Merged
4 changes: 3 additions & 1 deletion CLAUDE.md
Expand Up @@ -10,6 +10,8 @@ Auto-generated from all feature plans. Last updated: 2025-11-28
- N/A (repos.txt file is input, not storage) (004-github-repo-selection)
- Python 3.9+ (per constitution, leveraging type hints) + Standard library (urllib, json); optional: requests (already in codebase) (005-smart-repo-filter)
- N/A (in-memory filtering during selection) (005-smart-repo-filter)
- Python 3.9+ (per constitution, leveraging type hints) + Standard library (pathlib, csv, os, stat, logging); optional: requests (006-security-recommendations)
- CSV files for export (existing pattern) (006-security-recommendations)

- Python 3.9+ (as per constitution, leveraging type hints) + Standard library only (urllib, json, csv, os, re); optional: requests (001-modular-refactor)

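Review bot: the hunk header still carries "Last updated: 2025-11-28" as unchanged context while two entries are added below it; since the section is marked auto-generated, confirm the timestamp was regenerated with this feature rather than the list being edited by hand. Minor wording drift in the same hunk: the new 006 entry says "per constitution" while the 001 entry two lines below says "as per constitution"; pick one form for the generator template so the list stays uniform.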
Expand Down Expand Up @@ -41,9 +43,9 @@ python github_analyzer.py --days 7
Python 3.9+ (as per constitution, leveraging type hints): Follow standard conventions

## Recent Changes
- 006-security-recommendations: Added Python 3.9+ (per constitution, leveraging type hints) + Standard library (pathlib, csv, os, stat, logging); optional: requests
- 005-smart-repo-filter: Added Python 3.9+ (per constitution, leveraging type hints) + Standard library (urllib, json); optional: requests (already in codebase)
- 004-github-repo-selection: Added Python 3.9+ (as per constitution, leveraging type hints) + Standard library only (urllib, json); optional: requests (existing pattern)
- 003-jira-quality-metrics: Added Python 3.9+ (per constitution, leveraging type hints) + Standard library only (urllib, json, csv, os, re, datetime, statistics); optional: requests (already used in jira_client.py)


<!-- MANUAL ADDITIONS START -->
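Review bot: the new 006-security-recommendations entry under "## Recent Changes" describes only the dependency list ("Added Python 3.9+ ... + Standard library (pathlib, csv, os, stat, logging); optional: requests"), not what the feature changed; a reader cannot tell from this section that it introduced security recommendations or file-permission handling. Suggest the generator emit a one-line feature summary ahead of the dependency note. The hunk counts (-41,9 +43,9 with one line added) imply one older entry was dropped, which the rendered view does not show; stating the retention limit in the section would make that rotation explicit.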
38 changes: 35 additions & 3 deletions README.md
Expand Up @@ -516,9 +516,41 @@ export JIRA_API_TOKEN="your-api-token"

## Security

- **Token Security**: The GitHub token is loaded from the `GITHUB_TOKEN` environment variable and is never stored, logged, or exposed in error messages
- **Input Validation**: Repository names are validated against injection attacks (shell metacharacters, path traversal)
- **No External Dependencies**: Core functionality works with Python standard library only
This project implements defense-in-depth security measures. See [SECURITY.md](SECURITY.md) for the full security analysis.

### Credential Management
- **Environment Variables Only**: All credentials (`GITHUB_TOKEN`, `JIRA_API_TOKEN`) loaded exclusively from environment variables
- **Token Masking**: Tokens are replaced with `[MASKED]` in all logs, errors, and representations
- **Token Format Validation**: GitHub tokens validated against known patterns (`ghp_`, `github_pat_`, `gho_`, `ghs_`)
- **No Persistence**: Credentials never written to disk or configuration files

### Input Validation
- **Whitelist Patterns**: Repository names and Jira project keys validated with strict regex patterns
- **Dangerous Character Rejection**: Shell metacharacters (`;|&$\`(){}[]<>`) explicitly blocked
- **Path Traversal Prevention**: `..` sequences rejected in all user inputs
- **URL Validation**: GitHub URLs normalized, Jira URLs require HTTPS
- **Length Limits**: Maximum 100 characters per component to prevent buffer attacks

### Network Security
- **HTTPS Enforced**: All API calls use HTTPS (HTTP rejected for Jira)
- **Timeout Protection**: Configurable timeouts (default 30s) prevent indefinite hangs
- **Rate Limit Handling**: Graceful handling with exponential backoff
- **Retry Logic**: Automatic retry for transient 5xx errors

### Output Security
- **CSV Formula Injection Protection**: Values starting with `=`, `+`, `-`, `@`, `TAB`, `CR` prefixed with single quote
- **Path Validation**: Output paths validated to stay within safe boundaries
- **Secure File Permissions**: Output files created with restricted permissions (owner read/write only)
- **Symlink Resolution**: All paths resolved to prevent symlink attacks

### Error Handling
- **No Secret Leakage**: Error messages never contain tokens or credentials
- **Response Truncation**: API error details truncated to 200 characters
- **Structured Exceptions**: Typed exceptions without exposing internals

### Minimal Dependencies
- **Zero Required Dependencies**: Core functionality uses Python standard library only
- **Optional `requests`**: Falls back gracefully to `urllib` if not installed

## Contributing

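Review bot: the inline code span on the "Dangerous Character Rejection" bullet, `;|&$\`(){}[]<>`, will not render as intended: a single-backtick span cannot contain a backtick, so the escaped backtick closes the span early and the remaining characters fall out as plain text. Use a double-backtick span with padding spaces, `` ;|&$`(){}[]<> ``. Two wording points in the same block: "Maximum 100 characters per component to prevent buffer attacks" misstates the risk for a Python tool (no buffer overflow is in play; the cap bounds resource use and keeps the regex checks cheap), and "HTTPS Enforced: All API calls use HTTPS (HTTP rejected for Jira)" next to "GitHub URLs normalized" leaves unclear whether an http:// GitHub URL is rejected or rewritten to https, so say which. Also confirm SECURITY.md exists, since it is linked at the top of the section but is not among the files changed in this PR, and if the tool is meant to run on Windows, qualify "owner read/write only" (os.chmod there can only toggle the read-only attribute, so the POSIX 0600 guarantee does not carry over).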