feat(006): implement security recommendations from SECURITY.md

[amargiovanni]

Implements Feature 006 with 7 user stories (US1-US7) and 13 functional requirements:

Security Features:

• Path traversal prevention with symlink handling (FR-001, FR-002)
• CSV formula injection protection (single-quote escaping) (FR-004, FR-005)
• File permission checks on sensitive files (FR-007, FR-008)
• Content-Type header validation on API responses (FR-006)
• Token masking in logs with [MASKED] pattern (FR-010)
• Timeout threshold warnings (FR-011)
• Verbose mode with API audit logging (FR-009)

Code Changes:

• New: src/github_analyzer/core/security.py (8 utility functions)
• New: tests/unit/core/test_security.py (77 tests, 100% coverage)
• Updated: All exporters with path validation and CSV escaping
• Updated: API client with Content-Type and verbose logging
• Updated: CLI with --verbose flag and permission checks
• Updated: requirements.txt with exact pin (requests==2.31.0)
• Updated: requirements-dev.txt with bounded ranges

Test Results: 887 passed, 7 skipped

[gemini-code-assist]

Summary of Changes

Hello @amargiovanni, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the security posture of the GitHub Analyzer application by implementing a suite of recommendations derived from a recent security audit. The changes focus on preventing common vulnerabilities such as path traversal and CSV injection, improving supply chain security through dependency management, and providing better visibility into application behavior via audit logging and security warnings. These updates aim to make the tool more resilient and trustworthy for users handling sensitive data.

Highlights

• Path Traversal Prevention: Implemented robust path traversal prevention (FR-001, FR-002, FR-013) using pathlib.Path.resolve() and is_relative_to() to ensure all output paths remain within a safe boundary, resolving symlinks before validation.
• CSV Formula Injection Protection: Added protection against CSV formula injection (FR-004, FR-005) by prefixing cell values starting with =, +, -, @, TAB, or CR with a single quote, ensuring data integrity.
• Dependency Version Pinning: Ensured supply chain security (FR-003) by pinning all runtime dependencies to exact versions in requirements.txt and using bounded ranges for development dependencies in requirements-dev.txt.
• File Permission Checks: Introduced checks for overly permissive file permissions (FR-007, FR-008) on sensitive input files like repos.txt and set restrictive permissions (0o600) on newly created output files (Unix-like systems only).
• API Response Content-Type Validation: Added validation for API response Content-Type headers (FR-006), logging a security warning if the expected type (e.g., application/json) is not found or the header is missing.
• Verbose API Audit Logging: Implemented an optional verbose mode (FR-009) via a --verbose CLI flag or environment variable, which logs API requests (method, endpoint, status) with all token values masked (FR-010) for enhanced debugging and security auditing.
• Timeout Threshold Warnings: Added a warning mechanism (FR-011) to alert users when configured timeouts exceed a recommended threshold (default 60 seconds), configurable via an environment variable, to highlight potential security implications of long-lived connections.
• New Security Utilities Module: A new module src/github_analyzer/core/security.py was created, centralizing 8 utility functions and related constants for all new security features, along with comprehensive unit tests in tests/unit/core/test_security.py.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[codecov]

Codecov Report

❌ Patch coverage is 98.58156% with 2 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
src/github_analyzer/cli/main.py	81.81%	2 Missing ⚠️

📢 Thoughts on this report? Let us know!

[amargiovanni]

/gemini review

[gemini-code-assist]

Code Review

This is an excellent pull request that systematically implements the security recommendations from the SECURITY.md audit. The introduction of a dedicated core/security.py module is a great architectural choice, centralizing security logic. The changes are comprehensive, covering path traversal, CSV formula injection, dependency pinning, and more. The accompanying tests are thorough and cover numerous edge cases, ensuring the new security features are robust. I have one suggestion to simplify the path validation logic to make it more idiomatic for Python 3.9+.

[gemini-code-assist]

This implementation for path resolution and validation is correct, but it can be simplified and made more idiomatic for Python 3.9+, which this project targets.

1. The if/else block for handling absolute and relative paths is redundant. The pathlib / operator correctly handles joining a base path with either a relative or an absolute path.
2. Since the project uses Python 3.9+, you can use the Path.is_relative_to() method, which is more direct and readable than using a try...except ValueError block with Path.relative_to().

This suggestion combines these two improvements for a more concise and maintainable function.

Suggested change

	# Resolve both paths to handle symlinks (FR-013)
	resolved_base = base_dir.resolve()
	# Convert path to Path object
	path_obj = Path(path)
	# For relative paths, resolve against the base directory
	if not path_obj.is_absolute():
	resolved_path = (resolved_base / path_obj).resolve()
	else:
	resolved_path = path_obj.resolve()
	# Check if path is within safe boundary
	try:
	resolved_path.relative_to(resolved_base)
	except ValueError as err:
	raise ValidationError(f"Output path must be within {resolved_base}") from err
	# Resolve the base directory to an absolute path to handle symlinks.
	resolved_base = base_dir.resolve()
	# Resolve the input path. If it's relative, it's resolved relative to the
	# base directory. If it's absolute, it's used as is. Then resolve symlinks.
	resolved_path = (resolved_base / path).resolve()
	# Check if the resolved path is within the safe boundary.
	# Using `is_relative_to` is more idiomatic for Python 3.9+.
	if not resolved_path.is_relative_to(resolved_base):
	raise ValidationError(f"Output path must be within {resolved_base}")

[gemini-code-assist]

Code Review

This pull request is a significant step forward in hardening the application's security posture, implementing a wide range of recommendations from the SECURITY.md audit. The introduction of a dedicated core/security.py module is a great architectural choice, centralizing security logic for path validation, CSV formula escaping, and more. The changes are comprehensive, well-tested, and demonstrate a strong commitment to security best practices. My feedback focuses on minor refactoring opportunities to improve code conciseness and maintainability in a few areas, but overall, this is excellent work.

[gemini-code-assist]

The logic to resolve the path can be simplified. pathlib's / operator correctly handles joining an absolute path, which discards the base path. This means the if/else block can be replaced with a single line, making the code more concise and easier to read.

    # The `pathlib.Path.joinpath()` method (the `/` operator) correctly handles
    # joining an absolute path, which will discard the base. We can then
    # resolve symlinks and '..' components in the combined path.
    resolved_path = (resolved_base / path_obj).resolve()

[gemini-code-assist]

The formula escaping logic is repeated for each field. This can be simplified by first creating the dictionary for the row with original values, and then passing the entire dictionary to escape_csv_row. This would make the code cleaner, reduce repetition, and be easier to maintain. This same pattern can be applied to export_comments and export_issues_with_metrics as well.

Suggested change

	writer.writerow({
	"key": issue.key,
	"summary": issue.summary,
	"description": issue.description,
	"status": issue.status,
	"issue_type": issue.issue_type,
	"priority": issue.priority or "",
	"assignee": issue.assignee or "",
	"reporter": issue.reporter,
	"key": escape_csv_formula(issue.key),
	"summary": escape_csv_formula(issue.summary),
	"description": escape_csv_formula(issue.description),
	"status": escape_csv_formula(issue.status),
	"issue_type": escape_csv_formula(issue.issue_type),
	"priority": escape_csv_formula(issue.priority or ""),
	"assignee": escape_csv_formula(issue.assignee or ""),
	"reporter": escape_csv_formula(issue.reporter),
	"created": issue.created.isoformat() if issue.created else "",
	"updated": issue.updated.isoformat() if issue.updated else "",
	"resolution_date": issue.resolution_date.isoformat() if issue.resolution_date else "",
	"project_key": issue.project_key,
	"project_key": escape_csv_formula(issue.project_key),
	})
	writer.writerow(escape_csv_row({
	"key": issue.key,
	"summary": issue.summary,
	"description": issue.description,
	"status": issue.status,
	"issue_type": issue.issue_type,
	"priority": issue.priority or "",
	"assignee": issue.assignee or "",
	"reporter": issue.reporter,
	"created": issue.created.isoformat() if issue.created else "",
	"updated": issue.updated.isoformat() if issue.updated else "",
	"resolution_date": issue.resolution_date.isoformat() if issue.resolution_date else "",
	"project_key": issue.project_key,
	}))