Security fixes and exception handling improvements for parser.py#1279
Merged
thomas-mangin merged 2 commits intomainfrom Nov 8, 2025
Merged
Conversation
This PR combines the TOCTOU security fix with exception handling
improvements for parser.py.
=== SECURITY FIX ===
TOCTOU Race Condition (CVSS 6.5):
Problem:
- Configuration parser validates programs before execution
- Uses os.stat() on path, then later executes the file
- Race condition: file could be swapped between check and use
- Symlink attacks possible with malicious timing
Fix:
- Open file with os.open() and O_NOFOLLOW flag
- Use os.fstat() on file descriptor (atomic, no race condition)
- All validation done on the open file descriptor
- Add checks for setgid in addition to setuid
- Ensure file is a regular file (not device, socket, etc.)
- Comprehensive documentation of security considerations
Security Impact:
- Eliminates TOCTOU window for file swapping
- Prevents symlink-based privilege escalation
- More thorough validation of executable properties
=== EXCEPTION HANDLING IMPROVEMENTS ===
Exception Handling Strategy:
- Configuration errors → RAISE with chaining (fail fast, preserve context)
Parser.py improvements:
- Add exception chaining with `from e` to preserve OSError details
- Provides clear ValueError messages while maintaining stack traces
- Helps debugging by showing original system error
Example:
Before: ValueError('can not access program "foo": [Errno 13]')
After: ValueError('can not access program "foo": [Errno 13]') from OSError
These exception handling improvements enhance error reporting and
debugging without changing functionality.
=== RELATIONSHIP TO OTHER PRs ===
This PR supersedes:
- claude/fix-toctou-race-condition-011CUq5Wq9rGNXsAYNFqTC95
Use this PR if you want combined security + error handling improvements
for parser.py. Or use the separate PR if you want to merge security
fix and error handling independently.
Other independent PRs:
- Healthcheck shell injection fix (healthcheck.py)
- Flow.py command injection fix (flow.py)
- Rate limiting/DoS protection (connection.py, ratelimit.py)
- Security regression tests (tests/security_test.py)
=== TESTING ===
Security:
- TOCTOU fix validated with security_test.py
- File descriptor-based validation prevents race conditions
- O_NOFOLLOW prevents symlink attacks
Error Handling:
- Error messages are more detailed and actionable
- Stack traces preserved for debugging via exception chaining
Backward Compatibility:
- All changes maintain backward compatibility
- Existing configurations work unchanged
- Only error messages improved, not functionality
Two fixes to make the code work correctly: 1. Remove O_NOFOLLOW flag to allow symlinks: Problem: Many legitimate executables are symlinks (e.g., /usr/local/bin/python3 -> /usr/bin/python3.11). Using O_NOFOLLOW caused os.open() to fail on symlinks, breaking configuration parsing. Solution: Remove O_NOFOLLOW and allow following symlinks. The TOCTOU protection comes from using fstat() on the file descriptor, not from blocking symlinks. The file descriptor points to the final target, which is what we validate. Security: TOCTOU race condition is still prevented because we validate the file descriptor (final target) instead of the path. Symlinks are resolved atomically by the kernel during open(). 2. Fix operator precedence in executable check: Problem: Line "if not check & s.st_mode:" has incorrect precedence. Python evaluates this as "(not check) & s.st_mode" due to operator precedence, which always evaluates to False, never catching non- executable files. Solution: Add parentheses: "if not (check & s.st_mode):" to ensure correct evaluation order. This properly checks if the file has any of the required executable bits set. Testing: - All functional parsing tests now pass (./qa/bin/functional parsing) - Symlinked executables work correctly - Executable permission checks work as intended Fixes: CI failure in ./qa/bin/functional parsing
thomas-mangin
deleted the
claude/combined-security-and-error-handling-011CUq5Wq9rGNXsAYNFqTC95
branch
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR combines the TOCTOU security fix with exception handling improvements for parser.py.
=== SECURITY FIX ===
TOCTOU Race Condition (CVSS 6.5):
Problem:
Fix:
Security Impact:
=== EXCEPTION HANDLING IMPROVEMENTS ===
Exception Handling Strategy:
Parser.py improvements:
from eto preserve OSError detailsExample:
Before: ValueError('can not access program "foo": [Errno 13]') After: ValueError('can not access program "foo": [Errno 13]') from OSError
These exception handling improvements enhance error reporting and debugging without changing functionality.
=== RELATIONSHIP TO OTHER PRs ===
This PR supersedes:
Use this PR if you want combined security + error handling improvements for parser.py. Or use the separate PR if you want to merge security fix and error handling independently.
Other independent PRs:
=== TESTING ===
Security:
Error Handling:
Backward Compatibility: