deltaglider

starred/deltaglider

Fork 0

mirror of https://github.com/beshu-tech/deltaglider.git synced 2026-04-11 03:06:52 +02:00

Commit Graph

Author	SHA1	Message	Date
Simone Scarduzio	37ea2f138c	security: Implement Phase 1 emergency hotfix (v5.0.3) CRITICAL SECURITY FIXES: 1. Ephemeral Cache Mode (Default) - Process-isolated temporary cache directories - Automatic cleanup on exit via atexit - Prevents multi-user interference and cache poisoning - Legacy shared cache requires explicit DG_UNSAFE_SHARED_CACHE=true 2. TOCTOU Vulnerability Fix - New get_validated_ref() method with atomic SHA validation - File locking on Unix platforms (fcntl) - Validates SHA256 at use-time, not just check-time - Removes corrupted cache entries automatically - Prevents cache poisoning attacks 3. New Cache Error Classes - CacheMissError: Cache not found - CacheCorruptionError: SHA mismatch or tampering detected SECURITY IMPACT: - Eliminates multi-user cache attacks - Closes TOCTOU attack window - Prevents cache poisoning - Automatic tamper detection Files Modified: - src/deltaglider/app/cli/main.py: Ephemeral cache for CLI - src/deltaglider/client.py: Ephemeral cache for SDK - src/deltaglider/ports/cache.py: get_validated_ref protocol - src/deltaglider/adapters/cache_fs.py: TOCTOU-safe implementation - src/deltaglider/core/service.py: Use validated refs - src/deltaglider/core/errors.py: Cache error classes Tests: 99/99 passing (18 unit + 81 integration) This is the first phase of the security roadmap outlined in SECURITY_FIX_ROADMAP.md. Addresses CVE-CRITICAL vulnerabilities in cache system. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>	2025-10-10 08:44:41 +02:00

Author

SHA1

Message

Date

Simone Scarduzio

37ea2f138c

security: Implement Phase 1 emergency hotfix (v5.0.3)

CRITICAL SECURITY FIXES:

1. Ephemeral Cache Mode (Default)
   - Process-isolated temporary cache directories
   - Automatic cleanup on exit via atexit
   - Prevents multi-user interference and cache poisoning
   - Legacy shared cache requires explicit DG_UNSAFE_SHARED_CACHE=true

2. TOCTOU Vulnerability Fix
   - New get_validated_ref() method with atomic SHA validation
   - File locking on Unix platforms (fcntl)
   - Validates SHA256 at use-time, not just check-time
   - Removes corrupted cache entries automatically
   - Prevents cache poisoning attacks

3. New Cache Error Classes
   - CacheMissError: Cache not found
   - CacheCorruptionError: SHA mismatch or tampering detected

SECURITY IMPACT:
- Eliminates multi-user cache attacks
- Closes TOCTOU attack window
- Prevents cache poisoning
- Automatic tamper detection

Files Modified:
- src/deltaglider/app/cli/main.py: Ephemeral cache for CLI
- src/deltaglider/client.py: Ephemeral cache for SDK
- src/deltaglider/ports/cache.py: get_validated_ref protocol
- src/deltaglider/adapters/cache_fs.py: TOCTOU-safe implementation
- src/deltaglider/core/service.py: Use validated refs
- src/deltaglider/core/errors.py: Cache error classes

Tests: 99/99 passing (18 unit + 81 integration)

This is the first phase of the security roadmap outlined in
SECURITY_FIX_ROADMAP.md. Addresses CVE-CRITICAL vulnerabilities
in cache system.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

2025-10-10 08:44:41 +02:00

1 Commits