Skip to content

Security hardening, code cleanup, and dynamic currency list for currency_converter#31

Draft
Copilot wants to merge 2 commits intomainfrom
copilot/review-code-for-efficacy-security
Draft

Security hardening, code cleanup, and dynamic currency list for currency_converter#31
Copilot wants to merge 2 commits intomainfrom
copilot/review-code-for-efficacy-security

Conversation

Copy link
Copy Markdown

Copilot AI commented May 5, 2026
edited
Loading

The rates feed was fetched over plain HTTP with no timeout and no status check before writing to disk, leaving the plugin vulnerable to MITM rate substitution and silent XML corruption on server errors. Additionally, the currency list was hardcoded and could fall out of sync with the ECB's actual published currencies.

Security

  • HTTP → HTTPS on ratesURL
  • timeout=10 on requests.get() — prevents indefinite UI thread blocking
  • r.raise_for_status() before file write — a 4xx/5xx response no longer silently overwrites the cached XML; the existing HTTPError handler catches it
# Before
r = requests.get(self.ratesURL)
with open(xmlfile, "wb") as file:
    file.write(r.content)

# After
r = requests.get(self.ratesURL, timeout=10)
r.raise_for_status()
with open(xmlfile, "wb") as file:
    file.write(r.content)

Dynamic currency list

  • __init__ now builds self.CURRENCIES from the cached eurofxref-daily.xml — the list stays in sync with the ECB's actual published currencies without any per-keystroke overhead, since the parse happens once at plugin startup
  • EUR is appended explicitly — it is the ECB base currency and is not listed as an entry in the XML
  • Graceful fallback — if no XML file exists yet (first run) or parsing fails, the hardcoded class-level CURRENCIES list is used silently and a warning is logged

Code quality

  • Removed duplicate import decimal
  • Removed no-op "{}".format(attrib) calls in populate_rates — XML attribs are already strings
  • Replaced [f"{x}" for x in hint] list comprehension with direct ", ".join(hint)
  • Removed dead else: pass at end of query()
  • Initialised sourcerate = 1 alongside destrate in currconv — previously an unexpected loop exit would raise UnboundLocalError

@deefrawley
Copy link
Copy Markdown
Owner

deefrawley commented May 5, 2026

@copilot add change for dynamic sourcing of currency types in init

Copy link
Copy Markdown
Author

Copilot AI commented May 5, 2026

@copilot add change for dynamic sourcing of currency types in init

Done in e2e9138. __init__ now parses the cached eurofxref-daily.xml (if present) once at startup and sets self.CURRENCIES from the actual ECB data, with EUR appended since it's the base currency and not listed in the XML. The hardcoded class-level list remains as a silent fallback for the very first run before any file has been downloaded, and a try/except ensures a corrupt XML file just logs a warning and falls back to defaults rather than crashing.

Copilot AI changed the title Security hardening and code cleanup for currency_converter Security hardening, code cleanup, and dynamic currency list for currency_converter May 5, 2026
Copilot AI requested a review from deefrawley May 5, 2026 04:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@deefrawley deefrawley Awaiting requested review from deefrawley

Assignees

@deefrawley deefrawley

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@deefrawley