feat: add server-side validation for web-based INI deployments

2026-04-08 01:04:59 -04:00
parent 1b5d366b38
commit cc3d434c02
3 changed files with 64 additions and 3 deletions
--- a/decnet/ini_loader.py
+++ b/decnet/ini_loader.py
@@ -88,11 +88,27 @@ def load_ini(path: str | Path) -> IniConfig:

 def load_ini_from_string(content: str) -> IniConfig:
    """Parse a DECNET INI string and return an IniConfig."""
+    validate_ini_string(content)
    cp = configparser.ConfigParser()
    cp.read_string(content)
    return _parse_configparser(cp)


+def validate_ini_string(content: str) -> None:
+    """Perform safety and sanity checks on raw INI content string."""
+    # 1. Size limit (e.g. 512KB)
+    if len(content) > 512 * 1024:
+        raise ValueError("INI content too large (max 512KB).")
+
+    # 2. Ensure it's not empty
+    if not content.strip():
+        raise ValueError("INI content is empty.")
+
+    # 3. Basic structure check (must contain at least one section header)
+    if "[" not in content or "]" not in content:
+        raise ValueError("Invalid INI format: no sections found.")
+
+
 def _parse_configparser(cp: configparser.ConfigParser) -> IniConfig:
    cfg = IniConfig()

@@ -152,7 +168,11 @@ def _parse_configparser(cp: configparser.ConfigParser) -> IniConfig:
            amount = int(amount_raw)
            if amount < 1:
                raise ValueError
-        except ValueError:
+            if amount > 100:
+                raise ValueError(f"[{section}] amount={amount} exceeds maximum allowed (100).")
+        except ValueError as e:
+            if "exceeds maximum" in str(e):
+                raise e
            raise ValueError(f"[{section}] amount= must be a positive integer, got '{amount_raw}'")

        if amount == 1: