Eric Taylor
595875ca07
## Security Fixes (Critical) ### 1. Settings file race condition fixed - Added atomic write operation using temp file + os.replace() - Prevents corruption if process crashes during settings save - Uses proper cleanup on failure ### 2. CSV quoting protection implemented - Added csv.QUOTE_MINIMAL to all CSV DictWriter operations - Optimal efficiency while maintaining security - Proper handling of special characters (quotes, commas, newlines) ### 3. Complete CSV field sanitization - Fixed critical Date field sanitization gap - Created specialized sanitize_date_text() preserving YYYY-MM-DD format - All 7 CSV fields now properly sanitized before writing - Added comprehensive input validation for user input vectors ## New Security Functions - sanitize_csv_text(): Removes dangerous characters (=,+, -, @) - sanitize_date_text(): Preserves date format while removing injection attempts - sanitize_filename(): Path traversal protection - sanitize_config_text(): JSON/configuration safety - validate_input(): Centralized input validation with type-specific logic ## Enhanced Features - Alternating row colors for visual time slot distinction - Improved conflict resolution with clearer UI indicators - Enhanced CSV error handling with line numbering ## Testing & Documentation - Added comprehensive test suites (5 new test files) - Created AGENTS.md development guide - Updated TODO.md with staged improvement roadmap - All tests passing with 100% backward compatibility ## Files Modified - time_tracker.py: +280 lines (security functions + atomic operations) - tests/: New security and feature test suites - .gitignore: Updated to include documentation and tests All critical vulnerabilities resolved while maintaining full functionality.