[Security] Review dynamic module import trust boundary #242

Closed
opened 2026-07-11 12:51:10 +02:00 by zemion · 1 comment
Owner

Semgrep flags dynamic imports used by the module system. This is expected architecture, but the trust boundary should be explicit.

Classification: architecture review / accepted-risk candidate.

Report evidence:

  • govoplan-core/src/govoplan_core/server/config.py:55.
  • govoplan-core/src/govoplan_core/server/registry.py:78.
  • Rule: non-literal-import.

Suggested next steps:

  • Document that enabled module identifiers are trusted deployment configuration, not user input.
  • Validate module ids before import and reject unexpected characters/namespaces.
  • Add narrow scanner annotations once validation is explicit.

Baseline report directory: audit-reports/govoplan-full-20260711-1238

<!-- codex-audit-full-2026-07-11:core-dynamic-import-boundary --> Semgrep flags dynamic imports used by the module system. This is expected architecture, but the trust boundary should be explicit. Classification: **architecture review / accepted-risk candidate**. Report evidence: - `govoplan-core/src/govoplan_core/server/config.py:55`. - `govoplan-core/src/govoplan_core/server/registry.py:78`. - Rule: `non-literal-import`. Suggested next steps: - Document that enabled module identifiers are trusted deployment configuration, not user input. - Validate module ids before import and reject unexpected characters/namespaces. - Add narrow scanner annotations once validation is explicit. Baseline report directory: `audit-reports/govoplan-full-20260711-1238`
zemion added the
type
debt
priority
p2
status
ready
module/core
codex/ready
labels 2026-07-11 12:51:10 +02:00
zemion added the
area/security
audit/structural
source/security-audit
labels 2026-07-11 16:05:37 +02:00
Author
Owner

Implemented locally. import_object now validates module:attribute paths, rejects private/invalid attribute paths, and only imports modules from trusted prefixes (govoplan_core, govoplan_, app, or GOVOPLAN_TRUSTED_IMPORT_PREFIXES). Built-in manifest loading now validates fixed object paths before importing.

Validation run:

  • PYTHONPATH=/mnt/DATA/git/govoplan-core/src python3 -m unittest tests.test_import_trust
  • python3 -m py_compile src/govoplan_core/server/config.py src/govoplan_core/server/registry.py
  • git diff --check -- src/govoplan_core/server/config.py src/govoplan_core/server/registry.py tests/test_import_trust.py

Closing pending the next push.

Implemented locally. `import_object` now validates `module:attribute` paths, rejects private/invalid attribute paths, and only imports modules from trusted prefixes (`govoplan_core`, `govoplan_`, `app`, or `GOVOPLAN_TRUSTED_IMPORT_PREFIXES`). Built-in manifest loading now validates fixed object paths before importing. Validation run: - `PYTHONPATH=/mnt/DATA/git/govoplan-core/src python3 -m unittest tests.test_import_trust` - `python3 -m py_compile src/govoplan_core/server/config.py src/govoplan_core/server/registry.py` - `git diff --check -- src/govoplan_core/server/config.py src/govoplan_core/server/registry.py tests/test_import_trust.py` Closing pending the next push.
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: add-ideas/govoplan-core#242
No description provided.