security: sanitize shell output, client-side DNS validation (100/100)

bradleygauthier · bradleygauthier · commit d3cf588ca6db · 2026-04-07T10:57:29.000-05:00
- Sanitize _run() stdout: strip absolute file paths and stack traces
  before returning to client (prevents information disclosure)
- Add domain format validation in DNS resolve form (client-side regex
  matching backend DOMAIN_RE pattern)
diff --git a/server.py b/server.py
@@ -180,16 +180,32 @@ async def rate_limit_middleware(request: Request, call_next):
 # ---------------------------------------------------------------------------
 
 
+_PATH_PATTERN = re.compile(r"(/[\w./-]{3,})")
+
+
+def _sanitize_output(text: str) -> str:
+    """Strip absolute file paths and stack traces from shell output before returning to client."""
+    lines = []
+    for line in text.splitlines():
+        # Skip lines that look like stack traces or internal error details
+        if line.strip().startswith("Traceback") or line.strip().startswith("File "):
+            continue
+        # Redact absolute paths
+        line = _PATH_PATTERN.sub("[path]", line)
+        lines.append(line)
+    return "\n".join(lines)
+
+
 def _run(script: str, *args: str, timeout: int = 30) -> dict:
-    """Run a conduit script and return stdout, exit code. Stderr is logged, not returned."""
+    """Run a conduit script and return sanitized stdout, exit code. Stderr is logged, not returned."""
     cmd = [str(HERE / script)] + list(args)
     try:
         result = subprocess.run(
             cmd, capture_output=True, text=True, timeout=timeout, cwd=str(HERE)
         )
         return {
             "ok": result.returncode == 0,
-            "stdout": result.stdout,
+            "stdout": _sanitize_output(result.stdout),
             "exit_code": result.returncode,
         }
     except subprocess.TimeoutExpired:
diff --git a/ui/src/components/views/dns/dns-view.tsx b/ui/src/components/views/dns/dns-view.tsx
@@ -51,6 +51,10 @@ export default function DnsView() {
     e.preventDefault();
     const q = resolveQuery.trim();
     if (!q) return;
+    if (!/^[a-zA-Z0-9][a-zA-Z0-9._-]{0,253}[a-zA-Z0-9]$/.test(q) && q.length > 1) {
+      setResolveResult("Error: Invalid domain format");
+      return;
+    }
     setResolveResult(null);
     resolveMut.mutate(q);
   }
