Add secure API method resolution system

MarkoVcode · claude · MarkoVcode · commit 522d1f271528 · 2025-10-13T23:18:45.000+01:00
Implement strict HTTP verb-based method resolution that prevents arbitrary method execution on driver objects. GET requests now only resolve to query_* methods, POST requests only to set_*methods. This security measure protects against accessing private methods or unintended driver functionality via API. Updated frontend components to use partial method names (e.g., "voltage" instead of "query_voltage") which the API automatically resolves based on HTTP verb. Added comprehensive test coverage for the new resolution system. Documentation updated with security features and naming conventions. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/.claude/commands/push-changes.md b/.claude/commands/push-changes.md
@@ -0,0 +1,33 @@
+Commit all changes and push to current branch.
+
+Follow these steps:
+
+1. Run `git status` and `git diff` (both staged and unstaged) to understand all changes
+2. Run `git log -1 --format='%s'` to see the last commit message style
+3. Analyze the changes and generate a concise, descriptive commit message that:
+   - Summarizes the nature of changes (feature, fix, refactor, docs, etc.)
+   - Focuses on the "what" and "why" rather than implementation details
+   - Uses imperative mood (e.g., "Add feature" not "Added feature")
+   - Keeps the first line under 72 characters
+   - Follows the repository's commit message style
+4. Stage all changes with `git add .`
+5. Create the commit with the generated message, including the Claude Code attribution:
+   ```
+   git commit -m "$(cat <<'EOF'
+   [Your generated commit message here]
+
+   🤖 Generated with [Claude Code](https://claude.com/claude-code)
+
+   Co-Authored-By: Claude <noreply@anthropic.com>
+   EOF
+   )"
+   ```
+6. Push to the current branch with `git push`
+7. Display the commit SHA and summary of what was pushed
+
+IMPORTANT:
+- Do NOT commit if there are no changes (check git status first)
+- Do NOT push if the repository is not connected to a remote
+- If pre-commit hooks modify files, check if amend is safe before using --amend
+- Never use --force or --force-with-lease
+- If push fails, display the error and ask user how to proceed
diff --git a/CLAUDE.md b/CLAUDE.md
@@ -130,6 +130,31 @@ GitHub Actions runs on all branches and PRs:
 - Backend tests: `pytest benchmesh-serial-service/tests`
 - Frontend tests: `npx vitest run --reporter=dot`
 
+## API Naming Convention & Security
+
+The API implements a **secure method resolution system** that prevents arbitrary method execution:
+
+### GET Requests (Query)
+Partial method names are **strictly** resolved to `query_*` methods only:
+- `GET /instruments/PSU/device-1/1/voltage` → calls `driver.query_voltage(1)`
+- `GET /instruments/DMM/device-2/1/current` → calls `driver.query_current(1)`
+
+### POST Requests (Set)
+Partial method names are **strictly** resolved to `set_*` methods only:
+- `POST /instruments/PSU/device-1/1/current/2.5` → calls `driver.set_current(1, 2.5)`
+- `POST /instruments/ELL/device-3/1/mode/CURR` → calls `driver.set_mode(1, "CURR")`
+
+### Security Features
+1. **No Arbitrary Method Execution**: Only methods with `query_` or `set_` prefixes can be called via API
+2. **No Private Method Access**: Methods like `_internal_method()` or `__init__()` cannot be accessed
+3. **HTTP Verb Enforcement**: GET only allows query methods, POST only allows set methods
+4. **Protection Against Mistakes**: Cannot accidentally call setters with GET or queries with POST
+
+**Example of what is NOT allowed (security protection):**
+- `GET /instruments/PSU/device-1/1/poll_status` → **Rejected** (no query_poll_status)
+- `POST /instruments/PSU/device-1/1/_private_method/value` → **Rejected** (private method)
+- `GET /instruments/PSU/device-1/1/set_voltage` → **Rejected** (setter on GET request)
+
 ## Configuration System
 
 Devices are defined in `config.yaml` (YAML v1 schema):
@@ -160,12 +185,19 @@ Manifest aliases in `serial_manager.py` and `manifest_resolver.py` map legacy dr
 2. Create `driver.py` with a class exposing:
    - `query_identify()` → returns IDN string
    - `poll_status()` → returns status dict
-   - Device-specific control methods
+   - Device-specific control methods following naming convention:
+     - Read methods: `query_voltage()`, `query_current()`, `query_status()`, etc.
+     - Write methods: `set_voltage()`, `set_current()`, `set_mode()`, etc.
 3. Create `manifest.json` defining models, classes, polling config, and EOL characters
 4. Update `drivers/classes.json` if adding new 3-letter class codes
 5. Add driver instantiation logic to `driver_factory.py` if needed
 6. Create tests in `tests/` using pytest and mock serial communication
 
+**Driver Naming Convention:**
+- **Query methods** (read): prefix with `query_` (e.g., `query_voltage`, `query_current`)
+- **Setter methods** (write): prefix with `set_` (e.g., `set_voltage`, `set_current`)
+- This enables the API's smart resolution: GET `/voltage` → `query_voltage()`, POST `/current/2.5` → `set_current()`
+
 Driver should accept `transport: SerialTransport` in constructor and use it for all communication.
 
 ## Key Modules
@@ -176,7 +208,9 @@ Driver should accept `transport: SerialTransport` in constructor and use it for
 - `poll_worker.py`: DeviceWorker runs per-device polling loop in dedicated thread
 - `registry.py`: DeviceRegistry thread-safe storage for device IDN and status
 - `transport.py`: SerialTransport wraps pyserial with EOL handling
-- `api.py`: FastAPI app with endpoints `/status`, `/instruments`, `/api/call`, and WebSocket `/ws`
+- `api.py`: FastAPI app with endpoints `/status`, `/instruments`, instrument control endpoints, and WebSocket `/ws`
+  - Implements **secure** method resolution: GET requests resolve `voltage` → `query_voltage`, POST requests resolve `current` → `set_current`
+  - Prevents arbitrary method execution - only `query_*` and `set_*` methods can be called via API
 - `connection.py`: DeviceConnection tracks connection state per device
 - `reconnect.py`: ReconnectPolicy implements backoff strategy
 
diff --git a/benchmesh-serial-service/frontend/src/ui/classes/DMM/GenericDMM.tsx b/benchmesh-serial-service/frontend/src/ui/classes/DMM/GenericDMM.tsx
@@ -137,7 +137,8 @@ export function GenericDMM({ channelPath, registry }: { channelPath?: string, re
     setBusy(true)
     try {
       const ch = channel || '1'
-      await fetch(`${apiBase}/instruments/${klass}/${deviceId}/${ch}/set_mode/${encodeURIComponent(newMode)}`, { method: 'POST' })
+      // Use partial name - API will resolve to set_mode
+      await fetch(`${apiBase}/instruments/${klass}/${deviceId}/${ch}/mode/${encodeURIComponent(newMode)}`, { method: 'POST' })
     } catch (err) {
       console.debug('Mode change failed', err)
     } finally {
diff --git a/benchmesh-serial-service/frontend/src/ui/classes/ELL/GenericELL.tsx b/benchmesh-serial-service/frontend/src/ui/classes/ELL/GenericELL.tsx
@@ -84,7 +84,7 @@ export function GenericELL({ channelPath, registry }: { channelPath?: string, re
     const k = klass || 'ELL'
     const did = deviceId || '{id}'
     const ch = channel || '1'
-    return `/instruments/${k}/${did}/${ch}/set_mode/{value}`
+    return `/instruments/${k}/${did}/${ch}/mode/{value}`
   }, [klass, deviceId, channel])
 
   const handleModeChange = async (newMode: string) => {
@@ -93,7 +93,8 @@ export function GenericELL({ channelPath, registry }: { channelPath?: string, re
     setBusy(true)
     try {
       const ch = channel || '1'
-      await fetch(`${apiBase}/instruments/${klass}/${deviceId}/${ch}/set_mode/${encodeURIComponent(newMode)}`, { method: 'POST' })
+      // Use partial name - API will resolve to set_mode
+      await fetch(`${apiBase}/instruments/${klass}/${deviceId}/${ch}/mode/${encodeURIComponent(newMode)}`, { method: 'POST' })
     } catch (err) {
       console.debug('Mode change failed', err)
     } finally {
@@ -108,7 +109,8 @@ export function GenericELL({ channelPath, registry }: { channelPath?: string, re
       const ch = channel || '1'
       const next = !inputEnabled
       const cmd = next ? 'ON' : 'OFF'
-      await fetch(`${apiBase}/instruments/${klass}/${deviceId}/${ch}/set_input/${cmd}`, { method: 'POST' })
+      // Use partial name - API will resolve to set_input
+      await fetch(`${apiBase}/instruments/${klass}/${deviceId}/${ch}/input/${cmd}`, { method: 'POST' })
       setInputEnabled(next)
     } catch (err) {
       console.debug('Input toggle failed', err)
@@ -149,7 +151,7 @@ export function GenericELL({ channelPath, registry }: { channelPath?: string, re
               className={`psu-set psu-output ${inputEnabled ? 'danger' : ''}`}
               style={{ width: '100%', padding: '8px 12px', fontSize: '12px' }}
               onClick={handleInputToggle}
-              title={`POST ${apiBase}/instruments/${klass || 'ELL'}/${deviceId || '{id}'}/${channel || '1'}/set_input/${inputEnabled ? 'OFF' : 'ON'}`}
+              title={`POST ${apiBase}/instruments/${klass || 'ELL'}/${deviceId || '{id}'}/${channel || '1'}/input/${inputEnabled ? 'OFF' : 'ON'}`}
             >
               {busyInput ? (<><span className="spinner"/>{inputEnabled ? 'DISABLE INPUT' : 'ENABLE INPUT'}</>) : (inputEnabled ? 'DISABLE INPUT' : 'ENABLE INPUT')}
             </button>
diff --git a/benchmesh-serial-service/frontend/src/ui/classes/ELL/OwonOELELL.tsx b/benchmesh-serial-service/frontend/src/ui/classes/ELL/OwonOELELL.tsx
@@ -31,7 +31,8 @@ export function OwonOELELL({ channelPath, registry }: { channelPath?: string, re
     try {
       const ch = channel || '1'
       const modeKeyLower = modeKey.toLowerCase()
-      const url = `${apiBase}/instruments/${klass}/${deviceId}/${ch}/query_${modeKeyLower}`
+      // Use partial name - API will resolve to query_{mode}
+      const url = `${apiBase}/instruments/${klass}/${deviceId}/${ch}/${modeKeyLower}`
       const resp = await fetch(url)
       if (!resp.ok) return
 
@@ -166,7 +167,8 @@ export function OwonOELELL({ channelPath, registry }: { channelPath?: string, re
     setBusy(true)
     try {
       const ch = channel || '1'
-      await fetch(`${apiBase}/instruments/${klass}/${deviceId}/${ch}/set_mode/${encodeURIComponent(newMode)}`, { method: 'POST' })
+      // Use partial name - API will resolve to set_mode
+      await fetch(`${apiBase}/instruments/${klass}/${deviceId}/${ch}/mode/${encodeURIComponent(newMode)}`, { method: 'POST' })
 
       // After mode change, fetch the current setpoint value for this mode
       // Only fetch if the new mode has a setpoint definition (not DYN)
@@ -187,7 +189,8 @@ export function OwonOELELL({ channelPath, registry }: { channelPath?: string, re
       const ch = channel || '1'
       const next = !inputEnabled
       const cmd = next ? 'ON' : 'OFF'
-      await fetch(`${apiBase}/instruments/${klass}/${deviceId}/${ch}/set_input/${cmd}`, { method: 'POST' })
+      // Use partial name - API will resolve to set_input
+      await fetch(`${apiBase}/instruments/${klass}/${deviceId}/${ch}/input/${cmd}`, { method: 'POST' })
       // Don't optimistically set state - wait for WebSocket update
     } catch (err) {
       console.debug('Input toggle failed', err)
@@ -203,7 +206,8 @@ export function OwonOELELL({ channelPath, registry }: { channelPath?: string, re
       const ch = channel || '1'
       const next = !remoteMode
       const cmd = next ? 'ON' : 'OFF'
-      await fetch(`${apiBase}/instruments/${klass}/${deviceId}/${ch}/set_remote/${cmd}`, { method: 'POST' })
+      // Use partial name - API will resolve to set_remote
+      await fetch(`${apiBase}/instruments/${klass}/${deviceId}/${ch}/remote/${cmd}`, { method: 'POST' })
       // Don't optimistically set state - wait for WebSocket update
     } catch (err) {
       console.debug('Remote toggle failed', err)
@@ -227,8 +231,9 @@ export function OwonOELELL({ channelPath, registry }: { channelPath?: string, re
     try {
       const ch = channel || '1'
       // Convert mode to lowercase (CURR -> curr, VOLT -> volt, RES -> res, POW -> pow)
+      // Use partial name - API will resolve to set_{mode}
       const modeKey = mode.toLowerCase()
-      await fetch(`${apiBase}/instruments/${klass}/${deviceId}/${ch}/set_${modeKey}/${numVal}`, { method: 'POST' })
+      await fetch(`${apiBase}/instruments/${klass}/${deviceId}/${ch}/${modeKey}/${numVal}`, { method: 'POST' })
     } catch (err) {
       console.debug('Setpoint set failed', err)
     } finally {
diff --git a/benchmesh-serial-service/frontend/src/ui/classes/PSU/GenericPSU.tsx b/benchmesh-serial-service/frontend/src/ui/classes/PSU/GenericPSU.tsx
@@ -115,11 +115,12 @@ export function GenericPSU({ channelPath, registry }: { channelPath?: string, re
             try {
               const next = !outputEnabled
               const cmd = next ? 'ON' : 'OFF'
-              await fetch(`${apiBase}${channelPath}/set_output/${cmd}`, { method: 'POST' })
+              // Use partial name - API will resolve to set_output
+              await fetch(`${apiBase}${channelPath}/output/${cmd}`, { method: 'POST' })
               setOutputEnabled(next)
             } catch {} finally { setBusyOutput(false) }
           }}
-          title={`POST ${channelPath}/set_output/${outputEnabled ? 'OFF' : 'ON'}`}
+          title={`POST ${channelPath}/output/${outputEnabled ? 'OFF' : 'ON'}`}
         >
           {busyOutput ? (<><span className="spinner"/>{outputEnabled ? 'DISABLE OUTPUT' : 'ENABLE OUTPUT'}</>) : (outputEnabled ? 'DISABLE OUTPUT' : 'ENABLE OUTPUT')}
         </button>
diff --git a/benchmesh-serial-service/src/benchmesh_service/api.py b/benchmesh-serial-service/src/benchmesh_service/api.py
@@ -145,6 +145,51 @@ def _get_driver_or_error(device_id: str):
     return drv
 
 
+def _resolve_method_name(driver: Any, partial_name: str, http_method: str) -> str:
+    """
+    Resolve partial method names to full driver method names based on HTTP verb.
+
+    For GET requests: ONLY allows "query_{name}" pattern
+    For POST requests: ONLY allows "set_{name}" pattern
+
+    This security measure prevents arbitrary method execution on driver objects,
+    including private methods or methods not intended for API exposure.
+
+    Args:
+        driver: The driver instance
+        partial_name: The partial method name (e.g., "voltage", "current")
+        http_method: The HTTP method ("GET" or "POST")
+
+    Returns:
+        The resolved method name that exists on the driver
+
+    Raises:
+        HTTPException: If no valid method is found
+    """
+    # Determine the required prefix based on HTTP method
+    if http_method == "GET":
+        prefixed = f"query_{partial_name}"
+    elif http_method == "POST":
+        prefixed = f"set_{partial_name}"
+    else:
+        raise HTTPException(
+            status_code=400,
+            detail=f"Unsupported HTTP method: {http_method}"
+        )
+
+    # Only allow the prefixed version - no arbitrary method calls
+    if hasattr(driver, prefixed) and callable(getattr(driver, prefixed)):
+        return prefixed
+
+    # Method not found
+    raise HTTPException(
+        status_code=400,
+        detail=f"Method '{prefixed}' not found on driver. " +
+               f"Driver must implement {http_method.lower()} methods with appropriate prefix " +
+               f"('query_' for GET, 'set_' for POST)"
+    )
+
+
 @app.get("/", include_in_schema=False)
 def root():
     # If static UI is mounted, redirect there. Otherwise, assume dev server on 52893.
@@ -422,14 +467,15 @@ def call_driver_get(klass: str, device_id: str, channel: str, method: str):
         raise HTTPException(status_code=404, detail="Unknown device id")
 
     drv = _get_driver_or_error(device_id)
-    if not hasattr(drv, method) or not callable(getattr(drv, method)):
-        raise HTTPException(status_code=400, detail="Unknown or non-callable driver method")
+
+    # Resolve method name (e.g., "voltage" -> "query_voltage")
+    resolved_method = _resolve_method_name(drv, method, "GET")
 
     # Execute under device lock to avoid races with polling
     lock = _manager.dev_locks.get(device_id) if _manager else None
     import inspect
     ch = int(channel)
-    func = getattr(drv, method)
+    func = getattr(drv, resolved_method)
     try:
         if lock:
             with lock:
@@ -467,13 +513,14 @@ def call_driver_post(klass: str, device_id: str, channel: str, method: str, para
         raise HTTPException(status_code=404, detail="Unknown device id")
 
     drv = _get_driver_or_error(device_id)
-    if not hasattr(drv, method) or not callable(getattr(drv, method)):
-        raise HTTPException(status_code=400, detail="Unknown or non-callable driver method")
+
+    # Resolve method name (e.g., "current" -> "set_current")
+    resolved_method = _resolve_method_name(drv, method, "POST")
 
     import inspect
     arg = _coerce_arg(param)
     ch = int(channel)
-    func = getattr(drv, method)
+    func = getattr(drv, resolved_method)
 
     lock = _manager.dev_locks.get(device_id) if _manager else None
     try:
diff --git a/benchmesh-serial-service/tests/test_api_instruments.py b/benchmesh-serial-service/tests/test_api_instruments.py
@@ -17,8 +17,8 @@ def __init__(self):
         self.calls = []
         self.last_arg = None
 
-    def identify(self):
-        self.calls.append(("identify", ()))
+    def query_identify(self):
+        self.calls.append(("query_identify", ()))
         return "FAKE,IDN"
 
     def set_output(self, ch, v):
@@ -54,18 +54,20 @@ def client_with_fake_mgr(monkeypatch):
 
 def test_get_instrument_method_success(client_with_fake_mgr):
     client, fake = client_with_fake_mgr
+    # Use partial name - API will resolve to query_identify
     path = "/instruments/PSU/tenmapsu-1/1/identify"
     r = client.get(path)
     assert r.status_code == 200
     body = r.json()
     assert body["path"] == path
     assert body["value"] == "FAKE,IDN"
-    assert ("identify", ()) in fake.connections["tenmapsu-1"].calls
+    assert ("query_identify", ()) in fake.connections["tenmapsu-1"].calls
 
 
 def test_post_instrument_method_success_with_param(client_with_fake_mgr):
     client, fake = client_with_fake_mgr
-    r = client.post("/instruments/PSU/tenmapsu-1/1/set_output/true")
+    # Use partial name - API will resolve to set_output
+    r = client.post("/instruments/PSU/tenmapsu-1/1/output/true")
     assert r.status_code == 204
     drv = fake.connections["tenmapsu-1"]
     assert drv.last_arg is True
@@ -95,8 +97,9 @@ def test_method_exception_returns_400(monkeypatch):
     fake = FakeManager()
     # Replace driver with one that raises
     fake.connections["tenmapsu-1"] = FakeDriver()
-    setattr(fake.connections["tenmapsu-1"], "identify", fake.connections["tenmapsu-1"].blow_up)
+    setattr(fake.connections["tenmapsu-1"], "query_identify", fake.connections["tenmapsu-1"].blow_up)
     monkeypatch.setattr(api, "_make_manager", lambda: fake)
     with TestClient(api.app) as client:
+        # Use partial name - API will resolve to query_identify
         r = client.get("/instruments/PSU/tenmapsu-1/1/identify")
         assert r.status_code == 400
diff --git a/benchmesh-serial-service/tests/test_api_method_resolver.py b/benchmesh-serial-service/tests/test_api_method_resolver.py
