Security module for AetherShell
This module provides comprehensive security controls for:
- Path validation and traversal prevention (CVSS 8.2)
- Command sanitization and allowlist enforcement (CVSS 9.1)
- Input validation for AI prompts and user input (CVSS 7.8)
- Secure credential management (CVSS 8.7)
All security functions are designed according to DOD standards and OWASP guidelines.
Re-exports
pub use crate::secure_config::SecureApiConfig;
Structs
- CommandSecurityConfig - Command allowlist configuration
- PathSecurityConfig - Security configuration for path validation
- ResourceLimits - Resource limits configuration
- SecurityAuditEvent - Security audit event structure for SIEM integration
Enums
- ErrorLevel - Error exposure level for security
- SecurityEventType - Security event types for audit logging
Functions
- check_file_size_limit - Check if a file size is within limits
- check_rate_limit - Check if an operation is rate limited
- configure_command_security - Configure global command security settings
- configure_path_security - Configure global path security settings
- configure_resource_limits - Configure global resource limits
- create_https_only_async_client - Create an HTTPS-only async client with timeouts (rejects HTTP)
- create_https_only_client - Create an HTTPS-only client (rejects HTTP)
- create_secure_async_client - Create a secure async HTTP client with proper timeout configuration
- create_secure_http_client - Create a secure HTTP client with hardened TLS configuration
- get_api_key_env - Get an API key from environment with validation (DEPRECATED - use SecureApiConfig instead)
- sanitize_error_message - Sanitize error messages to prevent information disclosure
- sanitize_path_in_error - Sanitize path in error messages
- sanitize_tui_output - Sanitize TUI output to prevent terminal escape sequence injection
- validate_ai_prompt - Validate AI prompt input for injection attacks
- validate_api_key_format - NOTE: For secure credential management, use the secrecy crate. This module provides validation and best practices, but actual secret storage should use OS-specific credential stores (Windows Credential Manager, macOS Keychain, etc.)
- validate_command - Validate a command is allowed to execute (prevents command injection)
- validate_http_url - Validate HTTP URL for SSRF prevention
- validate_read_path - Validate a path for read operations (less strict)
- validate_safe_path - Validate a path is safe to access (prevents path traversal attacks)
- validate_string_input - Validate generic string input
- validate_write_path - Validate a path for write operations (more strict)