Deep audit wave 2: PBKDF2 auth, XSS hardening, input validation, bug fixes

- Upgrade PIN/password hashing from plain SHA-256 to PBKDF2-SHA256 with
  random salt; transparent upgrade of legacy hashes on login
- Fix alert_rules cooldown: use utcnow() to match CURRENT_TIMESTAMP,
  handle timezone-aware strings without crash
- Fix AI context window trimming: preserve system message on truncation
- Fix monthly task recurrence drift: calendar-aware month arithmetic
  instead of timedelta(days=30)
- Fix garden seed expiration date: use calendar.monthrange() instead of
  arbitrary day cap at 28
- Fix version mismatch: nomad.py now uses Config.VERSION instead of stale
  hardcoded 7.10.0
- Add coordinate validation (-90..90 lat, -180..180 lng) to waypoint
  create/update and emergency rally point create/update
- Add triage category validation (immediate/delayed/minimal/expectant)
- Fix inventory CSV import data loss: per-row error handling instead of
  all-or-nothing crash
- Escape 15+ innerHTML XSS vectors in system info, benchmarks, maps,
  models, widget config, and phrase cards
- All 913 tests pass

Author: FOSSFOREVER

nomad.py

@@ -55,7 +55,7 @@ def _check_deps():
 from web.app import create_app, set_version
 from db import init_db, get_db, log_activity, backup_db
 
-VERSION = '7.10.0'
+VERSION = Config.VERSION
 PORT = Config.APP_PORT
 HOST = Config.APP_HOST
 

web/blueprints/ai.py

@@ -37,15 +37,23 @@ def _trim_messages_to_fit(messages, max_tokens=4096, system_tokens=0):
     if not messages:
         return messages
     budget = max_tokens - system_tokens - 200  # Reserve 200 for response
+    # Preserve system message if present — must never be dropped
+    system_msg = None
+    rest = messages
+    if messages[0].get('role') == 'system':
+        system_msg = messages[0]
+        rest = messages[1:]
+        budget -= _estimate_tokens(system_msg.get('content', ''))
     result = []
     total = 0
-    # Always keep the system message (first) and iterate from newest
-    for msg in reversed(messages):
+    for msg in reversed(rest):
         msg_tokens = _estimate_tokens(msg.get('content', ''))
         if total + msg_tokens > budget and result:
             break
         result.insert(0, msg)
         total += msg_tokens
+    if system_msg:
+        result.insert(0, system_msg)
     return result
 
 

web/blueprints/alert_rules.py

@@ -137,12 +137,14 @@ def api_alert_rules_evaluate():
             is_triggered = _compare(current_value, comp, threshold)
 
             if is_triggered:
-                # Check cooldown
+                # Check cooldown (CURRENT_TIMESTAMP stores UTC)
                 if rule['last_triggered']:
                     from datetime import datetime, timedelta
                     try:
                         last = datetime.fromisoformat(rule['last_triggered'])
-                        if datetime.now() - last < timedelta(minutes=rule['cooldown_minutes']):
+                        if last.tzinfo is not None:
+                            last = last.replace(tzinfo=None)
+                        if datetime.utcnow() - last < timedelta(minutes=rule['cooldown_minutes']):
                             continue  # Still in cooldown
                     except (ValueError, TypeError):
                         pass

web/blueprints/emergency.py

@@ -408,6 +408,20 @@ def api_rally_point_create(pid):
     if not name:
         return jsonify({'error': 'name is required'}), 400
 
+    # Validate coordinates if provided
+    lat = data.get('lat')
+    lng = data.get('lng')
+    if lat is not None or lng is not None:
+        try:
+            lat = float(lat) if lat is not None else None
+            lng = float(lng) if lng is not None else None
+        except (ValueError, TypeError):
+            return jsonify({'error': 'lat and lng must be numeric'}), 400
+        if lat is not None and not (-90 <= lat <= 90):
+            return jsonify({'error': 'lat must be -90..90'}), 400
+        if lng is not None and not (-180 <= lng <= 180):
+            return jsonify({'error': 'lng must be -180..180'}), 400
+
     with db_session() as db:
         plan = db.execute(
             'SELECT id FROM evac_plans WHERE id = ?', (pid,)
@@ -425,8 +439,8 @@ def api_rally_point_create(pid):
                 pid,
                 name,
                 data.get('location', ''),
-                data.get('lat'),
-                data.get('lng'),
+                lat,
+                lng,
                 data.get('point_type', 'assembly'),
                 int(data.get('sequence_order', 0)),
                 data.get('notes', ''),
@@ -451,6 +465,19 @@ def api_rally_point_update(rid):
     fields = {k: v for k, v in data.items() if k in allowed}
     if not fields:
         return jsonify({'error': 'no valid fields to update'}), 400
+    # Validate coordinates if provided
+    if 'lat' in fields or 'lng' in fields:
+        try:
+            if 'lat' in fields:
+                lat_val = float(fields['lat'])
+                if not (-90 <= lat_val <= 90):
+                    return jsonify({'error': 'lat must be -90..90'}), 400
+            if 'lng' in fields:
+                lng_val = float(fields['lng'])
+                if not (-180 <= lng_val <= 180):
+                    return jsonify({'error': 'lng must be -180..180'}), 400
+        except (ValueError, TypeError):
+            return jsonify({'error': 'lat and lng must be numeric'}), 400
 
     with db_session() as db:
         existing = db.execute(

web/blueprints/garden.py

@@ -1,5 +1,6 @@
 """Garden & agriculture routes."""
 
+import calendar
 import json
 import time
 from datetime import date, timedelta
@@ -684,7 +685,7 @@ def api_preservation_expiring():
             continue
         exp_year = batch.year + (batch.month + d['shelf_life_months'] - 1) // 12
         exp_month = (batch.month + d['shelf_life_months'] - 1) % 12 + 1
-        exp_day = min(batch.day, 28)
+        exp_day = min(batch.day, calendar.monthrange(exp_year, exp_month)[1])
         expiration = date(exp_year, exp_month, exp_day)
         if expiration <= threshold:
             d['expiration_date'] = expiration.isoformat()

web/blueprints/inventory.py

@@ -602,23 +602,27 @@ def api_inventory_import_csv():
         reader = csv.DictReader(io.StringIO(content))
         with db_session() as db:
             imported = 0
-            for row in reader:
-                name = row.get('Name', row.get('name', '')).strip()
-                if not name:
-                    continue
-                db.execute(
-                    'INSERT INTO inventory (name, category, quantity, unit, min_quantity, daily_usage, location, expiration, notes) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)',
-                    (name, row.get('Category', row.get('category', 'other')),
-                     float(row.get('Quantity', row.get('quantity', 0)) or 0),
-                     row.get('Unit', row.get('unit', 'ea')),
-                     float(row.get('Min Qty', row.get('min_quantity', 0)) or 0),
-                     float(row.get('Daily Usage', row.get('daily_usage', 0)) or 0),
-                     row.get('Location', row.get('location', '')),
-                     row.get('Expiration', row.get('expiration', '')),
-                     row.get('Notes', row.get('notes', ''))))
-                imported += 1
+            errors = []
+            for i, row in enumerate(reader, 1):
+                try:
+                    name = row.get('Name', row.get('name', '')).strip()
+                    if not name:
+                        continue
+                    db.execute(
+                        'INSERT INTO inventory (name, category, quantity, unit, min_quantity, daily_usage, location, expiration, notes) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)',
+                        (name, row.get('Category', row.get('category', 'other')),
+                         float(row.get('Quantity', row.get('quantity', 0)) or 0),
+                         row.get('Unit', row.get('unit', 'ea')),
+                         float(row.get('Min Qty', row.get('min_quantity', 0)) or 0),
+                         float(row.get('Daily Usage', row.get('daily_usage', 0)) or 0),
+                         row.get('Location', row.get('location', '')),
+                         row.get('Expiration', row.get('expiration', '')),
+                         row.get('Notes', row.get('notes', ''))))
+                    imported += 1
+                except Exception as e:
+                    errors.append(f'Row {i}: {str(e)}')
             db.commit()
-        return jsonify({'status': 'imported', 'count': imported})
+        return jsonify({'status': 'imported', 'count': imported, 'errors': errors})
     except Exception as e:
         log.exception('Inventory CSV import failed')
         return jsonify({'error': 'Import failed — check file format'}), 500

web/blueprints/maps.py

@@ -702,11 +702,18 @@ def api_waypoints_list():
 @maps_bp.route('/api/waypoints', methods=['POST'])
 def api_waypoints_create():
     data = request.get_json() or {}
+    try:
+        lat = float(data.get('lat', 0))
+        lng = float(data.get('lng', 0))
+    except (ValueError, TypeError):
+        return jsonify({'error': 'lat and lng must be numeric'}), 400
+    if not (-90 <= lat <= 90) or not (-180 <= lng <= 180):
+        return jsonify({'error': 'lat must be -90..90, lng must be -180..180'}), 400
     cat = data.get('category', 'general')
     color = WAYPOINT_COLORS.get(cat, '#9e9e9e')
     with db_session() as db:
         cur = db.execute('INSERT INTO waypoints (name, lat, lng, category, color, notes) VALUES (?, ?, ?, ?, ?, ?)',
-                         (data.get('name', 'Waypoint'), data.get('lat', 0), data.get('lng', 0),
+                         (data.get('name', 'Waypoint'), lat, lng,
                           cat, color, data.get('notes', '')))
         db.commit()
         row = db.execute('SELECT * FROM waypoints WHERE id = ?', (cur.lastrowid,)).fetchone()
@@ -729,6 +736,17 @@ def api_waypoint_update(wid):
     fields = {k: v for k, v in data.items() if k in allowed}
     if not fields:
         return jsonify({'error': 'No valid fields provided'}), 400
+    # Validate coordinates if provided
+    if 'lat' in fields or 'lng' in fields:
+        try:
+            lat = float(fields.get('lat', 0))
+            lng = float(fields.get('lng', 0))
+        except (ValueError, TypeError):
+            return jsonify({'error': 'lat and lng must be numeric'}), 400
+        if 'lat' in fields and not (-90 <= lat <= 90):
+            return jsonify({'error': 'lat must be -90..90'}), 400
+        if 'lng' in fields and not (-180 <= lng <= 180):
+            return jsonify({'error': 'lng must be -180..180'}), 400
     # Auto-set color when category changes
     if 'category' in fields:
         fields['color'] = WAYPOINT_COLORS.get(fields['category'], '#9e9e9e')

web/blueprints/medical.py

@@ -837,6 +837,9 @@ def api_triage_update(pid):
         if 'triage_category' in data:
             old_category = old_row['triage_category'] or ''
             new_category = data['triage_category']
+            valid_triage = {'immediate', 'delayed', 'minimal', 'expectant', 'unassigned', ''}
+            if new_category not in valid_triage:
+                return jsonify({'error': f'Invalid triage category. Must be one of: {", ".join(sorted(valid_triage - {""}))}'}), 400
             db.execute('UPDATE patients SET triage_category = ? WHERE id = ?', (new_category, pid))
             # Log to triage_history
             reason = data.get('reason', '')

web/blueprints/platform_security.py

@@ -4,6 +4,7 @@
 import json
 import logging
 import hashlib
+import os
 import secrets
 from datetime import datetime, timedelta
 
@@ -38,14 +39,42 @@
 
 # ─── Helpers ────────────────────────────────────────────────────────
 
+def _hash_credential(value):
+    """Hash a PIN or password using PBKDF2-SHA256 with random salt."""
+    salt = os.urandom(16)
+    h = hashlib.pbkdf2_hmac('sha256', value.encode(), salt, 100_000)
+    return f'pbkdf2${salt.hex()}${h.hex()}'
+
+
+def _verify_credential(value, stored_hash):
+    """Verify a PIN or password against a stored hash.
+    Supports PBKDF2 (preferred) and legacy plain SHA-256."""
+    if not value or not stored_hash:
+        return False
+    if stored_hash.startswith('pbkdf2$'):
+        parts = stored_hash.split('$')
+        if len(parts) != 3:
+            return False
+        salt = bytes.fromhex(parts[1])
+        h = hashlib.pbkdf2_hmac('sha256', value.encode(), salt, 100_000)
+        return h.hex() == parts[2]
+    # Legacy SHA-256 fallback
+    return hashlib.sha256(value.encode()).hexdigest() == stored_hash
+
+
+def _needs_rehash(stored_hash):
+    """Check if a hash uses the legacy format and needs upgrading."""
+    return bool(stored_hash) and not stored_hash.startswith('pbkdf2$')
+
+
 def _hash_pin(pin):
-    """Hash a PIN using SHA-256."""
-    return hashlib.sha256(pin.encode()).hexdigest()
+    """Hash a PIN using PBKDF2-SHA256."""
+    return _hash_credential(pin)
 
 
 def _verify_pin(pin, pin_hash):
     """Compare a plain PIN against a stored hash."""
-    return _hash_pin(pin) == pin_hash
+    return _verify_credential(pin, pin_hash)
 
 
 def _safe_user(row):
@@ -104,7 +133,7 @@ def users_create():
     pin = (data.get('pin') or '').strip()
     pin_hash = _hash_pin(pin) if pin else ''
     password = (data.get('password') or '').strip()
-    password_hash = hashlib.sha256(password.encode()).hexdigest() if password else ''
+    password_hash = _hash_credential(password) if password else ''
     permissions = json.dumps(data.get('permissions', []))
     settings = json.dumps(data.get('settings', {}))
     with db_session() as db:
@@ -173,7 +202,7 @@ def users_update(uid):
         password = (data['password'] or '').strip()
         if password:
             sets.append('password_hash = ?')
-            params.append(hashlib.sha256(password.encode()).hexdigest())
+            params.append(_hash_credential(password))
     if not sets:
         return jsonify({'error': 'no fields to update'}), 400
     sets.append("updated_at = datetime('now')")
@@ -259,7 +288,7 @@ def auth_login():
         if pin and user['pin_hash']:
             valid = _verify_pin(pin, user['pin_hash'])
         if not valid and password and user['password_hash']:
-            valid = hashlib.sha256(password.encode()).hexdigest() == user['password_hash']
+            valid = _verify_credential(password, user['password_hash'])
         if not valid:
             attempts = (user['failed_attempts'] or 0) + 1
             updates = {'failed_attempts': attempts}
@@ -280,6 +309,13 @@ def auth_login():
             log_activity('login_failed', service='platform_security',
                          detail=f'Failed login for {username} (attempt {attempts})')
             return jsonify({'error': 'invalid credentials'}), 401
+        # Transparently upgrade legacy SHA-256 hashes to PBKDF2
+        if pin and user['pin_hash'] and _needs_rehash(user['pin_hash']):
+            db.execute("UPDATE app_users SET pin_hash = ? WHERE id = ?",
+                       (_hash_credential(pin), user['id']))
+        if password and user['password_hash'] and _needs_rehash(user['password_hash']):
+            db.execute("UPDATE app_users SET password_hash = ? WHERE id = ?",
+                       (_hash_credential(password), user['id']))
         # Success — create session
         token = secrets.token_urlsafe(32)
         expires = (now + timedelta(hours=SESSION_TIMEOUT_HOURS)).strftime('%Y-%m-%dT%H:%M:%SZ')
@@ -385,9 +421,9 @@ def auth_change_password():
                 'SELECT password_hash FROM app_users WHERE id = ?', (sess['user_id'],)
             ).fetchone()
             if user and user['password_hash']:
-                if hashlib.sha256(current.encode()).hexdigest() != user['password_hash']:
+                if not _verify_credential(current, user['password_hash']):
                     return jsonify({'error': 'current password is incorrect'}), 401
-        new_hash = hashlib.sha256(new_password.encode()).hexdigest()
+        new_hash = _hash_credential(new_password)
         r = db.execute(
             "UPDATE app_users SET password_hash = ?, updated_at = datetime('now') WHERE id = ?",
             (new_hash, sess['user_id'])

web/blueprints/tasks.py

@@ -1,5 +1,6 @@
 """Tasks, timers, watch-schedules, and sun routes."""
 
+import calendar
 import json
 import math
 import logging
@@ -189,7 +190,10 @@ def api_tasks_complete(task_id):
         elif rec == 'weekly':
             next_due = (base + timedelta(weeks=1)).strftime('%Y-%m-%d %H:%M:%S')
         elif rec == 'monthly':
-            next_due = (base + timedelta(days=30)).strftime('%Y-%m-%d %H:%M:%S')
+            y = base.year + (base.month // 12)
+            m = (base.month % 12) + 1
+            d = min(base.day, calendar.monthrange(y, m)[1])
+            next_due = base.replace(year=y, month=m, day=d).strftime('%Y-%m-%d %H:%M:%S')
         else:
             next_due = None  # one-time task stays completed
         db.execute('UPDATE scheduled_tasks SET completed_count = ?, last_completed = ?, next_due = ? WHERE id = ?',