chore(medcat-trainer): Harden MCT plugin scaffold with trust docs and URL/signal guards. #530
Document the in-process plugin trust model, validate bootstrap menu/route URLs against dangerous schemes, isolate plugin signal failures from core flows, and add secure API authoring guidance.
Lines under review (extensions.py):

# ---------------------------------------------------------------------------
# URL hardening for bootstrap-exposed entries
My only comment is that I'd probably remove any mention of "security" or "hardening" throughout, and really just talk about it being a safety net for writing plugins. You've already got docs that say it isn't security, so I'd keep that message consistent.
I'd do a pass through the documentation/code to reword it like that, really.
For example, this code here doesn't give any security or hardening at all against malicious plugins (and I get that you acknowledge that elsewhere). I'd just write a plugin that edits this extensions.py file and restart trainer.
For example, given this pydoc:
The registry helpers below apply light input hardening (URL-scheme validation on
menu/route entries) and signal emission is isolated via :func:`dispatch` so that
a buggy or hostile plugin receiver cannot break core request flows. These are
defence-in-depth measures, **not** a security boundary against malicious code
running in-process.
I'd probably remove the "hardening", "defence-in-depth" and "hostile plugin receiver" text here. Keep it consistent that it isn't defence at all. The function is called "validate", which feels like the right word to use throughout.
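As an added illustration, not code from this PR or from MedCAT Trainer, here is what the two mechanisms the docstring describes look like in plain Python: a scheme check on plugin-supplied menu/route URLs, and a dispatch helper that logs and skips a receiver that raises so the calling request flow continues. All names (validate_url, register_menu_entry, connect, dispatch, the signal names and sample URLs) are hypothetical. The check uses an allowlist of schemes rather than a list of dangerous ones, which is stricter than the PR wording implies; the dispatch docstring also spells out the limit the reviewer raises, namely that none of this constrains a plugin already running in-process.

```python
# Added example, not MedCAT Trainer code. All helper names are hypothetical.
import logging
from typing import Any, Callable, Dict, List, Tuple
from urllib.parse import urlsplit

log = logging.getLogger("plugin_registry")

# Schemes a plugin-supplied menu/route URL may carry. Scheme-less relative
# paths such as "/trainer/plugin/" are accepted; javascript:, data:,
# vbscript:, file: and everything else are not.
ALLOWED_SCHEMES = {"http", "https"}


class InvalidPluginURL(ValueError):
    """Raised when a plugin registers a menu/route URL that fails validation."""


def validate_url(url: Any) -> str:
    """Return a cleaned URL or raise InvalidPluginURL.

    Whitespace and control characters are removed before parsing so that
    "java\\tscript:alert(1)" cannot slip past a naive prefix check.
    """
    if not isinstance(url, str) or not url.strip():
        raise InvalidPluginURL("URL must be a non-empty string")
    cleaned = "".join(ch for ch in url if ch.isprintable() and not ch.isspace())
    parts = urlsplit(cleaned)
    scheme = parts.scheme.lower()
    if scheme and scheme not in ALLOWED_SCHEMES:
        raise InvalidPluginURL(f"scheme {scheme!r} is not allowed")
    if not scheme and parts.netloc:
        # "//evil.example/x" is protocol-relative: it leaves the app's origin.
        raise InvalidPluginURL("protocol-relative URLs are not allowed")
    return cleaned


_menu: List[Dict[str, str]] = []
_receivers: Dict[str, List[Callable[..., Any]]] = {}


def register_menu_entry(label: str, url: str) -> Dict[str, str]:
    """Validate the URL before the entry is exposed through the bootstrap."""
    entry = {"label": label, "url": validate_url(url)}
    _menu.append(entry)
    return entry


def connect(signal_name: str, receiver: Callable[..., Any]) -> None:
    """Register a plugin receiver for a named signal."""
    _receivers.setdefault(signal_name, []).append(receiver)


def dispatch(signal_name: str, **payload: Any) -> List[Tuple[Callable[..., Any], Any]]:
    """Call every receiver; a receiver that raises is logged and skipped.

    Returns (receiver, result_or_exception) pairs, in the spirit of Django's
    Signal.send_robust(), so the core request flow never sees a plugin bug.
    Only Exception is caught: SystemExit/KeyboardInterrupt still propagate,
    and nothing here stops a receiver that blocks, monkeypatches the app or
    rewrites files on disk. This is a safety net for buggy plugins, not a
    boundary against hostile ones.
    """
    results: List[Tuple[Callable[..., Any], Any]] = []
    for receiver in _receivers.get(signal_name, []):
        try:
            results.append((receiver, receiver(**payload)))
        except Exception as exc:  # noqa: BLE001 - isolating plugin faults is the point
            log.exception("receiver %r failed on signal %s", receiver, signal_name)
            results.append((receiver, exc))
    return results


if __name__ == "__main__":
    # Constructed inputs: one good entry, then a few that must be rejected.
    print(register_menu_entry("Docs", "/trainer/plugin/docs/"))
    for bad in ("javascript:alert(1)", " java\tscript:alert(1)",
                "data:text/html,<b>x</b>", "//evil.example/x"):
        try:
            register_menu_entry("x", bad)
        except InvalidPluginURL as exc:
            print(f"rejected {bad!r}: {exc}")

    def count(**kw: Any) -> int:
        return kw["documents"] + 1

    def broken(**kw: Any) -> None:
        raise RuntimeError("plugin bug")

    connect("after_project_save", count)
    connect("after_project_save", broken)
    # The core flow gets both outcomes back and carries on.
    for receiver, outcome in dispatch("after_project_save", documents=41):
        print(receiver.__name__, "->", repr(outcome))
```

The scheme check runs at registration time, so a bad entry fails when the plugin loads rather than when a user clicks it; dispatch returns the exception object instead of raising so callers can still inspect what went wrong.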