From b6e8e3f5ffbac8d2530138ffcf413cd52e654490 Mon Sep 17 00:00:00 2001
From: Lukas
Date: Sun, 26 Apr 2026 14:08:43 +0200
Subject: [PATCH] Clean up unused imports and remove completed task

- Remove TASK-016 from Docs/Tasks.md (completed)
- Remove unused imports from protocols.py (Iterable, BanIpCount)
- Remove unused imports from raw_config_io_service.py (asyncio, ConfigDirError, ConfigFileExistsError, ConfFileEntry)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 Docs/Tasks.md | 29 -------------------
 backend/app/repositories/protocols.py | 4 +--
 backend/app/services/raw_config_io_service.py | 4 ---
 3 files changed, 2 insertions(+), 35 deletions(-)
diff --git a/Docs/Tasks.md b/Docs/Tasks.md
index 58e0c0b..f8170c9 100644
--- a/Docs/Tasks.md
+++ b/Docs/Tasks.md
@@ -1,32 +1,3 @@
-## TASK-016 — `delete_log_path` query parameter unvalidated
-
-**Severity:** Medium
-
-### Where found
-`backend/app/routers/jail_config.py` — `DELETE /api/config/jails/{name}/logpath` — `log_path: str = Query(...)`.
-
-### Why this is needed
-The `log_path` query parameter is passed directly to the fail2ban socket command `["set", name, "dellogpath", log_path]` without any path validation. An attacker could pass traversal strings or paths to sensitive files, instructing fail2ban to stop monitoring them and potentially confusing fail2ban's internal state.
-
-### Goal
-Apply the same allowlist validation as `add_log_path` (TASK-014) to `delete_log_path`.
-
-### What to do
-1. Extract the log path validation logic from TASK-014 into a shared helper function in `backend/app/utils/path_utils.py` (e.g., `validate_log_path(path: str, allowed_dirs: list[str]) -> str`).
-2. Call the helper from both `AddLogPathRequest` validator and the `delete_log_path` route handler.
-3. Return 422 with a descriptive error if validation fails.
-
-### Possible traps and issues
-- Query parameters cannot have Pydantic field validators directly in FastAPI — use a `Depends` dependency that validates and returns the resolved path, or validate explicitly at the start of the route handler.
-
-### Docs changes needed
-- `Backend-Development.md` — path validation helper usage.
-
-### Doc references
-- [Backend-Development.md](Backend-Development.md) — input validation patterns
-
----
-
 ## TASK-017 — `ip LIKE ?` without escaping `%` and `_` wildcards
 
 **Severity:** Medium
diff --git a/backend/app/repositories/protocols.py b/backend/app/repositories/protocols.py
index ab031c8..d8d23ea 100644
--- a/backend/app/repositories/protocols.py
+++ b/backend/app/repositories/protocols.py
@@ -6,14 +6,14 @@ module implementations, making the backend easier to test and extend.
 from __future__ import annotations
-from collections.abc import Iterable, Sequence
+from collections.abc import Sequence
 from typing import Any, Protocol
 import aiosqlite
 from app.models.auth import Session
 from app.models.ban import BanOrigin
-from app.repositories.fail2ban_db_repo import BanIpCount, BanRecord, HistoryRecord, JailBanCount
+from app.repositories.fail2ban_db_repo import BanRecord, HistoryRecord, JailBanCount
 from app.repositories.geo_cache_repo import GeoCacheRow
 from app.repositories.import_log_repo import ImportLogRow
diff --git a/backend/app/services/raw_config_io_service.py b/backend/app/services/raw_config_io_service.py
index 154ea69..52574b0 100644
--- a/backend/app/services/raw_config_io_service.py
+++ b/backend/app/services/raw_config_io_service.py
@@ -15,11 +15,8 @@ traversal attacks.
 from __future__ import annotations
-import asyncio
 from app.utils.async_utils import run_blocking
 from app.exceptions import (
-    ConfigDirError,
-    ConfigFileExistsError,
     ConfigFileNameError,
     ConfigFileNotFoundError,
     ConfigFileWriteError,
@@ -34,7 +31,6 @@ import structlog
 from app.models.file_config import (
     ConfFileContent,
     ConfFileCreateRequest,
-    ConfFileEntry,
     ConfFilesResponse,
     ConfFileUpdateRequest,
     JailConfigFile,
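Review bot: Dropping `BanIpCount` and `Iterable` from the two import lines assumes nothing else imports those names through this module, but `protocols.py` is the repositories' shared interface file and the hunk shows neither an `__all__` nor the Protocol bodies, so a sibling doing `from app.repositories.protocols import BanIpCount` would now fail at import. Because the file has `from __future__ import annotations`, a name still referenced only inside a Protocol method signature would not raise here either; it would surface later, when something resolves the hints with `typing.get_type_hints`. A grep for both names across `backend/` and the tests before merging would settle it; if they are genuinely unused, a one-line comment on the import block such as `# row types are imported here only while a Protocol below references them` would stop the next cleanup from guessing.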
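Review bot: Removing `ConfigFileExistsError` (together with `ConfigDirError`) from the `app.exceptions` import in the first hunk of raw_config_io_service.py means this service no longer raises it anywhere, yet the module docstring ending in "traversal attacks." presents this as the guarded file-I/O layer and the second hunk still imports `ConfFileCreateRequest`, so creates are still handled here. If the create path once refused to overwrite an existing file by raising `ConfigFileExistsError`, that guard has either moved or been lost, and the hunk cannot show which; I cannot tell from these lines, so confirm that creating a file whose name already exists still fails closed (an `open(path, "x")` or an explicit existence check) rather than truncating the existing config. A short sentence in the module docstring naming where the exists/overwrite check now lives would keep a later reader from re-adding the import "for safety".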