fix: batch 34 — security + stability fixes in core infrastructure

SysAdminDoc · SysAdminDoc · commit b7f00d93223f · 2026-03-24T16:14:02.000-04:00
Security:
- validate_path() now blocks UNC/network paths (\server\share,
  //server/share) — prevents SSRF and NTLM hash leak on Windows.
  Checked both before and after os.path.normpath().
- ExtendScript startOpenCutBackend: sanitize registry-sourced
  exePath against batch command injection chars (&amp;|&lt;&gt;^%")

Job system stability:
- Stuck "running" jobs now auto-expire after 2 hours — prevents
  permanent TooManyJobsError when job threads crash silently
- proc.wait(5) after proc.kill() to reap zombie processes
- async_job decorator now stores thread handle in job dict
  (_thread was always None, preventing stuck thread detection)

ExtendScript:
- applyEditsToTimeline: projectItem in/out point reset is now
  guaranteed (needsReset flag tracks whether cleanup needed,
  reset block runs regardless of exceptions in insert loop)
diff --git a/Install.ps1 b/Install.ps1
@@ -155,7 +155,7 @@ Write-Host "  \___/| .__/ \___|_| |_|\____\__,_|\__|" -ForegroundColor Cyan
 Write-Host "       |_|                               " -ForegroundColor Cyan
 Write-Host ""
 Write-Host "  Open Source Video Editing Automation" -ForegroundColor DarkGray
-Write-Host "  Installer v1.5.5" -ForegroundColor DarkGray
+Write-Host "  Installer v1.5.6" -ForegroundColor DarkGray
 
 $isAdmin = Test-IsAdmin
 if ($isAdmin) {
diff --git a/OpenCut.iss b/OpenCut.iss
@@ -2,7 +2,7 @@
 ; Fully self-contained installer — bundles server exe, ffmpeg, and CEP extension
 
 #define MyAppName "OpenCut"
-#define MyAppVersion "1.5.5"
+#define MyAppVersion "1.5.6"
 #define MyAppPublisher "SysAdminDoc"
 #define MyAppURL "https://github.com/SysAdminDoc/OpenCut"
 
diff --git a/extension/com.opencut.panel/CSXS/manifest.xml b/extension/com.opencut.panel/CSXS/manifest.xml
@@ -2,11 +2,11 @@
 <ExtensionManifest xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                    Version="7.0"
                    ExtensionBundleId="com.opencut.panel"
-                   ExtensionBundleVersion="1.5.5"
+                   ExtensionBundleVersion="1.5.6"
                    ExtensionBundleName="OpenCut">
 
     <ExtensionList>
-        <Extension Id="com.opencut.panel.main" Version="1.5.5" />
+        <Extension Id="com.opencut.panel.main" Version="1.5.6" />
     </ExtensionList>
 
     <ExecutionEnvironment>
diff --git a/extension/com.opencut.panel/client/index.html b/extension/com.opencut.panel/client/index.html
@@ -2943,7 +2943,7 @@ <h1 class="content-title" id="contentTitle">Cut & Clean</h1>
                     <div class="card-header"><div class="card-title">About OpenCut</div></div>
                     <div class="settings-row">
                         <span class="settings-label">Version</span>
-                        <span class="settings-value">1.5.5</span>
+                        <span class="settings-value">1.5.6</span>
                     </div>
                     <div class="about-links">
                         <a href="https://github.com/SysAdminDoc/opencut" class="about-link" target="_blank">GitHub</a>
diff --git a/extension/com.opencut.panel/client/main.js b/extension/com.opencut.panel/client/main.js
@@ -1,5 +1,5 @@
 /* ============================================================
-   OpenCut CEP Panel - Main Controller v1.5.5
+   OpenCut CEP Panel - Main Controller v1.5.6
    6-Tab Professional Toolkit
    ============================================================ */
 (function () {
diff --git a/extension/com.opencut.panel/client/style.css b/extension/com.opencut.panel/client/style.css
@@ -1,5 +1,5 @@
 /* ============================================================
-   OpenCut CEP Panel v1.5.5 - ULTRA PREMIUM EDITION
+   OpenCut CEP Panel v1.5.6 - ULTRA PREMIUM EDITION
    Next-Generation AI Editing Suite for Adobe Premiere Pro
    ============================================================ */
 
diff --git a/extension/com.opencut.panel/host/index.jsx b/extension/com.opencut.panel/host/index.jsx
@@ -595,9 +595,11 @@ function applyEditsToTimeline(segmentsJson, mediaPath) {
 
         // Set the project item's in/out points to this segment
         // This controls what portion of the clip gets inserted
+        var needsReset = false;
         try {
             projectItem.setInPoint(segStart, 4);  // 4 = all media types
             projectItem.setOutPoint(segEnd, 4);
+            needsReset = true;
         } catch (e) {
             // If setInPoint/setOutPoint not available, skip this segment
             continue;
@@ -624,19 +626,15 @@ function applyEditsToTimeline(segmentsJson, mediaPath) {
         }
     }
 
-    // Reset the project item's in/out points so it appears normal in the project panel
+    // Always reset the project item's in/out points (even if loop threw)
     try {
         projectItem.clearInPoint(4);
         projectItem.clearOutPoint(4);
     } catch (e) {
-        // clearInPoint may not exist in all versions; try setting to extremes
         try {
             projectItem.setInPoint(0, 4);
-            // setOutPoint to a very large value to effectively clear it
-            projectItem.setOutPoint(86400, 4);  // 24 hours
-        } catch (e2) {
-            // Best effort -- don't fail the whole operation
-        }
+            projectItem.setOutPoint(86400, 4);
+        } catch (e2) {}
     }
 
     if (insertedCount === 0) {
@@ -1137,8 +1135,9 @@ function startOpenCutBackend() {
             bat.writeln("timeout /t 1 /nobreak >nul 2>&1");
 
             if (exePath) {
-                // Launch the installed exe
-                bat.writeln('"' + exePath + '"');
+                // Launch the installed exe (sanitize path against injection)
+                var safePath = exePath.replace(/[&|<>^%"]/g, "");
+                bat.writeln('"' + safePath + '"');
             } else {
                 // Fall back to python -m (dev mode)
                 var pythonCmds = ["python", "python3", "py"];
diff --git a/extension/com.opencut.uxp/index.html b/extension/com.opencut.uxp/index.html
@@ -16,7 +16,7 @@
           <path d="M4 2.5a3 3 0 00-1.76 5.43L7.33 11l-5.09 3.07A3 3 0 104.8 19.5a3 3 0 001.76-5.43L8.93 12.6 16.5 17V5L8.93 9.4 6.56 7.93A3 3 0 004 2.5z" fill="var(--accent)"/>
         </svg>
         <span class="oc-logo">OpenCut</span>
-        <span class="oc-version">v1.5.5</span>
+        <span class="oc-version">v1.5.6</span>
       </div>
       <div class="oc-header-right">
         <div class="oc-connection" id="connectionStatus" title="Backend connection status">
diff --git a/extension/com.opencut.uxp/main.js b/extension/com.opencut.uxp/main.js
@@ -23,7 +23,7 @@ const BACKEND_DEFAULT  = "http://127.0.0.1:5679";
 const BACKEND_MAX_PORT = 5689;
 const POLL_INTERVAL_MS = 1200;
 const HEALTH_CHECK_MS  = 8000;
-const VERSION          = "1.5.5";
+const VERSION          = "1.5.6";
 
 async function detectBackend() {
   // Try ports 5679-5689 like CEP panel does
diff --git a/extension/com.opencut.uxp/manifest.json b/extension/com.opencut.uxp/manifest.json
@@ -1,7 +1,7 @@
 {
   "id": "com.opencut.uxp",
   "name": "OpenCut UXP",
-  "version": "1.5.5",
+  "version": "1.5.6",
   "main": "index.html",
   "host": [
     {
diff --git a/install.py b/install.py
@@ -10,7 +10,7 @@
 import subprocess
 import platform
 
-VERS = "1.5.5"
+VERS = "1.5.6"
 CEP_EXT = "com.opencut.panel"
 WIN_CEP_DIR = os.path.expandvars(r"%APPDATA%\Adobe\CEP\extensions")
 MAC_CEP_DIR = os.path.expanduser("~/Library/Application Support/Adobe/CEP/extensions")
diff --git a/installer/src/OpenCut.Installer/Models/AppConstants.cs b/installer/src/OpenCut.Installer/Models/AppConstants.cs
@@ -3,7 +3,7 @@ namespace OpenCut.Installer.Models;
 public static class AppConstants
 {
     public const string AppName = "OpenCut";
-    public const string AppVersion = "1.5.5";
+    public const string AppVersion = "1.5.6";
     public const string AppDisplayName = $"{AppName} v{AppVersion}";
     public const string AppPublisher = "SysAdminDoc";
     public const string AppUrl = "https://github.com/SysAdminDoc/OpenCut";
diff --git a/installer/src/OpenCut.Installer/OpenCut.Installer.csproj b/installer/src/OpenCut.Installer/OpenCut.Installer.csproj
@@ -7,8 +7,8 @@
     <RootNamespace>OpenCut.Installer</RootNamespace>
     <AssemblyName>OpenCut-Setup</AssemblyName>
     <ApplicationIcon>Assets\logo.ico</ApplicationIcon>
-    <Version>1.5.5</Version>
-    <FileVersion>1.5.5.0</FileVersion>
+    <Version>1.5.6</Version>
+    <FileVersion>1.5.6.0</FileVersion>
     <AssemblyVersion>1.3.0.0</AssemblyVersion>
     <Company>SysAdminDoc</Company>
     <Product>OpenCut Installer</Product>
diff --git a/installer/src/OpenCut.Installer/Properties/app.manifest b/installer/src/OpenCut.Installer/Properties/app.manifest
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="utf-8"?>
 <assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1">
-  <assemblyIdentity version="1.5.5.0" name="OpenCut.Installer" />
+  <assemblyIdentity version="1.5.6.0" name="OpenCut.Installer" />
   <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
     <security>
       <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
diff --git a/opencut/__init__.py b/opencut/__init__.py
@@ -5,6 +5,6 @@
 and more. Exports Premiere Pro / DaVinci Resolve / FCP XML.
 """
 
-__version__ = "1.5.5"
+__version__ = "1.5.6"
 __author__ = "OpenCut Contributors"
 __license__ = "MIT"
diff --git a/opencut/jobs.py b/opencut/jobs.py
@@ -150,12 +150,29 @@ def _kill_job_process(job_id: str):
             proc.kill()
         except OSError:
             pass
+        # Reap zombie process
+        try:
+            proc.wait(timeout=5)
+        except Exception:
+            pass
+
+
+_JOB_STUCK_TIMEOUT = 7200  # 2 hours — mark running jobs as error if stuck
 
 
 def _cleanup_old_jobs():
-    """Remove completed/errored jobs older than JOB_MAX_AGE."""
+    """Remove completed/errored jobs older than JOB_MAX_AGE.
+    Also mark stuck 'running' jobs as error after _JOB_STUCK_TIMEOUT."""
     now = time.time()
     with job_lock:
+        # Mark stuck running jobs as error
+        for jid, j in jobs.items():
+            if j["status"] == "running" and (now - j["created"]) > _JOB_STUCK_TIMEOUT:
+                j["status"] = "error"
+                j["error"] = "Job timed out (stuck for >2 hours)"
+                j["message"] = "Timed out"
+                logger.warning("Marking stuck job %s as error (created %.0fs ago)", jid, now - j["created"])
+        # Clean up old finished jobs
         expired = [
             jid for jid, j in jobs.items()
             if j["status"] in ("complete", "error", "cancelled")
@@ -215,7 +232,11 @@ def _process():
                                 message=f"Error: {e}")
 
             import threading as _t
-            _t.Thread(target=_process, daemon=True).start()
+            thread = _t.Thread(target=_process, daemon=True)
+            thread.start()
+            with job_lock:
+                if job_id in jobs:
+                    jobs[job_id]["_thread"] = thread
             return jsonify({"job_id": job_id})
         return wrapper
     return decorator
diff --git a/opencut/security.py b/opencut/security.py
@@ -76,8 +76,15 @@ def validate_path(path: str, allowed_base: str = None) -> str:
     if "\x00" in path:
         raise ValueError("Null byte in path")
 
+    # Block UNC/network paths (SSRF/NTLM hash leak risk)
+    if path.startswith("\\\\") or path.startswith("//"):
+        raise ValueError("UNC/network paths are not allowed")
+
     # Normalise and block .. components
     normed = os.path.normpath(path)
+    # Re-check after normpath (could produce UNC from edge cases)
+    if normed.startswith("\\\\") or normed.startswith("//"):
+        raise ValueError("UNC/network paths are not allowed")
     parts = normed.replace("\\", "/").split("/")
     if ".." in parts:
         raise ValueError("Path traversal blocked")
diff --git a/opencut/server.py b/opencut/server.py
@@ -556,7 +556,7 @@ def run_server(host="127.0.0.1", port=5679, debug=False):
     atexit.register(_remove_pid)
 
     print("")
-    print("  OpenCut Backend Server v1.5.5")
+    print("  OpenCut Backend Server v1.5.6")
     print(f"  Listening on http://{host}:{effective_port}")
     print(f"  PID: {os.getpid()}")
     print(f"  Log file: {LOG_FILE}")
diff --git a/pyproject.toml b/pyproject.toml
@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "opencut"
-version = "1.5.5"
+version = "1.5.6"
 description = "Open-source AI video editing automation for Adobe Premiere Pro - captions, audio processing, visual effects, and more"
 readme = "README.md"
 license = {text = "MIT"}
diff --git a/requirements.txt b/requirements.txt
@@ -1,4 +1,4 @@
-# OpenCut v1.5.5 Requirements
+# OpenCut v1.5.6 Requirements
 # Install: pip install -r requirements.txt
 # For GPU: pip install torch torchvision torchaudio --index-url https://download.pytorch.org/whl/cu121
 

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`{`
`2`	`2`	`"id": "com.opencut.uxp",`
`3`	`3`	`"name": "OpenCut UXP",`
`4`		`- "version": "1.5.5",`
	`4`	`+ "version": "1.5.6",`
`5`	`5`	`"main": "index.html",`
`6`	`6`	`"host": [`
`7`	`7`	`{`