_dict expects dict, got {type(d).__name__}")
+
+    if _depth > max_depth:
+        raise ValueError(
+            f"Dictionary nesting depth exceeds maximum allowed depth of {max_depth}. "
+            f"This may indicate a circular reference or malformed configuration."
+        )
+
+    result = {}
     for key, value in d.items():
         new_key = f"{parent_key}{delimiter}{key}" if parent_key else key
         if isinstance(value, dict):
-            items.extend(flatten_dict(value, new_key, delimiter).items())
+            result.update(flatten_dict(value, new_key, delimiter, _depth + 1, max_depth))
         else:
-            items.append((new_key, value))
-    return dict(items)
+            result[new_key] = value
+    return result
 
 
-def unflatten_dict(d: Dict[str, Any], delimiter: str = '::') -> Dict[str, Any]:
+def unflatten_dict(d: dict[str, Any], delimiter: str = '::') -> dict[str, Any]:
     """
     Unflatten a dictionary with delimited keys into a nested structure.
 
@@ -128,62 +149,119 @@ def unflatten_dict(d: Dict[str, Any], delimiter: str = '::') -> Dict[str, Any]:
     Returns:
         A nested dictionary
 
+    Raises:
+        TypeError: If d is not a dictionary
+        ValueError: If there are conflicting keys (key is both a leaf value and a nested dict)
+
     Examples:
-        >>> unflatten_dict({'a_b': 1, 'a_c': 2})
+        >>> unflatten_dict({'a::b': 1, 'a::c': 2})
         {'a': {'b': 1, 'c': 2}}
 
-        >>> unflatten_dict({'x_y_z': 3})
+        >>> unflatten_dict({'x::y::z': 3})
         {'x': {'y': {'z': 3}}}
+
+        >>> unflatten_dict({'a_b': 1, 'a_c': 2}, delimiter='_')
+        {'a': {'b': 1, 'c': 2}}
     """
-    result: Dict[str, Any] = {}
+    if not isinstance(d, dict):
+        raise TypeError(f"unflatten_dict expects dict, got {type(d).__name__}")
+
+    result: dict[str, Any] = {}
     for key, value in d.items():
         parts = key.split(delimiter)
         current = result
-        for part in parts[:-1]:
+        for i, part in enumerate(parts[:-1]):
             if part not in current:
                 current[part] = {}
+            elif not isinstance(current[part], dict):
+                # Conflict: trying to traverse into a leaf value
+                conflicting_key = delimiter.join(parts[:i + 1])
+                raise ValueError(
+                    f"Key conflict in unflatten_dict: '{conflicting_key}' is both "
+                    f"a leaf value and a nested dictionary"
+                )
             current = current[part]
+
+        # Check final key conflict
+        if parts[-1] in current and isinstance(current[parts[-1]], dict):
+            raise ValueError(
+                f"Key conflict in unflatten_dict: '{key}' would overwrite "
+                f"existing nested dictionary"
+            )
+
         current[parts[-1]] = value
     return result
 
 
-def deep_merge(base: Dict[str, Any], updates: Dict[str, Any]) -> Dict[str, Any]:
+def deep_merge(
+    base: dict[str, Any],
+    updates: dict[str, Any],
+    _depth: int = 0,
+    max_depth: int = 100
+) -> dict[str, Any]:
     """
     Deep merge two dictionaries, with updates overriding base values.
 
     Args:
         base: The base dictionary
         updates: Dictionary with values to merge/override
+        _depth: Internal recursion depth counter (do not set manually)
+        max_depth: Maximum allowed nesting depth (default 100)
 
     Returns:
         A new dictionary with merged values
 
+    Raises:
+        TypeError: If base or updates is not a dictionary
+        ValueError: If nesting depth exceeds max_depth
+
     Examples:
         >>> deep_merge({'a': 1, 'b': 2}, {'b': 3, 'c': 4})
         {'a': 1, 'b': 3, 'c': 4}
 
         >>> deep_merge({'a': {'b': 1}}, {'a': {'c': 2}})
         {'a': {'b': 1, 'c': 2}}
     """
+    if not isinstance(base, dict):
+        raise TypeError(f"deep_merge base expects dict, got {type(base).__name__}")
+    if not isinstance(updates, dict):
+        raise TypeError(f"deep_merge updates expects dict, got {type(updates).__name__}")
+
+    if _depth > max_depth:
+        raise ValueError(
+            f"Dictionary nesting depth exceeds maximum allowed depth of {max_depth}. "
+            f"This may indicate a circular reference or malformed configuration."
+        )
+
     result = base.copy()
     for key, value in updates.items():
         if key in result and isinstance(result[key], dict) and isinstance(value, dict):
-            result[key] = deep_merge(result[key], value)
+            result[key] = deep_merge(result[key], value, _depth + 1, max_depth)
         else:
             result[key] = value
     return result
 
 
-def remove_empty_values(d: Dict[str, Any]) -> Dict[str, Any]:
+def remove_empty_values(
+    d: dict[str, Any],
+    _depth: int = 0,
+    max_depth: int = 100
+) -> dict[str, Any]:
     """
     Recursively remove empty string values from a nested dictionary.
 
     Args:
         d: The dictionary to clean
+        _depth: Internal recursion depth counter (do not set manually)
+        max_depth: Maximum allowed nesting depth (default 100)
 
     Returns:
         A new dictionary with empty strings removed
 
+    Raises:
+        TypeError: If d is not a dictionary
+        ValueError: If nesting depth exceeds max_depth
+
     Examples:
         >>> remove_empty_values({'a': '', 'b': 'value'})
         {'b': 'value'}
@@ -194,10 +272,19 @@ def remove_empty_values(d: Dict[str, Any]) -> Dict[str, Any]:
     Note:
         Only removes empty strings (""), not other falsy values like None, 0, False, []
     """
+    if not isinstance(d, dict):
+        raise TypeError(f"remove_empty_values expects dict, got {type(d).__name__}")
+
+    if _depth > max_depth:
+        raise ValueError(
+            f"Dictionary nesting depth exceeds maximum allowed depth of {max_depth}. "
+            f"This may indicate a circular reference or malformed configuration."
+        )
+
     result = {}
     for key, value in d.items():
         if isinstance(value, dict):
-            nested = remove_empty_values(value)
+            nested = remove_empty_values(value, _depth + 1, max_depth)
             if nested:  # Only add if nested dict is not empty after cleaning
                 result[key] = nested
         elif value != "":

tests/test_config_setter.py

@@ -13,8 +13,6 @@
 """
 
 import os
-import pytest
-import tempfile
 import yaml
 
 from okta.config.config_setter import ConfigSetter
@@ -61,7 +59,7 @@ def test_apply_config_merges_nested_dicts(self):
         config_setter = ConfigSetter()
 
         # Get initial config
-        initial_token = config_setter._config["client"].get("token", "")
+        _ = config_setter._config["client"].get("token", "")
 
         # Apply new config
         new_config = {