2 Commits

Author SHA1 Message Date
curo1305 976d2ca2de feat(05-02): implement cloud_utils.py — SSRF validation and HKDF credential encryption
- validate_cloud_url(): blocks RFC-1918 (10.x, 172.16.x, 192.168.x), loopback (127.x),
  link-local (169.254.x), IPv6 loopback (::1), ULA (fc00::/7), and 'localhost' string;
  resolves DNS via socket.getaddrinfo BEFORE IP check (anti-DNS-rebinding per D-17)
- _derive_fernet_key(): creates fresh HKDF-SHA256 instance per call (AlreadyFinalized
  pitfall avoided per RESEARCH.md Pitfall 3); uses user_id as salt for per-user isolation
- encrypt_credentials(): Fernet-encrypts JSON-serialised credentials dict; returns str
- decrypt_credentials(): decrypts Fernet token back to original dict
- [Rule 1 - Bug] Fixed test_allows_public_https to use 8.8.8.8 IP (cloud.example.com
  does not resolve in offline CI environments)
2026-05-28 20:58:40 +02:00
curo1305 7fdffddfc1 test(05-02): add failing RED tests for cloud_utils, cloud_cache, and factory
- 11 SSRF validation tests (validate_cloud_url) covering RFC-1918, loopback, link-local, localhost, IPv6
- 7 HKDF credential encryption/decryption round-trip tests (encrypt_credentials, decrypt_credentials)
- 9 TTLCache singleton tests (maxsize=1000, ttl=60, thread-safe lock, get/invalidate helpers)
- 2 storage factory import tests (get_storage_backend_for_document importable)
2026-05-28 20:57:25 +02:00
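An added example, not code from this repository: the resolve-then-check validation that the `validate_cloud_url()` commit message describes, written with the Python standard library only. The name `check_cloud_url`, the injectable resolver, the http/https scheme restriction, the IPv4-mapped unwrapping and the constructed `FAKE_DNS` answers are assumptions of this example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges named in the commit message.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                  # loopback, link-local
    "::1/128", "fc00::/7",                            # IPv6 loopback, ULA
)]

# Constructed DNS answers (not real records) so the check runs offline.
FAKE_DNS = {
    "files.example.test": ["203.0.113.10"],
    "mixed.example.test": ["203.0.113.10", "10.0.0.5"],
    "mapped.example.test": ["::ffff:127.0.0.1"],
}

def fake_resolver(host, port):
    return FAKE_DNS[host]

def system_resolver(host, port):
    """Resolve with socket.getaddrinfo and return the address strings."""
    infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    return [info[4][0] for info in infos]

def check_cloud_url(url, resolver=system_resolver):
    """Return the vetted IPs for url, or raise ValueError if any is blocked."""
    parts = urlsplit(url)
    # Assumption: only http and https URLs are accepted.
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("unsupported URL")
    host = parts.hostname
    if host.lower().rstrip(".") == "localhost":
        raise ValueError("localhost is blocked")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    vetted = []
    for addr in resolver(host, port):
        ip = ipaddress.ip_address(addr.split("%")[0])  # drop IPv6 zone id
        # Unwrap ::ffff:a.b.c.d so a mapped private IPv4 is still caught.
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        if any(ip in net for net in BLOCKED_NETS):
            raise ValueError(f"{host} resolves to blocked address {ip}")
        vetted.append(str(ip))
    if not vetted:
        raise ValueError("host did not resolve")
    return vetted
```

Every resolved address is checked, so one private record among public ones rejects the URL. Returning the vetted addresses lets the caller connect to exactly those IPs instead of resolving the name a second time.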