Skip to content

Fix path traversal vulnerability in PDF downloader #227

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
hherb merged 2 commits into from
Dec 29, 2025
Merged

Fix path traversal vulnerability in PDF downloader #227

hherb merged 2 commits into from
Dec 29, 2025

Conversation

@hherb
Copy link
Owner

@hherb hherb commented Dec 29, 2025

Summary

  • Fix critical path traversal vulnerability in tar extraction (CVE-level security issue)
  • Fix ReDoS vulnerability in regex patterns used for package discovery
  • Remove hardcoded contact email from User-Agent (configurable now)
  • Add PMCID range validation to prevent integer overflow and infinite loops
  • Add HTTP session cleanup with context manager support
  • Improve progress logging efficiency and exception handling
  • Move hardcoded paths and magic numbers to named constants

Security Fixes

1. Path Traversal Vulnerability (CRITICAL)

Added _is_safe_tar_member() method that validates archive paths before extraction:

  • Blocks absolute paths (/etc/passwd)
  • Blocks path traversal (../../../etc/passwd)
  • Uses extractfile() instead of extract() for controlled extraction

2. ReDoS Protection (MEDIUM)

  • Replaced \d+ with bounded \d{1,9} in regex patterns
  • Added MAX_REGEX_MATCHES = 10000 limit to prevent CPU exhaustion

3. Input Validation

  • PMCID range validation with MIN_PMCID and MAX_PMCID bounds
  • Automatic swapping of reversed ranges (start > end)
  • Bounds checking in _get_pmcid_subdir() to prevent integer overflow

4. Resource Management

  • Added context manager (with EuropePMCPDFDownloader(...) as downloader:)
  • Lazy HTTP session creation with explicit close() method
  • Session cleanup on context exit

Code Quality Improvements

  • All magic numbers moved to named constants at module level
  • Default paths moved to DEFAULT_OUTPUT_DIR constant
  • Specific exception handling (ValueError, RequestException, PermissionError, OSError)
  • Progress logging uses byte thresholds instead of modulo operations

Test Coverage

Added comprehensive unit tests for:

  • Path traversal attack scenarios
  • PMCID validation edge cases
  • Range overlap validation logic
  • HTTP session cleanup
  • User-Agent configuration

Bug Fixes Found During Review

  • Fixed unbalanced parentheses in User-Agent string construction
  • Simplified _is_safe_tar_member() to correctly check path components

Test Plan

  • Run uv run python -m pytest tests/test_europe_pmc_pdf_downloader.py -v
  • Test CLI commands: list, download, status, verify, extract, find
  • Verify path traversal protection with crafted tar archives
  • Verify PMCID range validation with edge cases

@claude
Fix security vulnerabilities and code quality issues in Europe PMC PD…
3ffe458 
…F downloader

Security fixes:
- Add path traversal protection in tar extraction (_is_safe_tar_member)
- Add ReDoS protection with bounded regex patterns and match limits
- Remove hardcoded contact email from User-Agent (now configurable)
- Add PMCID bounds validation to prevent integer overflow
- Add range validation to prevent infinite loop in overlap checking

Code quality improvements:
- Add context manager support for HTTP session cleanup
- Improve progress logging efficiency using byte thresholds
- Move magic numbers and hardcoded paths to named constants
- Add specific exception handling in CLI (network, permission, filesystem)
- Organize configuration constants with clear documentation

New features:
- Add contact_email parameter for configurable User-Agent
- Add lazy session creation for better resource management
- Add close() method for explicit resource cleanup

Tests:
- Add comprehensive unit tests for security fixes
- Cover path traversal, PMCID validation, range checking, session cleanup

Addresses issues from PR #226 security review.
@claude
Fix bugs found during code review
d81a6bf 
- Fix unbalanced parentheses in User-Agent string construction
- Simplify _is_safe_tar_member to check path components correctly
  (don't use resolve() on tar member paths which aren't real filesystem paths)
- Update tests to match corrected logic (allow '..' in filenames,
  block only '..' as path component)
- Add test for balanced parentheses in User-Agent
@claude
Copy link

claude bot commented Dec 29, 2025
edited
Loading

Claude finished @hherb's task —— View job

🔍 Security Code Review - Pull Request #227

I've completed a comprehensive review of this security-focused pull request. The changes address critical vulnerabilities while maintaining code quality and functionality.

Review Checklist:

  • Analyze changed files and understand implementation
  • Review path traversal security fixes
  • Evaluate ReDoS protection measures
  • Check input validation improvements
  • Assess resource management changes
  • Review code quality improvements
  • Analyze test coverage and quality
  • Check for remaining security concerns
  • Provide comprehensive feedback

Excellent Security Fixes

1. Path Traversal Protection (CRITICAL)

The _is_safe_tar_member() implementation is excellent:

  • Correctly blocks absolute paths (/etc/passwd)
  • Properly validates path components using Path.parts to check each component
  • Prevents all traversal attacks (../../../etc/passwd)
  • Uses extractfile() instead of extract() for controlled extraction (line 798-804)
  • Security logging warns about blocked attempts

Security Assessment: STRONG 🛡️

2. ReDoS Protection (MEDIUM)

Regex patterns are properly secured:

  • Bounded quantifiers: \d{1,9} instead of \d+ (lines 379, 407)
  • Match limiting: MAX_REGEX_MATCHES = 10000 constant with enforcement (lines 382-388, 412-417)
  • Simple patterns: No nested quantifiers or backtracking risks

Security Assessment: GOOD 🛡️

3. Input Validation

PMCID validation is comprehensive:

  • Bounds checking: MIN_PMCID = 1, MAX_PMCID = 99_999_999 (lines 71-72)
  • Range validation: In constructor and CLI parsing (lines 260-278)
  • Automatic range swapping: Handles reversed ranges gracefully (lines 271-276)
  • Integer overflow protection: In _get_pmcid_subdir() (lines 841-844)

Code Quality Improvements

1. Resource Management

HTTP session handling is well-implemented:

  • Lazy initialization: Session created only when needed (lines 286-291)
  • Context manager support: Proper __enter__/__exit__ (lines 299-305)
  • Explicit cleanup: close() method (lines 293-297)

2. Constants and Configuration

Excellent adherence to "golden rules":

  • All magic numbers moved to constants (lines 58-81)
  • Configurable parameters: Delays, timeouts, user agent
  • No hardcoded paths: DEFAULT_OUTPUT_DIR constant (line 81)

3. Error Handling

Robust exception handling:

  • Specific exception types: ValueError, RequestException, PermissionError
  • Graceful degradation: Continue on individual file failures
  • Comprehensive logging: Debug, info, warning, and error levels

Outstanding Test Coverage

The test suite (tests/test_europe_pmc_pdf_downloader.py) is comprehensive:

Security Testing

  • Path traversal scenarios: Multiple attack vectors tested (lines 59-76)
  • PMCID bounds validation: Edge cases and overflow protection (lines 114-162)
  • Regex security: Implicit through bounds testing
  • Tar extraction security: Integration tests with malicious archives (lines 374-398)

Functional Testing

  • Range overlap logic: Comprehensive coverage (lines 179-227)
  • Session management: Context manager and cleanup (lines 229-265)
  • User-Agent configuration: Balanced parentheses verification (lines 267-290)
  • CLI range parsing: Error cases and validation (lines 292-328)

Test Quality: EXCELLENT 📋

Performance Considerations

Optimizations

  • Progress logging efficiency: Byte thresholds instead of modulo (lines 664-670)
  • Regex match limiting: Prevents CPU exhaustion
  • Lazy session creation: Reduces memory overhead
  • Chunked downloads: Configurable DEFAULT_CHUNK_SIZE = 8192

Rate Limiting

  • Configurable delays: DEFAULT_DELAY_SECONDS = 60
  • Jitter on retries: Prevents thundering herd (lines 641-643)
  • Reasonable defaults: Balances speed vs politeness

🔍 Minor Observations

Code Style

  1. User-Agent construction: The fix for balanced parentheses is correct (lines 234-238)
  2. Type hints: Comprehensive throughout the codebase
  3. Docstrings: Detailed documentation with security notes
  4. BMLibrarian standards: Follows project conventions perfectly

Architecture

  1. BaseAgent pattern: Not applicable here (this is an importer, not an agent)
  2. Database integration: Properly separated concerns
  3. Configuration management: Uses constants appropriately

🚀 Recommendations

Immediate Actions

  1. ✅ LGTM - Ready to merge after CI passes
  2. ✅ Security fixes are comprehensive and well-tested
  3. ✅ Code quality meets project standards

Future Enhancements (not required for this PR)

  1. Consider adding virus scanning for downloaded PDFs (using libclamav)
  2. Implement cryptographic verification if Europe PMC provides checksums
  3. Add compression ratio validation to detect zip bombs

📊 Overall Assessment

Category Rating Notes
Security ⭐⭐⭐⭐⭐ Critical vulnerabilities properly fixed
Code Quality ⭐⭐⭐⭐⭐ Excellent adherence to best practices
Test Coverage ⭐⭐⭐⭐⭐ Comprehensive security and functional tests
Performance ⭐⭐⭐⭐ Good optimizations, no performance regressions
Documentation ⭐⭐⭐⭐⭐ Clear docstrings with security notes

🎯 Verdict: APPROVE

This PR successfully addresses critical security vulnerabilities while maintaining excellent code quality. The path traversal fix alone makes this a high-priority security update. The comprehensive test coverage and adherence to project standards demonstrate professional development practices.

Security Impact: Fixes CVE-level path traversal vulnerability
Code Quality: Exceeds project standards
Risk Level: Low (well-tested, backwards compatible)

@hherb hherb merged commit 0ad2328 into master Dec 29, 2025
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@hherb @claude