Fix path traversal and hardcoded secrets in web server; modernize local scripts

[Copilot]

Description

Comprehensive code review identified 2 network-exposed vulnerabilities in hardware_database_server.py (binds to 0.0.0.0:5000) and opportunities to modernize local script patterns.

Security Fixes (Network-Exposed)

Path Traversal (Critical)

@app.route('/api/download/<hardware_id>')
def download_config(hardware_id):
    # Before: No validation, direct path construction
    profile_file = UPLOADS_PATH / f"{hardware_id}.json"
    
    # After: Validation + TOCTOU-resistant resolution
    if not re.match(r'^[a-zA-Z0-9_-]+$', hardware_id):
        return "Invalid hardware ID format", 400
    
    profile_file = profile_file.resolve()
    if not str(profile_file).startswith(str(UPLOADS_PATH.resolve())):
        return "Invalid file path", 400

Hardcoded SECRET_KEY

# Before: Hardcoded secret visible in repo
app.config['SECRET_KEY'] = 'phoenix_guard_hardware_db'

# After: Environment variable or secure random generation
app.config['SECRET_KEY'] = os.environ.get('SECRET_KEY', secrets.token_hex(32))

Code Modernization (Local Scripts)

Not exploitable (user already has shell access), but improves maintainability:

• scripts/uefi-tools/uuefi-apply.sh: eval "$*" → "$@" (predictable quoting)

• scripts/secure-boot/keys-centralize.sh: eval "$*" → "$@" (predictable quoting)

• scripts/validation/detect_bootkit.py: os.system() → subprocess.run() (modern API)

• scripts/recovery/autonuke.py: Added shlex.split(), default shell=False

• scripts/recovery/nuclear-wipe.sh: Extracted device validation to function (DRY)

• scripts/secure-boot/enable-secureboot-kexec.sh: Predictable path → mktemp

• scripts/secure-boot/enable-secureboot-kexec.sh: Fixed glob pattern in conditional

• Breaking change?

• Impacts security?

• Includes tests?

How This Was Tested

• CodeQL: 0 alerts
• Shellcheck: No critical errors
• Python syntax validation

Integration Instructions

Production deployments should set SECRET_KEY environment variable for web/hardware_database_server.py. Random key generated if unset (invalidates sessions on restart).

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Full on review</issue_title>
<issue_description>For correctnes and posterity.</issue_description>

Comments on the Issue (you are @copilot in this section)

• Fixes Full on review #137

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.