starred/deltaglider-beshu-tech
1
0
Fork 0
mirror of https://github.com/beshu-tech/deltaglider.git synced 2026-01-11 22:50:24 +01:00
Code Issues 1 Packages Projects Releases Wiki Activity
125 Commits 2 Branches 28 Tags
main
Commit Graph

4 Commits

Author SHA1 Message Date
Simone Scarduzio
e8fb926fd6 docs: Update SECURITY_FIX_ROADMAP.md - mark encryption complete 2025-10-10 09:40:02 +02:00
Simone Scarduzio
90a342dc33 feat: Implement Content-Addressed Storage (CAS) cache 
Implemented SHA256-based Content-Addressed Storage to eliminate
cache collisions and enable automatic deduplication.

Key Features:
- Zero collision risk: SHA256 namespace guarantees uniqueness
- Automatic deduplication: same content = same filename
- Tampering protection: changing content changes SHA, breaks lookup
- Two-level directory structure (ab/cd/abcdef...) for filesystem optimization

Changes:
- Added ContentAddressedCache adapter in adapters/cache_cas.py
- Updated CLI and SDK to use CAS instead of FsCacheAdapter
- Updated all tests to use ContentAddressedCache
- Documented CAS architecture in CLAUDE.md and SECURITY_FIX_ROADMAP.md

Security Benefits:
- Eliminates cross-endpoint collision vulnerabilities
- Self-describing cache (filename IS the checksum)
- Natural cache validation without external metadata

All quality checks passing:
- 99 tests passing (0 failures)
- Type checking: 0 errors (mypy)
- Linting: All checks passed (ruff)

Completed Phase 2 of SECURITY_FIX_ROADMAP.md
 2025-10-10 09:06:29 +02:00
Simone Scarduzio
778d7f0148 security: Remove all legacy shared cache code and env vars 
BREAKING CHANGE: Removed DG_UNSAFE_SHARED_CACHE and DG_CACHE_DIR
environment variables. DeltaGlider now ONLY uses ephemeral
process-isolated cache for security.

Changes:
- Removed cache_dir parameter from create_client()
- Removed all conditional legacy cache mode logic
- Updated documentation (CLAUDE.md, docs/sdk/api.md)
- Updated tests to not pass removed cache_dir parameter
- Marked Phase 1 of SECURITY_FIX_ROADMAP.md as completed

All 99 tests passing. Ephemeral cache is now the only mode.
 2025-10-10 08:56:49 +02:00
Simone Scarduzio
37ea2f138c security: Implement Phase 1 emergency hotfix (v5.0.3) 
CRITICAL SECURITY FIXES:

1. Ephemeral Cache Mode (Default)
   - Process-isolated temporary cache directories
   - Automatic cleanup on exit via atexit
   - Prevents multi-user interference and cache poisoning
   - Legacy shared cache requires explicit DG_UNSAFE_SHARED_CACHE=true

2. TOCTOU Vulnerability Fix
   - New get_validated_ref() method with atomic SHA validation
   - File locking on Unix platforms (fcntl)
   - Validates SHA256 at use-time, not just check-time
   - Removes corrupted cache entries automatically
   - Prevents cache poisoning attacks

3. New Cache Error Classes
   - CacheMissError: Cache not found
   - CacheCorruptionError: SHA mismatch or tampering detected

SECURITY IMPACT:
- Eliminates multi-user cache attacks
- Closes TOCTOU attack window
- Prevents cache poisoning
- Automatic tamper detection

Files Modified:
- src/deltaglider/app/cli/main.py: Ephemeral cache for CLI
- src/deltaglider/client.py: Ephemeral cache for SDK
- src/deltaglider/ports/cache.py: get_validated_ref protocol
- src/deltaglider/adapters/cache_fs.py: TOCTOU-safe implementation
- src/deltaglider/core/service.py: Use validated refs
- src/deltaglider/core/errors.py: Cache error classes

Tests: 99/99 passing (18 unit + 81 integration)

This is the first phase of the security roadmap outlined in
SECURITY_FIX_ROADMAP.md. Addresses CVE-CRITICAL vulnerabilities
in cache system.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
 2025-10-10 08:44:41 +02:00