j'6dZ ddlZddlZddlZddlZddlZddlZddlZddl Z ddl m Z ddl m Z ddlmZmZdZdadadZdd Z dd Ze d dZddZGddejjZdZddZGdde jZgdZdS)z+Centralized I/O security sentinel for NLTK.N) lru_cache)Path)unquoteurlparseFcg}dtjvr.tttjddg}tjdd}||f}tt|krtSt}|| tj zD]}}|ry t|dr|j n|}|tt!|`#t$t&t(f$rYywxYw~ddl}dd|fD]|} t|}|r||`#t$t&t(f$rYywxYw|a|a|S) zDDynamically determines allowed directories based on NLTK data paths.z nltk.datapath NLTK_DATANrz ~/nltk_dataz/usr/share/nltk_data)sysmoduleslistgetattrosenvironget_ALLOWED_ROOTS_CACHE_LAST_DATA_PATHSsetsplitpathsephasattrraddrstrresolveOSError ValueError RuntimeErrortempfile gettempdir expanduserexists) current_paths env_paths current_staterootspraw_prlocs V/lsinfo/ai/hellotax_ai/base_platform/venv/lib/python3.11/site-packages/nltk/pathsec.py_get_allowed_rootsr*sMck!!WS[%=vrJJKK  {B//I"I.M',< ,M,M## EEE Y__RZ88 8   ")!V"4"4;! $s5zz**22445555Z6      OOO5x7J7J7L7LM S $$&&..00Axxzz  ! \2    H !$ Ls&1AD  D&%D&AF%%F?>F?NLTKc* t|ts#|r!t|sdS t |dr|jnt|}d|vr9t |}|jdvrdS|jdkrt|j} t| n#ttf$rl| }d|vrB|ddz}t|d| nt| YnwxYw|rzt |dr|jnt|}t| } |ks- |std|d d |t!} t# fd | DrdS tt%j ks  r^t# fd | DrdSd|d } t(rt+| t-jd|d dt0ddSn#ttf$rYnwxYwd|d } t(rt+| t-j| t0ddS#t*tf$rt2$r t(rYdSwxYw)aG Ensures file access is restricted to allowed data directories. :param path_input: The path to validate. :param context: Diagnostic context for warnings/errors. :param required_root: If provided, enforces that the path is strictly within this specific directory (scoped sandbox). Nrz://)httphttpsftpfilez.zipSecurity Violation [z]: Path z escapes root c3NK|]}|kp|V dSN)is_relative_to).0roottargets r) z validate_path..xs:WWv~<!6!6t!.s'==tsd{======r:zS]: CWD access restricted in ENFORCE mode. Authorize via: nltk.data.path.append('.')zSecurity Warning [z allowed via CWD. stacklevelz]: Unauthorized path ) isinstanceintrstriprrrschemerrrrrlowerfindr5r*anyrgetcwdENFORCEPermissionErrorwarningswarnRuntimeWarning Exception) path_inputcontext required_rootrawparsed lower_rawzip_idxroot_raw scoped_root allowed_rootsmsgr=r8s @@r) validate_pathrZFs*c""*C OOK+EB(K+,A(J?JK+J,)K++J,,=K++#LLZipAuditc t|fd}t|tjr ||dStj|d5}||ddddS#1swxYwYdS#t t f$rttjf$rtrt dYdSwxYw)zEEnhanced Zip-Slip protection using Pathlib for cross-platform safety.cgn|}|D]}t|dr|jnt|}d|vrt d||z }|ksP|s;dd|d}trt|tj |tddS) NfilenamezNull byte in ZIP member: r2z]: Traversal member 'z ' detected.r>r?) namelistrr^rrrr5rIrJrKrLrM) zfmembersnamename_str member_pathrYrPspecific_memberr8s r)_auditz$validate_zip_archive.._audits%4%@!!bkkmm  I I,3D*,E,ET4==3t998##$%K%K%KLLL%099;; #v--1K1KF1S1S-dddxdddCI-c222 c>aHHHH I Ir:rNzZip validation failed) rrrAzipfileZipFilerJrr BadZipFilerI)zip_obj_or_path target_rootrfrPrgrar8s `` @r)validate_zip_archiverns\;k""**,, I I I I I I I" ow 7 7  F? # # # # ##66 "r                    Z ( W' (;;;  ;!"9:: : ; ; ;;s<A BB) B5 BBB B B=CC)maxsizecx tj|dtjS#ttf$rgcYSwxYw)z5Cached hostname resolution to mitigate DNS rebinding.N)proto)socket getaddrinfo IPPROTO_TCPrr)hostnames r)_resolve_hostnamerwsK!(D8JKKKK Z  s #99 NetworkIOc|r!t|sdS tt|}|jdkr(t t |j|ddS|jdvrBd|d|jd}trt|tj |td dSt|j pd D]x}tj|d d }|js|js|js|jr:d|d|}trt|tj |td ydS#tt(f$rt*$r trYdSwxYw)z-Hardened URL validation with SSRF protection.Nr0z .file_schemerP)r-r.r2z]: Unsupported scheme 'z'.r>r?r r1rz!]: SSRF attempt to restricted IP )rrCrrDrZrrrIrJrKrLrMrwrv ipaddress ip_address is_loopback is_link_local is_multicast is_privaterrN) url_inputrPrSrYresultips r)validate_network_urlrs C NN0022#i..)) =F " " '&+..78P8P8P Q Q Q Q F = 1 1 1XwXXv}XXX  A%c*** c>a@@@@ F'(=2>> E EF%fQil33B~ E!1 ER_ E  E[W[[WY[[E)#...M#~!DDDD E E Z (       s A E6A EBE#E98E9c"eZdZdZfdZxZS)_ValidatingRedirectHandlerzIEnsures that every step of a redirect chain is re-validated against SSRF.crt|dt||||||S)NNetworkRedirectrz)rsuperredirect_request)selfreqfpcoderYheadersnewurl __class__s r)rz+_ValidatingRedirectHandler.redirect_requests9V->????ww''RsGVLLLr:)__name__ __module__ __qualname____doc__r __classcell__rs@r)rrsGSSMMMMMMMMMr:rct|dr|jnt|}t|dtjt}|j|g|Ri|S)zCSecure wrapper for urllib.request.urlopen with redirect validation.full_urlzpathsec.urlopenrz) rrrrurllibrequest build_openerropen)urlargskwargsurl_stropeners r)urlopenrst%c:66DcllCHHG*;<<<< ^ ( ()C)E)E F FF 6;s ,T , , ,V , ,,r:rhc Lt|dtj|fd|i|S)z!Secure wrapper for builtins.open.z pathsec.openrzmode)rZbuiltinsr)r0rrs r)rrs2$//// = 3 3D 3F 3 33r:c:eZdZdZfdZdfd Zdfd ZxZS)rjz#Secure wrapper for zipfile.ZipFile.ct|ttfrt|dt j|g|Ri|dS)Nzpathsec.ZipFilerz)rArrrZr__init__)rr0rrrs r)rzZipFile.__init__sZ dS$K ( ( ; $(9 : : : ://///////r:Nct||ptj|t|||S)N)rf)rnrrHrextract)rmemberrpwdrs r)rzZipFile.extract s=T4#629;;OOOOwwvtS111r:ct||ptjt|||dSr4)rnrrHr extractall)rrrbrrs r)rzZipFile.extractalls@T4#629;;777 4#.....r:)NN)NNN)rrrrrrrrrs@r)rjrjsz--00000 222222//////////r:rj)rZrrnrrrjrI)r+N)Nr[)rx)rh) rrr{rrsr urllib.requestrrKri functoolsrpathlibr urllib.parserrrIrrr*rZrnrwrrHTTPRedirectHandlerrrrrj__all__r<r:r)rs211 ******** %%%PTTTTpAK!;!;!;!;H 3    FMMMMM!CMMM---4444 /////go///"   r: