Normalize paths in asset manifest for enhanced security (#221)

* Normalize paths in asset manifest for enhanced security

- Add path normalization to obscure system-specific information in manifest
- Convert system paths to avoid leaking environment details
- Update tests to account for normalized paths

* Update changelog with security enhancement

* update changelog

* update

* move import

* make mypy happy

Author: joshuadavidthomas

CHANGELOG.md

@@ -18,6 +18,10 @@ and this project attempts to adhere to [Semantic Versioning](https://semver.org/
 
 ## [Unreleased]
 
+### Security
+
+- Normalize paths in asset manifest to prevent leaking system-specific information like Python version and installation paths
+
 ## [0.17.1]
 
 ### Fixed

src/django_bird/manifest.py

@@ -1,5 +1,6 @@
 from __future__ import annotations
 
+import hashlib
 import json
 import logging
 from pathlib import Path
@@ -13,6 +14,40 @@
 _manifest_cache = None
 
 
+def normalize_path(path: str) -> str:
+    """Normalize a template path to remove system-specific information.
+
+    Args:
+        path: The template path to normalize
+
+    Returns:
+        str: A normalized path without system-specific details
+    """
+    if "site-packages" in path:
+        parts = path.split("site-packages/")
+        if len(parts) > 1:
+            return f"pkg:{parts[1]}"
+
+    if hasattr(settings, "BASE_DIR") and settings.BASE_DIR:  # type: ignore[misc]
+        base_dir = Path(settings.BASE_DIR).resolve()  # type: ignore[misc]
+        abs_path = Path(path).resolve()
+        try:
+            if str(abs_path).startswith(str(base_dir)):
+                rel_path = abs_path.relative_to(base_dir)
+                return f"app:{rel_path}"
+        except ValueError:
+            # Path is not relative to BASE_DIR
+            pass
+
+    if path.startswith("/"):
+        hash_val = hashlib.md5(path.encode()).hexdigest()[:8]
+        filename = Path(path).name
+        return f"ext:{hash_val}/{filename}"
+
+    # Return as is if it's already a relative path
+    return path
+
+
 def load_asset_manifest() -> dict[str, list[str]] | None:
     """Load asset manifest from the default location.
 
@@ -57,9 +92,12 @@ def generate_asset_manifest() -> dict[str, list[str]]:
         dict[str, list[str]]: A dictionary mapping template paths to lists of component names.
     """
     template_component_map: dict[str, set[str]] = {}
+
     for template_path, component_names in gather_bird_tag_template_usage():
-        # Convert Path objects to strings for JSON
-        template_component_map[str(template_path)] = component_names
+        # Convert Path objects to strings for JSON and normalize
+        original_path = str(template_path)
+        normalized_path = normalize_path(original_path)
+        template_component_map[normalized_path] = component_names
 
     manifest: dict[str, list[str]] = {
         template: sorted(list(components))
@@ -79,8 +117,14 @@ def save_asset_manifest(manifest_data: dict[str, list[str]], path: Path | str) -
     path_obj = Path(path)
     path_obj.parent.mkdir(parents=True, exist_ok=True)
 
+    normalized_manifest = {}
+
+    for template_path, components in manifest_data.items():
+        normalized_path = normalize_path(template_path)
+        normalized_manifest[normalized_path] = components
+
     with open(path_obj, "w") as f:
-        json.dump(manifest_data, f, indent=2)
+        json.dump(normalized_manifest, f, indent=2)
 
 
 def default_manifest_path() -> Path:

src/django_bird/templatetags/tags/asset.py

@@ -12,6 +12,7 @@
 
 from django_bird._typing import override
 from django_bird.manifest import load_asset_manifest
+from django_bird.manifest import normalize_path
 
 
 class AssetTag(Enum):
@@ -51,9 +52,9 @@ def render(self, context: Context) -> str:
         # Only use manifest in production mode
         if not settings.DEBUG:
             manifest = load_asset_manifest()
-            if manifest and template_path in manifest:
-                # Use manifest for component names in production
-                component_names = manifest[template_path]
+            normalized_path = normalize_path(template_path)
+            if manifest and normalized_path in manifest:
+                component_names = manifest[normalized_path]
                 used_components = [
                     components.get_component(name) for name in component_names
                 ]

tests/test_manifest.py

@@ -12,6 +12,7 @@
 from django_bird.manifest import default_manifest_path
 from django_bird.manifest import generate_asset_manifest
 from django_bird.manifest import load_asset_manifest
+from django_bird.manifest import normalize_path
 from django_bird.manifest import save_asset_manifest
 from tests.utils import TestComponent
 
@@ -139,6 +140,43 @@ def mock_open_with_error(*args, **kwargs):
     assert loaded_manifest is None
 
 
+def test_normalize_path_site_packages():
+    site_pkg_path = "/usr/local/lib/python3.12/site-packages/django_third_party_pkg/components/templates/bird/button.html"
+
+    normalized = normalize_path(site_pkg_path)
+
+    assert (
+        normalized == "pkg:django_third_party_pkg/components/templates/bird/button.html"
+    )
+
+
+def test_normalize_path_project_base_dir():
+    base_dir = "/home/user/project"
+    project_path = f"{base_dir}/app/templates/invoices/pending_invoice_list.html"
+
+    with override_settings(BASE_DIR=base_dir):
+        normalized = normalize_path(project_path)
+
+    assert normalized == "app:app/templates/invoices/pending_invoice_list.html"
+
+
+def test_normalize_path_other_absolute_dir():
+    other_path = "/some/random/external/path.html"
+
+    normalized = normalize_path(other_path)
+
+    assert normalized.startswith("ext:")
+    assert "path.html" in normalized
+
+
+def test_normalize_path_relative_dir():
+    rel_path = "relative/path.html"
+
+    normalized = normalize_path(rel_path)
+
+    assert normalized == rel_path
+
+
 def test_generate_asset_manifest(templates_dir, registry):
     template1 = templates_dir / "test_manifest1.html"
     template1.write_text("""
@@ -181,12 +219,21 @@ def test_generate_asset_manifest(templates_dir, registry):
 
     manifest = generate_asset_manifest()
 
-    all_keys = list(manifest.keys())
-    template1_key = [k for k in all_keys if str(template1) in k][0]
-    template2_key = [k for k in all_keys if str(template2) in k][0]
+    for key in manifest.keys():
+        # Keys should not be absolute paths starting with /
+        assert not key.startswith("/"), f"Found absolute path in manifest: {key}"
+
+    template1_components = []
+    template2_components = []
+
+    for key, components in manifest.items():
+        if "test_manifest1.html" in key:
+            template1_components = components
+        elif "test_manifest2.html" in key:
+            template2_components = components
 
-    assert sorted(manifest[template1_key]) == sorted(["button", "card"])
-    assert sorted(manifest[template2_key]) == sorted(["accordion", "tab"])
+    assert sorted(template1_components) == sorted(["button", "card"])
+    assert sorted(template2_components) == sorted(["accordion", "tab"])
 
 
 def test_save_and_load_asset_manifest(tmp_path):
@@ -195,6 +242,11 @@ def test_save_and_load_asset_manifest(tmp_path):
         "/path/to/template2.html": ["accordion", "tab"],
     }
 
+    expected_normalized_data = {
+        normalize_path("/path/to/template1.html"): ["button", "card"],
+        normalize_path("/path/to/template2.html"): ["accordion", "tab"],
+    }
+
     output_path = tmp_path / "test-manifest.json"
 
     save_asset_manifest(test_manifest_data, output_path)
@@ -204,7 +256,7 @@ def test_save_and_load_asset_manifest(tmp_path):
     with open(output_path) as f:
         loaded_data = json.load(f)
 
-    assert loaded_data == test_manifest_data
+    assert loaded_data == expected_normalized_data
 
 
 def test_default_manifest_path():