\j':dZ ddlZddlZddlZddlZddlZddlZddlZddl Z ddl m Z ddl m Z ddlmZmZdZdadadZddZ dd Ze d d Zdd ZGddej2j4ZdZddZGdde j<ZgdZy)z+Centralized I/O security sentinel for NLTK.N) lru_cache)Path)unquoteurlparseFc(g}dtjvr'tttjddg}tj j dd}||f}tt|k(rtSt}||jtjzD]Q}|s t|dr |jn|}|jtt!|j#Sddl}dd|j-fD]K} t|j/j#}|j1r|j|M|a|a|S#t$t&t(f$rYwxYw#t$t&t(f$rYwxYw) zDDynamically determines allowed directories based on NLTK data paths.z nltk.datapath NLTK_DATANrz ~/nltk_dataz/usr/share/nltk_data)sysmoduleslistgetattrosenvironget_ALLOWED_ROOTS_CACHE_LAST_DATA_PATHSsetsplitpathsephasattrraddrstrresolveOSError ValueError RuntimeErrortempfile gettempdir expanduserexists) current_paths env_paths current_staterootspraw_prlocs 6/root/env/lib/python3.12/site-packages/nltk/pathsec.py_get_allowed_rootsr*sgMckk!WS[[%=vrJK  {B/I"I.M',< ,M## EE Y__RZZ8 8  ")!V"4! $s5z*2245 5x7J7J7LM S $$&..0Axxz ! !$ LZ6  \2   s&(A E AE: E76E7:FFc> t|ts|rt|jsy t |dr |j n t|}d|vr>t |}|jdvry|jdk(rt|j } t|j |rft |dr |j n t|}t|j} |k(s% j|std|d d |t!} t# fd | Dry tt%j&j k(s j rPt# fd | Dryd|d } t(r t+| t-j.d|d dt0dy d|d } t(r t+| t-j.| t0dy#ttf$rT|j}d|vr1|jddz}t|d|j n t| YwxYw#ttf$rYwxYw#t*tf$rt2$r t(rYywxYw)aG Ensures file access is restricted to allowed data directories. :param path_input: The path to validate. :param context: Diagnostic context for warnings/errors. :param required_root: If provided, enforces that the path is strictly within this specific directory (scoped sandbox). Nrz://)httphttpsftpfilez.zipSecurity Violation [z]: Path z escapes root c3NK|]}|k(xsj|ywN)is_relative_to).0roottargets r) z validate_path..xs(Wv~<!6!6t!<<Ws"%c3(K|] }|k( ywr3)r5r6cwds r)r8z validate_path..s=tsd{=szS]: CWD access restricted in ENFORCE mode. Authorize via: nltk.data.path.append('.')zSecurity Warning [z allowed via CWD. stacklevelz]: Unauthorized path ) isinstanceintrstriprrrschemerrrrrlowerfindr4r*anyrgetcwdENFORCEPermissionErrorwarningswarnRuntimeWarning Exception) path_inputcontext required_rootrawparsed lower_rawzip_idxroot_raw scoped_root allowed_rootsmsgr;r7s @@r) validate_pathrXFs*c"*C OR]Q^_ +, WW W  ryy{#++-C} 5 5c :=}==*7)4@@)#..MM,WIXfXEVW&#$ !;&%WI-B6(K !#& & MM#~! ._audits%4%@!bkkm  I,3D*,E4==3t98#$'@ %KLL%099; #v-1K1KF1S0 9NxjXcdC-c22 c>aH IrNzZip validation failed) rrr?zipfileZipFilerHrr BadZipFilerG)zip_obj_or_path target_rootrcrNrdr^r7s `` @r)validate_zip_archiverls;k"**, I" ow 7 ? ##6 "r     Z ( W'' (; !"9: : ;s6AA<A< A0'A<0A95A<9A<<9B87B8)maxsizec~ tj|dtjS#ttf$rgcYSwxYw)z5Cached hostname resolution to mitigate DNS rebinding.N)proto)socket getaddrinfo IPPROTO_TCPrr)hostnames r)_resolve_hostnamerus;!!(D8J8JKK Z  s %(<<c|rt|jsy tt|}|jdk(r$t t |j |dy|jdvrAd|d|jd}tr t|tj|td yt|jxsd D]}tj|d d }|j s%|j"s|j$s |j&sOd|d|}tr t|tj|td y#tt(f$rt*$r trYywxYw)z-Hardened URL validation with SSRF protection.Nr/z .file_schemerN)r,r-r1z]: Unsupported scheme 'z'.r<r=r r0rz!]: SSRF attempt to restricted IP )rrArrBrXrrrGrHrIrJrKrurt ipaddress ip_address is_loopback is_link_local is_multicast is_privaterrL) url_inputrNrQrWresultips r)validate_network_urlrsQ C N002#i.) ==F " '&++.7)<8P Q  == 1 1&wi/Fv}}oUWX %c** c>a@ '(=2> EF%%fQil3B~~!1!1R__ ,WI5VWYVZ[)#..MM#~!D E Z (    s&AE%AE4A'E7EE65E6c"eZdZdZfdZxZS)_ValidatingRedirectHandlerzIEnsures that every step of a redirect chain is re-validated against SSRF.cFt|dt| ||||||S)NNetworkRedirectrw)rsuperredirect_request)selfreqfpcoderWheadersnewurl __class__s r)rz+_ValidatingRedirectHandler.redirect_requests(V->?w'RsGVLLre)__name__ __module__ __qualname____doc__r __classcell__rs@r)rrsSMMrerct|dr |jn t|}t|dtj j t}|j|g|i|S)zCSecure wrapper for urllib.request.urlopen with redirect validation.full_urlzpathsec.urlopenrw) rrrrurllibrequest build_openerropen)urlargskwargsurl_stropeners r)urlopenrsX%c:6cllCHG*;< ^^ ( ()C)E FF 6;;s ,T ,V ,,rec Lt|dtj|fd|i|S)z!Secure wrapper for builtins.open.z pathsec.openrwmode)rXbuiltinsr)r/rrs r)rrs%$/ == 3D 3F 33rec:eZdZdZfdZdfd Zdfd ZxZS)rhz#Secure wrapper for zipfile.ZipFile.crt|ttfr t|dt ||g|i|y)Nzpathsec.ZipFilerw)r?rrrXr__init__)rr/rrrs r)rzZipFile.__init__s3 dS$K ( $(9 : ///recnt||xstj|t||||S)N)rc)rlrrFrextract)rmemberrpwdrs r)rzZipFile.extract s-T4#6299;OwvtS11reclt||xstjt||||yr3)rlrrFr extractall)rrr_rrs r)rzZipFile.extractalls)T4#6299;7 4#.re)NN)NNN)rrrrrrrrrs@r)rhrhs-0 2//rerh)rXrrlrrrhrG)NLTKN)NZipAudit) NetworkIO)rf) rrrxrrqr urllib.requestrrIrg functoolsrpathlibr urllib.parserrrGrrr*rXrlrurrHTTPRedirectHandlerrrrrh__all__r:rer)rs21 * %PTpAK!;H 3 FM!C!CM-4 /goo/" re