Shared security helpers for Oubliette Shield / Sentinel / Dungeon / Trap / sift-guard.
Project description
oubliette-sec-utils
Shared security helpers for the Oubliette product family (Shield, Sentinel, Dungeon, Trap, sift-guard).
Extracted from duplicated inline code that was flagged in the 2026-04-22 red-team audit as the source of recurring cross-repo security fixes:
- Path scope —
contained_in()+safe_realpath()replace the brokenstartswith/normpathpattern. A sibling directory like/evidence-stolenno longer passes the scope check for/evidence. - Argument injection —
validate_argument()/validate_allowlist()reject strings that start with-, contain shell metacharacters, or aren't in a whitelisted set.shell=Falsedoes NOT protect against argv-level injection. - SSRF —
is_ip_safe()/validate_outbound_url()reject private, loopback, link-local, reserved, multicast, IPv6-mapped IPv4, and the Fly.io 6PN ULA range (fdaa::/16), whichipaddress.is_privatemisses. URL validation performs DNS resolution and checks every resolved IP (rebinding defence).
Install
pip install oubliette-sec-utils
Usage
from oubliette_sec_utils import (
contained_in, safe_realpath,
validate_argument, validate_allowlist,
is_ip_safe, validate_outbound_url,
)
# Path scope
assert contained_in("/evidence/disk.E01", "/evidence") is True
assert contained_in("/evidence-stolen/disk.E01", "/evidence") is False
# Argv injection
d = validate_argument("SYSTEM --plugins /tmp/evil.pl", allow_spaces=True)
assert d.blocked is True
# SSRF
d = validate_outbound_url("http://169.254.169.254/latest/meta-data/")
assert d.safe is False
Scope and non-goals
This package is a helper library, not a framework. It does not know about Flask, FastAPI, MCP, or any specific subsystem — callers wrap these helpers into their own request pipelines. That separation is deliberate: Shield, Sentinel, Dungeon, Trap, and sift-guard all have different framework shapes, but they share the same underlying validation needs.
License
Apache 2.0
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file oubliette_sec_utils-0.1.0.tar.gz.
File metadata
- Download URL: oubliette_sec_utils-0.1.0.tar.gz
- Upload date:
- Size: 12.6 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.2
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
d2dcd5842226fae7784faa7f7f6a2621ece7440f22bcef5bc8825129cdd24319
|
|
| MD5 |
14c4a65c7031759a47d39418488a5d6a
|
|
| BLAKE2b-256 |
7dbe9074983d491767b678fe61ecbab7fabed04d31f8af8818e9ff08dc6ff779
|
File details
Details for the file oubliette_sec_utils-0.1.0-py3-none-any.whl.
File metadata
- Download URL: oubliette_sec_utils-0.1.0-py3-none-any.whl
- Upload date:
- Size: 11.5 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.2
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
a1ae6876bad53a92ee1413229c68ffbe0e51c39b5caba2671cb3e6efae929e4d
|
|
| MD5 |
3192f41ee31585b9bc6a8ca8d9a1d107
|
|
| BLAKE2b-256 |
561dc145a6d2774d79914e4e81b70b293c79393bcd53520a960e037a882b2484
|
