Major security and code quality improvements

Security: - Add input validation for all API endpoints (frequency, lat/lon, device, gain, ppm) - Add HTML escaping utility to prevent XSS attacks - Add path traversal protection for log file configuration - Add proper HTTP status codes for error responses (400, 409, 503) Performance: - Reduce SSE keepalive overhead (30s interval instead of 1s) - Add centralized SSE stream utility with optimized keepalive - Add DataStore class for thread-safe data with automatic cleanup New Features: - Add data export endpoints (/export/aircraft, /export/wifi, /export/bluetooth) - Support for both JSON and CSV export formats - Add process cleanup on application exit (atexit handlers) - Label Iridium module as demo mode with clear warnings Code Quality: - Create utils/validation.py for centralized input validation - Create utils/sse.py for SSE stream utilities - Create utils/cleanup.py for memory management - Add safe_terminate() and register_process() for process management - Improve error handling with proper logging throughout routes 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-04-24 06:40:00 -07:00 · 2025-12-30 19:24:40 +00:00
parent b44546af53
commit 1398a5dedd
13 changed files with 964 additions and 63 deletions
--- a/routes/adsb.py
+++ b/routes/adsb.py
@@ -16,6 +16,8 @@ from flask import Blueprint, jsonify, request, Response, render_template

 import app as app_module
 from utils.logging import adsb_logger as logger
+from utils.validation import validate_device_index, validate_gain
+from utils.sse import format_sse

 adsb_bp = Blueprint('adsb', __name__, url_prefix='/adsb')

@@ -218,11 +220,16 @@ def start_adsb():

    with app_module.adsb_lock:
        if adsb_using_service:
-            return jsonify({'status': 'already_running', 'message': 'ADS-B tracking already active'})
+            return jsonify({'status': 'already_running', 'message': 'ADS-B tracking already active'}), 409

    data = request.json or {}
-    gain = data.get('gain', '40')
-    device = data.get('device', '0')
+
+    # Validate inputs
+    try:
+        gain = int(validate_gain(data.get('gain', '40')))
+        device = validate_device_index(data.get('device', '0'))
+    except ValueError as e:
+        return jsonify({'status': 'error', 'message': str(e)}), 400

    # Check if dump1090 is already running externally (e.g., user started it manually)
    existing_service = check_dump1090_service()
@@ -294,12 +301,19 @@ def stop_adsb():
 def stream_adsb():
    """SSE stream for ADS-B aircraft."""
    def generate():
+        last_keepalive = time.time()
+        keepalive_interval = 30.0
+
        while True:
            try:
                msg = app_module.adsb_queue.get(timeout=1)
-                yield f"data: {json.dumps(msg)}\n\n"
+                last_keepalive = time.time()
+                yield format_sse(msg)
            except queue.Empty:
-                yield f"data: {json.dumps({'type': 'keepalive'})}\n\n"
+                now = time.time()
+                if now - last_keepalive >= keepalive_interval:
+                    yield format_sse({'type': 'keepalive'})
+                    last_keepalive = now

    response = Response(generate(), mimetype='text/event-stream')
    response.headers['Cache-Control'] = 'no-cache'