curo/Pyra
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: remove self-defeating assert_safe_path from vault modules, clarify traversal test scope

Browse Source 
vault/reader.py, vault/writer.py: removed assert_safe_path() calls — that guard is
for protecting the vault FROM external modules, not from within vault code itself.
Vault security comes from BLOCKED_PREFIXES preventing memory/reader from entering vault.

test_path_traversal.py: split into REAL_TRAVERSAL (blocks read+write) vs
READ_ONLY_SAFE patterns (URL-encoded, backslash — harmless on Python/macOS because
Path does not decode percent-encoding; raises FileNotFoundError on read only).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
curo1305
2026-05-17 12:59:59 +02:00
parent 27b32cb4d1
commit 6e138bcec2
3 changed files with 32 additions and 26 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/pyra/vault/reader.py
+1 -4
View File
@@ -1,16 +1,13 @@
import json
from pathlib import Path
from pyra.security.boundaries import assert_safe_path
from pyra.utils.paths import pyra_home, safe_chmod
_KEYS_FILE = pyra_home() / "vault" / "secrets" / "api_keys.json"
def get_key(provider_id: str) -> str | None:
"""Read an API key from the vault. Never exposed to the AI."""
assert_safe_path(_KEYS_FILE) # defense-in-depth
"""Read an API key from the vault. Called only by the chat session, not by the AI."""
if not _KEYS_FILE.exists():
return None
src/pyra/vault/writer.py
-5
View File
@@ -1,7 +1,6 @@
import json
from pathlib import Path
from pyra.security.boundaries import assert_safe_path
from pyra.utils.paths import ensure_dir, pyra_home, safe_chmod
_KEYS_FILE = pyra_home() / "vault" / "secrets" / "api_keys.json"
@@ -9,8 +8,6 @@ _KEYS_FILE = pyra_home() / "vault" / "secrets" / "api_keys.json"
def set_key(provider_id: str, api_key: str) -> None:
"""Store an API key in the vault. Called only by the setup wizard."""
assert_safe_path(_KEYS_FILE) # defense-in-depth
ensure_dir(_KEYS_FILE.parent, 0o700)
# Temporarily make writable to update
@@ -28,8 +25,6 @@ def set_key(provider_id: str, api_key: str) -> None:
def delete_key(provider_id: str) -> bool:
"""Remove an API key from the vault. Returns True if key existed."""
assert_safe_path(_KEYS_FILE)
if not _KEYS_FILE.exists():
return False