[Security] Align Python YouTube boundary and redact downloader errors

[seonghobae]

현재 역할

• 직무 / O0: app-security hardening
• 업무 / O1: YouTube URL and subprocess error boundary alignment
• 과업 / O2~O3: make Python analysis-engine URL acceptance and error reporting match stricter React/Tauri policy
• 작업 / O4~O7: tests, implementation, PR gates, post-merge verification

현재 상태

React and Tauri restrict YouTube URLs more tightly than the Python analysis engine. Python currently accepts broader *.youtube.com hosts and can return raw downloader exception text through Tauri IPC to the UI.

Root cause

The Python boundary has drifted from the frontend/native allowlist and surfaces raw exception strings from a network-facing downloader/subprocess path.

다음 액션

• Restrict Python hosts to youtube.com, www.youtube.com, and youtu.be.
• Enforce 11-character video IDs and reject duplicate or malformed v params.
• Replace raw downloader exception propagation with fixed safe user-facing messages.
• Add tests asserting unsupported hosts and raw sensitive strings are rejected/redacted.

완료 조건

• services/analysis-engine/tests/test_youtube.py covers host allowlist, ID validation, duplicate params, restricted-content fallback, and raw error redaction.
• Targeted pytest and security gates pass.
• PR includes Security Notes for URL intake, subprocess, IPC, and logging/privacy boundaries.

Related

• Parent program: [Program] v0.1.4 residual security, warning, and brand-design follow-through #203
• Adjacent blocker/tracker: [Security] Track upstream-owned glib 0.18.5 RustSec exception #196 is separate and upstream-owned; this issue is repo-owned runtime app security.

Security Notes

• Attack surface: YouTube URL intake, yt-dlp subprocess, Tauri IPC result propagation, user-visible import errors.
• Trust boundary: untrusted remote URL and metadata cross React, Tauri, Python subprocess, and back to React.
• Mitigations: strict allowlist, 11-character ID validation, safe fixed error messages, no raw exception propagation.
• Remaining risk: yt-dlp remains network-facing and covered by dependency/security gates.
• Test points: malformed URL rejection, unsupported host rejection, duplicate v rejection, raw exception redaction.

[coderabbitai]

🔗 Related PRs

#53 - feat: add local analysis orchestration [merged]
#90 - feat: implement policy-constrained YouTube import (#30) [merged]
#96 - chore(security): resolve OSSF Scorecard alerts [merged]
#100 - fix(security): tighten YouTube URL validation to block redirect endpoints [merged]
#197 - Close Rust advisory owner-chain gaps [merged]

---

📝 Issue Planner

_{Check the box below or use the @coderabbitai plan command to generate an implementation plan and prompts that you can use with your favorite coding assistant.}

• Create Plan

---

🧪 Issue enrichment is currently in open beta.

You can configure auto-planning by selecting labels in the issue_enrichment configuration.

To disable automatic issue enrichment, add the following to your .coderabbit.yaml:

issue_enrichment:
  auto_enrich:
    enabled: false

💬 Have feedback or questions? Drop into our discord!