[Security audit] Harden meta release tooling URL fetches and dynamic imports #6

Closed
opened 2026-07-13 20:09:54 +02:00 by zemion · 1 comment
Owner

The full audit still flags meta release tooling for dynamic URL usage and dynamic imports.

Source report: /mnt/DATA/git/govoplan/audit-reports/govoplan-full-20260713-1949

Observed locations:

  • tools/release/govoplan_release/catalog.py
  • tools/release/release-doctor.py
  • tools/release/govoplan_release/__init__.py
  • tools/gitea/gitea_common.py

Acceptance criteria:

  • Use a shared validated HTTP(S)-only fetch helper for release/meta tooling.
  • Reject file://, embedded credentials, empty hosts, and unsupported schemes before network access.
  • Keep the dynamic import path allowlisted and documented.
  • Add narrow scanner suppressions only where the guard is immediately visible.
<!-- codex-security-audit-fingerprint:security-audit-20260713-meta-url-fetch-imports --> The full audit still flags meta release tooling for dynamic URL usage and dynamic imports. Source report: `/mnt/DATA/git/govoplan/audit-reports/govoplan-full-20260713-1949` Observed locations: - `tools/release/govoplan_release/catalog.py` - `tools/release/release-doctor.py` - `tools/release/govoplan_release/__init__.py` - `tools/gitea/gitea_common.py` Acceptance criteria: - Use a shared validated HTTP(S)-only fetch helper for release/meta tooling. - Reject `file://`, embedded credentials, empty hosts, and unsupported schemes before network access. - Keep the dynamic import path allowlisted and documented. - Add narrow scanner suppressions only where the guard is immediately visible.
Author
Owner

Codex State: done

Summary

  • Added validated HTTP(S) helper for release tooling and moved release catalog/release-doctor URL checks onto it.
  • Replaced release package dynamic import dispatch with explicit lazy imports.
  • Added narrow HTTPSConnection suppression for the Gitea keep-alive API client.

Changed Files

  • tools/release/govoplan_release/http_fetch.py
  • tools/release/govoplan_release/catalog.py
  • tools/release/govoplan_release/__init__.py
  • tools/release/release-doctor.py
  • tools/gitea/gitea_common.py

Verification

  • /mnt/DATA/git/govoplan/.venv/bin/python -m py_compile tools/release/govoplan_release/http_fetch.py tools/release/govoplan_release/catalog.py tools/release/govoplan_release/__init__.py tools/release/release-doctor.py tools/gitea/gitea_common.py
  • git diff --check -- tools/release/govoplan_release/http_fetch.py tools/release/govoplan_release/catalog.py tools/release/govoplan_release/__init__.py tools/release/release-doctor.py tools/gitea/gitea_common.py
  • release helper smoke ok
## Codex State: done ### Summary - Added validated HTTP(S) helper for release tooling and moved release catalog/release-doctor URL checks onto it. - Replaced release package dynamic import dispatch with explicit lazy imports. - Added narrow HTTPSConnection suppression for the Gitea keep-alive API client. ### Changed Files - `tools/release/govoplan_release/http_fetch.py` - `tools/release/govoplan_release/catalog.py` - `tools/release/govoplan_release/__init__.py` - `tools/release/release-doctor.py` - `tools/gitea/gitea_common.py` ### Verification - `/mnt/DATA/git/govoplan/.venv/bin/python -m py_compile tools/release/govoplan_release/http_fetch.py tools/release/govoplan_release/catalog.py tools/release/govoplan_release/__init__.py tools/release/release-doctor.py tools/gitea/gitea_common.py` - `git diff --check -- tools/release/govoplan_release/http_fetch.py tools/release/govoplan_release/catalog.py tools/release/govoplan_release/__init__.py tools/release/release-doctor.py tools/gitea/gitea_common.py` - `release helper smoke ok`
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: add-ideas/govoplan#6
No description provided.