Timmy_Foundation/timmy-config
15
0
Fork 0
Code Issues 163 Pull Requests 95 Actions 10 Packages Projects Releases Wiki Activity
Files
380012c791970faf772ba119c4bf03fb77367ba5
timmy-config/security/validate_security.py
STEP35 Burn Agent 380012c791
Some checks failed
Architecture Lint / Linter Tests (pull_request) Successful in 22s
Details
Smoke Test / smoke (pull_request) Failing after 22s
Details
Validate Config / YAML Lint (pull_request) Failing after 16s
Details
Validate Config / JSON Validate (pull_request) Successful in 23s
Details
Validate Config / Python Syntax & Import Check (pull_request) Failing after 56s
Details
Validate Config / Python Test Suite (pull_request) Has been skipped
Details
Validate Config / Cron Syntax Check (pull_request) Successful in 11s
Details
Validate Config / Shell Script Lint (pull_request) Failing after 55s
Details
Validate Config / Deploy Script Dry Run (pull_request) Successful in 8s
Details
Validate Config / Playbook Schema Validation (pull_request) Successful in 17s
Details
PR Checklist / pr-checklist (pull_request) Successful in 5m6s
Details
Architecture Lint / Lint Repository (pull_request) Failing after 24s
Details
docs/security/wizard-bootstrap: extract from hermes-sovereign to top-level (#337) 
Extract organizational artifacts from hermes-sovereign/ subdirectory to
timmy-config top-level directories for clearer separation of concerns.

Moved:
- docs/: 19 markdown files from hermes-sovereign/docs/ (DEPLOY.md,
  SECURITY_AUDIT_REPORT.md, SECURE_CODING_GUIDELINES.md,
  PERFORMANCE_ANALYSIS_REPORT.md, PERFORMANCE_HOTSPOTS_QUICKREF.md,
  PERFORMANCE_OPTIMIZATIONS.md, SECURITY_FIXES_CHECKLIST.md,
  SECURITY_MITIGATION_ROADMAP.md, TEST_ANALYSIS_REPORT.md,
  TEST_OPTIMIZATION_GUIDE.md, V-006_FIX_SUMMARY.md, and more)
- security/: validate_security.py from hermes-sovereign/security/
  (creates top-level security/ directory)
- wizard-bootstrap/: 7 files from hermes-sovereign/wizard-bootstrap/
  (FORGE_OPERATIONS_GUIDE.md, WIZARD_ENVIRONMENT_CONTRACT.md,
  dependency_checker.py, monthly_audit.py, skills_audit.py,
  wizard_bootstrap.py, __init__.py)
- docs/notebooks/: 2 notebook files from hermes-sovereign/notebooks/
  (agent_task_system_health.ipynb, agent_task_system_health.py)

Empty source directories (hermes-sovereign/docs/, security/,
wizard-bootstrap/, notebooks/) removed.

This reorganization establishes timmy-config as the canonical home
for operational documentation, security tooling, and wizard bootstrap
infrastructure — extracted from the hermes-agent sidecar subtree.

Closes #337
2026-04-30 01:40:46 -04:00

200 lines
7.0 KiB
Python
Raw Blame History

#!/usr/bin/env python3
"""Comprehensive security validation script.
Runs all security checks and reports status.
Usage: python validate_security.py
"""
import sys
import os
import subprocess
import ast
from pathlib import Path
class SecurityValidator:
"""Run comprehensive security validations."""
def __init__(self):
self.issues = []
self.warnings = []
self.checks_passed = 0
self.checks_failed = 0
def run_all(self):
"""Run all security checks."""
print("=" * 80)
print("🔒 SECURITY VALIDATION SUITE")
print("=" * 80)
self.check_command_injection()
self.check_path_traversal()
self.check_ssrf_protection()
self.check_secret_leakage()
self.check_interrupt_race_conditions()
self.check_test_coverage()
self.print_summary()
return len(self.issues) == 0
def check_command_injection(self):
"""Check for command injection vulnerabilities."""
print("\n[1/6] Checking command injection protections...")
# Check transcription_tools.py uses shlex.split
content = Path("tools/transcription_tools.py").read_text()
if "shlex.split" in content and "shell=False" in content:
print(" ✅ transcription_tools.py: Uses safe list-based execution")
self.checks_passed += 1
else:
print(" ❌ transcription_tools.py: May use unsafe shell execution")
self.issues.append("Command injection in transcription_tools")
self.checks_failed += 1
# Check docker.py validates container IDs
content = Path("tools/environments/docker.py").read_text()
if "re.match" in content and "container" in content:
print(" ✅ docker.py: Validates container ID format")
self.checks_passed += 1
else:
print(" ⚠️ docker.py: Container ID validation not confirmed")
self.warnings.append("Docker container ID validation")
def check_path_traversal(self):
"""Check for path traversal protections."""
print("\n[2/6] Checking path traversal protections...")
content = Path("tools/file_operations.py").read_text()
checks = [
("_validate_safe_path", "Path validation function"),
("_contains_path_traversal", "Traversal detection function"),
("../", "Unix traversal pattern"),
("..\\\\", "Windows traversal pattern"),
("\\\\x00", "Null byte detection"),
]
for pattern, description in checks:
if pattern in content:
print(f"{description}")
self.checks_passed += 1
else:
print(f" ❌ Missing: {description}")
self.issues.append(f"Path traversal: {description}")
self.checks_failed += 1
def check_ssrf_protection(self):
"""Check for SSRF protections."""
print("\n[3/6] Checking SSRF protections...")
content = Path("tools/url_safety.py").read_text()
checks = [
("_is_blocked_ip", "IP blocking function"),
("create_safe_socket", "Connection-level validation"),
("169.254", "Metadata service block"),
("is_private", "Private IP detection"),
]
for pattern, description in checks:
if pattern in content:
print(f"{description}")
self.checks_passed += 1
else:
print(f" ⚠️ {description} not found")
self.warnings.append(f"SSRF: {description}")
def check_secret_leakage(self):
"""Check for secret leakage protections."""
print("\n[4/6] Checking secret leakage protections...")
content = Path("tools/code_execution_tool.py").read_text()
if "_ALLOWED_ENV_VARS" in content:
print(" ✅ Uses whitelist for environment variables")
self.checks_passed += 1
elif "_SECRET_SUBSTRINGS" in content:
print(" ⚠️ Uses blacklist (may be outdated version)")
self.warnings.append("Blacklist instead of whitelist for secrets")
else:
print(" ❌ No secret filtering found")
self.issues.append("Secret leakage protection")
self.checks_failed += 1
# Check for common secret patterns in allowed list
dangerous_vars = ["API_KEY", "SECRET", "PASSWORD", "TOKEN"]
found_dangerous = [v for v in dangerous_vars if v in content]
if found_dangerous:
print(f" ⚠️ Found potential secret vars in code: {found_dangerous}")
def check_interrupt_race_conditions(self):
"""Check for interrupt race condition fixes."""
print("\n[5/6] Checking interrupt race condition protections...")
content = Path("tools/interrupt.py").read_text()
checks = [
("RLock", "Reentrant lock for thread safety"),
("_interrupt_lock", "Lock variable"),
("_interrupt_count", "Nesting count tracking"),
]
for pattern, description in checks:
if pattern in content:
print(f"{description}")
self.checks_passed += 1
else:
print(f" ❌ Missing: {description}")
self.issues.append(f"Interrupt: {description}")
self.checks_failed += 1
def check_test_coverage(self):
"""Check security test coverage."""
print("\n[6/6] Checking security test coverage...")
test_files = [
"tests/tools/test_interrupt.py",
"tests/tools/test_path_traversal.py",
"tests/tools/test_command_injection.py",
]
for test_file in test_files:
if Path(test_file).exists():
print(f"{test_file}")
self.checks_passed += 1
else:
print(f" ❌ Missing: {test_file}")
self.issues.append(f"Missing test: {test_file}")
self.checks_failed += 1
def print_summary(self):
"""Print validation summary."""
print("\n" + "=" * 80)
print("VALIDATION SUMMARY")
print("=" * 80)
print(f"Checks Passed: {self.checks_passed}")
print(f"Checks Failed: {self.checks_failed}")
print(f"Warnings: {len(self.warnings)}")
if self.issues:
print("\n❌ CRITICAL ISSUES:")
for issue in self.issues:
print(f" - {issue}")
if self.warnings:
print("\n⚠️ WARNINGS:")
for warning in self.warnings:
print(f" - {warning}")
if not self.issues:
print("\n✅ ALL SECURITY CHECKS PASSED")
print("=" * 80)
if __name__ == "__main__":
validator = SecurityValidator()
success = validator.run_all()
sys.exit(0 if success else 1)
Reference in New Issue View Git Blame Copy Permalink