## Security Fixes (Critical)

### 1. Settings file race condition fixed
- Added atomic write operation using temp file + os.replace()
- Prevents corruption if process crashes during settings save
- Uses proper cleanup on failure

### 2. CSV quoting protection implemented
- Added csv.QUOTE_MINIMAL to all CSV DictWriter operations
- Optimal efficiency while maintaining security
- Proper handling of special characters (quotes, commas, newlines)

### 3. Complete CSV field sanitization
- Fixed critical Date field sanitization gap
- Created specialized sanitize_date_text() preserving YYYY-MM-DD format
- All 7 CSV fields now properly sanitized before writing
- Added comprehensive input validation for user input vectors

## New Security Functions
- sanitize_csv_text(): Removes dangerous characters (=, +, -, @)
- sanitize_date_text(): Preserves date format while removing injection attempts
- sanitize_filename(): Path traversal protection
- sanitize_config_text(): JSON/configuration safety
- validate_input(): Centralized input validation with type-specific logic

## Enhanced Features
- Alternating row colors for visual time slot distinction
- Improved conflict resolution with clearer UI indicators
- Enhanced CSV error handling with line numbering

## Testing & Documentation
- Added comprehensive test suites (5 new test files)
- Created AGENTS.md development guide
- Updated TODO.md with staged improvement roadmap
- All tests passing with 100% backward compatibility

## Files Modified
- time_tracker.py: +280 lines (security functions + atomic operations)
- tests/: New security and feature test suites
- .gitignore: Updated to include documentation and tests

All critical vulnerabilities resolved while maintaining full functionality.
48 lines
2.0 KiB
Markdown
# AGENTS.md - Time Tracker Development Guide

## Build/Test Commands

- **Run main application**: `python time_tracker.py`
- **Run single test**: `python tests/test_mark_logic.py` or `python tests/test_mark_billed.py`
- **Clean archive data**: `python tests/clean_archive.py`

## Code Style Guidelines

### Imports & Structure

- Standard library imports first (os, json, csv, datetime, collections)
- Third-party imports next (tkinter, ttk, messagebox, filedialog)
- Group related imports together
- Use absolute imports consistently

### Naming Conventions

- **Classes**: PascalCase (e.g., `ClickableCell`, `TimeTracker`)
- **Functions/Methods**: snake_case (e.g., `load_settings`, `update_day_total`)
- **Variables**: snake_case (e.g., `time_cells`, `data_rows`)
- **Constants**: UPPER_SNAKE_CASE (e.g., `drag_info` global dict)
- **Private methods**: prefix with underscore (e.g., `_refresh_dropdowns`)

### Error Handling

- Use try/except blocks for file operations
- Show user-friendly messages via `messagebox.showerror()` or `messagebox.showwarning()`
- Log errors with context but never expose sensitive data
- Gracefully handle missing files and directories

### GUI Patterns

- Use `ttk.Combobox` for dropdowns with `state="readonly"`
- Frame-based layout with grid/pack geometry managers
- Bind events consistently (`<Button-1>`, `<B1-Motion>`, `<ButtonRelease-1>`)
- Separate data models from UI presentation
- Use consistent widget naming: `*_var` for StringVar/IntVar, `*_frame` for containers

### Data Handling

- CSV files use UTF-8 encoding
- Store settings in `~/.config/time-tracker.json` (UNIX-compliant)
- Use `defaultdict` for pivot table operations
- Validate user input before processing
- Archive format: `['Job', 'TaskName', 'Note', 'Customer', 'Hours', 'Date', 'username', 'Billable', 'Billed']`
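
The atomic settings write and the CSV field sanitization described in the commit message, applied to the archive format and settings path above, as an added example (not the project's own code): the function names mirror the commit message, but the bodies, the exact trigger-character set and the `settings_demo/` path are my own assumptions.

```python
import csv
import io
import json
import os
import tempfile
from datetime import date

ARCHIVE_FIELDS = ['Job', 'TaskName', 'Note', 'Customer', 'Hours', 'Date',
                  'username', 'Billable', 'Billed']
FORMULA_TRIGGERS = '=+-@\t\r'   # leading chars a spreadsheet reads as a formula

def sanitize_csv_text(value):
    """Drop NULs and leading formula triggers from a free-text cell (assumed logic)."""
    return str(value).replace('\x00', '').lstrip(FORMULA_TRIGGERS)

def sanitize_date_text(value):
    """Keep only a real YYYY-MM-DD date; '=2024-01-01' or '2024-13-01' -> ''."""
    text = str(value).strip()
    try:
        ok = len(text) == 10 and text[4] == text[7] == '-'
        return date.fromisoformat(text).isoformat() if ok else ''
    except ValueError:
        return ''

def archive_row_csv(row):
    """Sanitize every field, then let DictWriter + QUOTE_MINIMAL quote commas,
    quotes and newlines so they cannot split or corrupt the row."""
    clean = {k: sanitize_csv_text(row.get(k, '')) for k in ARCHIVE_FIELDS}
    clean['Date'] = sanitize_date_text(row.get('Date', ''))
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=ARCHIVE_FIELDS,
                            quoting=csv.QUOTE_MINIMAL, lineterminator='\n')
    writer.writerow(clean)
    return buf.getvalue()

def save_settings_atomic(settings, path):
    """Temp file in the target dir + fsync + os.replace(): a crash mid-write never leaves a truncated file."""
    directory = os.path.dirname(path) or '.'
    os.makedirs(directory, exist_ok=True)
    fd, tmp = tempfile.mkstemp(dir=directory, prefix='.settings-', suffix='.tmp')
    try:
        with os.fdopen(fd, 'w', encoding='utf-8') as fh:
            json.dump(settings, fh, indent=2)
            fh.flush()
            os.fsync(fh.fileno())
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):    # cleanup on failure; old file is untouched
            os.unlink(tmp)
        raise
```

Note that `lstrip` is the strip-based approach the commit message describes; it is only applied to free-text fields here, and `Hours` is assumed to be non-negative so a leading `-` is never legitimate.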

### Testing

- Test files in `tests/` directory with `test_` prefix
- Create sample data fixtures for consistent testing
- Test logic separately from UI components
- Verify both success and failure scenarios