Fix critical bugs, security issues, and code quality across all modules

- Replace bare except clauses with specific exceptions (JSONDecodeError, IOError, ValueError, TypeError)
- Add path traversal protection restricting navigation to ALLOWED_BASE_DIR
- Sanitize iframe URLs with scheme validation and html.escape to prevent XSS
- Extract duplicate to_float/to_int to module-level helpers in json_loader.py
- Replace silent modulo wrapping with clamped bounds checking via get_batch_item()
- Remove hardcoded IP 192.168.1.51:5800, default to empty string
- Add try/except around fragile batch history string parsing
- Add JSON schema validation (dict type check) in read_json_data()
- Add Python logging framework, replace print() calls
- Consolidate session state initialization into loop with defaults dict
- Guard streamlit_agraph import with try/except ImportError
- Add backup snapshot before history node deletion
- Add cycle detection in HistoryTree.commit()

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-02 11:47:50 +01:00
parent 268de89f6d
commit 326ae25ab2
8 changed files with 143 additions and 106 deletions
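Two of the items in the commit message, the path traversal guard against ALLOWED_BASE_DIR and the iframe URL sanitizing with scheme validation plus html.escape, are shown below as an added worked example. This is not the project's own code; the function names `resolve_within_base`, `sanitize_iframe_url` and `check_navigation_cases` are hypothetical, and the workspace layout and request strings are constructed here to exercise `..`, absolute-path and symlink escapes.

```python
import html
import tempfile
from pathlib import Path
from typing import Dict, Optional
from urllib.parse import urlsplit


def resolve_within_base(requested: str, base: Path) -> Path:
    """Return the resolved path for `requested` only if it stays inside `base`.

    Both sides are resolved so that `..` segments and symlinks that point
    outside the base are caught by the prefix comparison. Raises ValueError
    when the request escapes.
    """
    base = base.resolve()
    # Joining an absolute path onto `base` yields the absolute path, so
    # absolute requests are checked exactly like relative ones.
    candidate = (base / requested).resolve()
    try:
        candidate.relative_to(base)  # component-wise prefix check
    except ValueError:
        raise ValueError(f"path escapes allowed base: {requested!r}") from None
    return candidate


def sanitize_iframe_url(url: str) -> Optional[str]:
    """Return an attribute-safe URL if its scheme is http(s) and it has a host.

    Anything else (javascript:, data:, scheme-relative //host, bare strings)
    is rejected with None rather than being rendered into an <iframe src>.
    """
    cleaned = url.strip()
    parts = urlsplit(cleaned)
    if parts.scheme.lower() not in {"http", "https"} or not parts.netloc:
        return None
    # quote=True also escapes the attribute delimiters ' and ".
    return html.escape(cleaned, quote=True)


def check_navigation_cases() -> Dict[str, bool]:
    """Exercise the containment check in a throwaway workspace (constructed here).

    Layout: <tmp>/workspace/projects is a legitimate subdirectory,
    <tmp>/secrets lies outside, and <tmp>/workspace/escape is a symlink
    into <tmp>/secrets. Returns which requests were allowed.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp).resolve()
        base = root / "workspace"
        (base / "projects").mkdir(parents=True)
        (root / "secrets").mkdir()
        (base / "escape").symlink_to(root / "secrets", target_is_directory=True)

        requests = {
            "subdir": "projects",
            "dotdot": "../secrets",
            "absolute": str(root / "secrets"),
            "symlink": "escape/token.txt",
            "nested_dotdot": "projects/../../secrets",
            "self": ".",
        }
        results: Dict[str, bool] = {}
        for name, req in requests.items():
            try:
                resolve_within_base(req, base)
                results[name] = True
            except ValueError:
                results[name] = False
        return results


if __name__ == "__main__":
    for case, allowed in check_navigation_cases().items():
        print(f"{case:14s} allowed={allowed}")
    for u in ("http://127.0.0.1:8188/", "javascript:alert(1)", "//evil.example/x"):
        print(repr(u), "->", sanitize_iframe_url(u))
```

The symlink case is the one a plain string-prefix check on the unresolved path misses: `workspace/escape/token.txt` starts with the base directory as text, but resolves outside it. Only the `subdir` and `self` requests are accepted.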


@@ -1,8 +1,17 @@
import json
import logging
import time
from pathlib import Path
import streamlit as st
# Configure logging for the application
logging.basicConfig(
level=logging.INFO,
format="%(asctime)s [%(name)s] %(levelname)s: %(message)s",
datefmt="%H:%M:%S",
)
logger = logging.getLogger(__name__)
# Default structure for new files
DEFAULTS = {
# --- Standard Keys for your Restored Single Tab ---
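Review bot: `logging.basicConfig(...)` at module import hard-codes `level=logging.INFO` and a `datefmt="%H:%M:%S"` that drops the date, so the new `logger.warning` records cannot be ordered across days when the log is reviewed later. Suggest reading the level from an environment variable (e.g. `os.environ.get("EDITOR_LOG_LEVEL", "INFO")`) and either dropping `datefmt` or using `"%Y-%m-%d %H:%M:%S"`. Because basicConfig is a no-op once the root logger has handlers, Streamlit re-running the script is harmless, but the first call's settings are then fixed for the process.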
@@ -43,14 +52,17 @@ DEFAULTS = {
CONFIG_FILE = Path(".editor_config.json")
SNIPPETS_FILE = Path(".editor_snippets.json")
# Restrict directory navigation to this base path (resolve symlinks)
ALLOWED_BASE_DIR = Path.cwd().resolve()
def load_config():
"""Loads the main editor configuration (Favorites, Last Dir, Servers)."""
if CONFIG_FILE.exists():
try:
with open(CONFIG_FILE, 'r') as f:
return json.load(f)
except:
pass
except (json.JSONDecodeError, IOError) as e:
logger.warning(f"Failed to load config: {e}")
return {"favorites": [], "last_dir": str(Path.cwd()), "comfy_instances": []}
def save_config(current_dir, favorites, extra_data=None):
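Review bot: the new `except (json.JSONDecodeError, IOError)` in load_config() still leaves two paths to an unhandled exception. `open(CONFIG_FILE, 'r')` has no `encoding=`, so a config file with bytes invalid under the locale encoding raises `UnicodeDecodeError` (a `ValueError`, which this tuple does not catch), and `return json.load(f)` hands back whatever was parsed without checking it is a dict, so a file containing `[]` or `"x"` reaches callers that expect `.get("favorites")`. Suggest `open(CONFIG_FILE, 'r', encoding='utf-8')`, catching `(ValueError, OSError)` (JSONDecodeError is a ValueError subclass), and returning the defaults unless `isinstance(data, dict)`. Also, `ALLOWED_BASE_DIR = Path.cwd().resolve()` is resolved but the default `"last_dir": str(Path.cwd())` is not; use `str(ALLOWED_BASE_DIR)` so the two agree when the working directory contains a symlink.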
@@ -76,8 +88,8 @@ def load_snippets():
try:
with open(SNIPPETS_FILE, 'r') as f:
return json.load(f)
except:
pass
except (json.JSONDecodeError, IOError) as e:
logger.warning(f"Failed to load snippets: {e}")
return {}
def save_snippets(snippets):
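Review bot: same gap as in load_config(): `open(SNIPPETS_FILE, 'r')` without `encoding=` can raise `UnicodeDecodeError`, which `(json.JSONDecodeError, IOError)` does not catch, and the parsed value is returned without an `isinstance(..., dict)` check even though the empty default is `{}`. Suggest `open(SNIPPETS_FILE, 'r', encoding='utf-8')`, catching `(ValueError, OSError)`, and returning `{}` unless the loaded value is a dict.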