Python library for SecureDrop Workstation filesystem operations

[sssoleileraaa]

Description

See freedomofpress/securedrop-export#69 and #1226 where we introduced semgrep, custom rules, and some safety functions for file system operations in utils.py. This code is useful across projects so we should create a new library called securedrop-path or securedrop-safety or something that works for functions such as:

• safe_mkdir
• safe_extract
• safe_decrypt

This will also help standardize the way we create and cleanup files (which can be confusing, see #1228).

[eloquence]

@creviera has offered to take a first stab at a spike to implement such a library, with the goal to prepare a draft PR for broader input as part of the 5/5-5/19 sprint.

[sssoleileraaa]

I didn't get as far as opening a draft PR because of the security issue that came up during the sprint, but I have something started:

I propose we name the new module securedrop-pathlib. Once we agree on that, I can create a new repo and work with infra to set this up. Until then I'm working on fixing up tests, moving code around, and getting things to just work here: https://github.com/creviera/securedrop-pathlib. You can install securedrop-pathlib in the client virtualenv on this test branch by following these steps:

pip uninstall securedrop-pathlib
pip install git+https://github.com/creviera/securedrop-pathlib@master#egg=securedrop-pathlib

[eloquence]

For this sprint, @creviera wants to

• clarify setup docs in the README
• publish the package on pypi
• start using it in securedrop-client and securedrop-export

Going forward, issues will be tracked in the https://github.com/freedomofpress/secure-fs/ repo.