Module validation

Expand description

Input validation and path safety utilities for Contracts & Flow commands.

This module provides security-focused validation functions to mitigate:

All file paths are canonicalized and checked against project boundaries. Resource limits are enforced to prevent denial-of-service conditions.

Constants§

MAX_AST_DEPTH: Maximum AST traversal depth (TIGER-08 mitigation). Prevents stack overflow from deeply nested source code.
MAX_CFG_DEPTH: Maximum CFG/slice recursion depth (TIGER-03 mitigation). Prevents stack overflow from deeply recursive control flow analysis.
MAX_CONDITIONS_PER_FUNCTION: Maximum number of conditions to report per function.
MAX_FILE_SIZE: Maximum file size for analysis (10 MB). Files larger than this will be rejected (TIGER-04 partial mitigation).
MAX_FUNCTION_NAME_LEN: Maximum function name length.
MAX_SSA_NODES: Maximum SSA nodes to construct (TIGER-04 mitigation). Prevents memory exhaustion from extremely large SSA graphs.
WARN_FILE_SIZE: Warning threshold for file size (1 MB). Files larger than this emit a warning but are still processed.

check_ast_depth: Check if AST depth exceeds limit.
check_depth_limit: Check if a depth limit has been exceeded.
check_ssa_node_limit: Check if SSA node count exceeds limit.
has_path_traversal_pattern: Check if a path contains path traversal patterns.
read_file_safe: Safely read a file with size limits and UTF-8 validation.
read_file_safe_with_warning: Read a file safely, emitting a warning for large files.
validate_file_path: Validate and canonicalize a file path.
validate_file_path_in_project: Validate a file path ensuring it stays within a project root.
validate_function_name: Validate a function name for safety.
validate_line_numbers: Validate line number range.