CR: netapi v0.4.0 Security Hardening

Change Summary

Change ID    CR-2026-03-25-netapi-security-hardening
Type         Security / Code Quality
Priority     P0 - Critical
Status       Completed
Requested    2026-03-25
Completed    2026-03-25
Owner        Evan Rosado

Background

After pushing netapi to GitHub, Dependabot identified 4 security vulnerabilities (2 HIGH, 1 MEDIUM, 1 LOW). As netapi is a "daily driver" P0 tool used for infrastructure automation, security vulnerabilities are unacceptable.

Additionally, the codebase lacked a unified exception hierarchy, making error handling inconsistent across 17+ vendor integrations.
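The following is an added illustration of what a unified hierarchy buys, written for this page and not taken from netapi itself; the class and module names (PfSenseError, TransportError, the fake transport) are assumptions, not netapi's real identifiers. It contrasts the bare `except` pattern the CR removed from the pfSense client with a hardened form that translates transport failures into NetapiError subclasses, so a caller can handle any vendor's failure with one clause.

```python
"""Illustrative unified exception hierarchy; added example, not netapi's code."""
from __future__ import annotations


class NetapiError(Exception):
    """Root of the hierarchy. Every vendor exception derives from it, so a
    caller can handle any netapi failure with a single except clause."""

    def __init__(self, message: str, *, vendor: str | None = None) -> None:
        super().__init__(message)
        self.vendor = vendor


class AuthenticationError(NetapiError):
    """The device or API rejected the supplied credentials."""


class TransportError(NetapiError):
    """TCP/TLS/SSH level failure before any request was answered."""


class PfSenseError(NetapiError):
    """Base for a hypothetical pfSense client (real netapi class names may differ)."""


class PfSenseAuthError(PfSenseError, AuthenticationError):
    """pfSense rejected the API key; catchable through either parent branch."""


# Constructed stand-in for the HTTP transport: API key -> status code.
_FAKE_PFSENSE = {"valid-key": 200, "revoked-key": 401}
_FAKE_HOST = "fw.example.test"


def _call_api(host: str, api_key: str) -> int:
    """Simulated request: an unknown host fails at the socket layer, an
    unknown or revoked key is answered with 401."""
    if host != _FAKE_HOST:
        raise OSError("connection refused")
    status = _FAKE_PFSENSE.get(api_key, 401)
    if status == 401:
        raise PermissionError("401 Unauthorized")
    return status


def login_before(host: str, api_key: str) -> bool:
    """The pattern the CR removed. A bare except catches BaseException, so it
    also swallows KeyboardInterrupt and SystemExit, and the caller cannot
    distinguish a revoked key from an unreachable firewall."""
    try:
        _call_api(host, api_key)
        return True
    except:  # noqa: E722  (kept on purpose to show the anti-pattern)
        return False


def login_after(host: str, api_key: str) -> bool:
    """Hardened form: catch only what the transport raises and translate it
    into the shared hierarchy, chaining the original exception as __cause__.
    PermissionError is listed first because it is a subclass of OSError."""
    try:
        _call_api(host, api_key)
    except PermissionError as exc:
        raise PfSenseAuthError("pfSense rejected the API key", vendor="pfsense") from exc
    except OSError as exc:
        raise TransportError(f"cannot reach {host}: {exc}", vendor="pfsense") from exc
    return True


def login_error(host: str, api_key: str) -> NetapiError | None:
    """Return the NetapiError a login would raise, or None on success."""
    try:
        login_after(host, api_key)
    except NetapiError as exc:
        return exc
    return None


def collect_failures(targets: list[tuple[str, str]]) -> dict[str, str]:
    """Caller-side benefit of the shared base: one clause covers every vendor."""
    failures: dict[str, str] = {}
    for host, key in targets:
        try:
            login_after(host, key)
        except NetapiError as exc:
            failures[host] = f"{exc.vendor}:{type(exc).__name__}"
    return failures


if __name__ == "__main__":
    print(collect_failures([(_FAKE_HOST, "valid-key"), (_FAKE_HOST, "revoked-key"), ("nowhere", "x")]))
```

The multiple-inheritance leaf (PfSenseAuthError is both a PfSenseError and an AuthenticationError) is what lets a job runner catch "any auth failure, any vendor" and a pfSense-specific caller catch "anything pfSense" without either knowing the other's class names; `raise ... from exc` keeps the original 401 or socket error in the traceback, which the bare except discarded.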

Vulnerabilities Identified

Package                   Severity  CVE        Issue
cryptography <=46.0.4     HIGH      GHSA-xxxx  SECT curve subgroup attack
pyasn1 <=0.6.2            HIGH      GHSA-xxxx  DoS via unbounded recursion
requests <2.33.0          MEDIUM    GHSA-xxxx  Insecure temp file reuse
python-socketio <5.14.0   MEDIUM    GHSA-xxxx  RCE via pickle deserialization
Pygments <=2.19.2         LOW       GHSA-xxxx  ReDoS (no patch available)
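Since the fix here is "uv.lock regenerated with patched versions", the check a reviewer wants is that the regenerated lockfile no longer contains a version inside any of the ranges above. The script below is an added example, not part of netapi or the CR; it carries the advisory ranges from the table, parses the `[[package]]` blocks of a uv.lock with a small regex (relying on uv's name-then-version layout rather than a full TOML parser), and reports every advisory still matched. The embedded lockfile excerpt is constructed sample data with made-up versions, not netapi's actual uv.lock.

```python
"""Lockfile audit against the advisory ranges in the table; added example, not netapi's code."""
import re

# Vulnerable ranges as listed in the table above: (package, operator, bound, severity).
ADVISORIES = [
    ("cryptography", "<=", "46.0.4", "HIGH"),
    ("pyasn1", "<=", "0.6.2", "HIGH"),
    ("requests", "<", "2.33.0", "MEDIUM"),
    ("python-socketio", "<", "5.14.0", "MEDIUM"),
    ("pygments", "<=", "2.19.2", "LOW"),
]

# Constructed uv.lock excerpt. The versions are sample values chosen to show one
# still-vulnerable HIGH, one fixed MEDIUM and the unpatchable LOW; they are not
# netapi's real lockfile contents.
SAMPLE_UV_LOCK = """\
version = 1
requires-python = ">=3.11"

[[package]]
name = "cryptography"
version = "46.0.4"
source = { registry = "https://pypi.org/simple" }

[[package]]
name = "requests"
version = "2.33.1"
source = { registry = "https://pypi.org/simple" }

[[package]]
name = "pygments"
version = "2.19.2"
source = { registry = "https://pypi.org/simple" }
"""

# uv.lock writes name then version immediately after each [[package]] header;
# this regex relies on that layout instead of a full TOML parser.
_PKG_RE = re.compile(
    r'^\[\[package\]\]\s*\nname = "([^"]+)"\s*\nversion = "([^"]+)"', re.MULTILINE
)


def parse_uv_lock(text: str) -> dict[str, str]:
    """Map normalized package name -> locked version."""
    return {name.lower().replace("_", "-"): ver for name, ver in _PKG_RE.findall(text)}


def _release_key(version: str, width: int = 4) -> tuple[int, ...]:
    """Compare on numeric release segments only, zero-padded so "2.33" equals
    "2.33.0". Pre-release tags are ignored; enough for the x.y.z bounds above."""
    parts = [int(p) for p in re.findall(r"\d+", version)]
    return tuple(parts + [0] * (width - len(parts)))


def is_vulnerable(installed: str, op: str, bound: str) -> bool:
    """True if `installed` falls inside the advisory range `op bound`."""
    a, b = _release_key(installed), _release_key(bound)
    if op == "<":
        return a < b
    if op == "<=":
        return a <= b
    raise ValueError(f"unsupported operator {op!r}")


def audit_lock(text: str) -> list[tuple[str, str, str]]:
    """Return (package, locked version, severity) for every advisory still
    matched. Packages absent from the lockfile are not reported."""
    locked = parse_uv_lock(text)
    hits = []
    for pkg, op, bound, severity in ADVISORIES:
        ver = locked.get(pkg)
        if ver is not None and is_vulnerable(ver, op, bound):
            hits.append((pkg, ver, severity))
    return hits


if __name__ == "__main__":
    for pkg, ver, sev in audit_lock(SAMPLE_UV_LOCK):
        print(f"{sev:<7} {pkg} {ver} still in vulnerable range")
```

Running it against the real uv.lock after `uv sync` gives a quick local confirmation independent of Dependabot's next scan. An entry like the Pygments row, where no patched release exists, stays flagged on purpose: the point is to keep the accepted risk visible rather than to make the report empty.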

Breaking Changes

Change                                   Migration Path
genie/pyats removed from parsing extra   Install separately: pip install genie pyats (accepts security risk)

Files Modified

  • pyproject.toml - Dependency versions, removed genie/pyats

  • uv.lock - Regenerated with patched versions

  • netapi/primitives/exceptions.py - New unified hierarchy

  • netapi/vendors/pfsense/client.py - Bare except fix, inherit NetapiError

  • netapi/vendors/cisco/wlc/ssh_client.py - Inherit NetapiError

  • netapi/vendors/github/client.py - Inherit NetapiError

  • netapi/vendors/gitlab/client.py - Inherit NetapiError

  • netapi/vendors/gitea/client.py - Inherit NetapiError

  • netapi/vendors/cisco/ise/exceptions.py - NEW: Shared ISE exception hierarchy

  • netapi/vendors/cisco/ise/ers_client.py - Import from shared exceptions

  • netapi/vendors/cisco/ise/mnt_client.py - Import from shared exceptions

  • netapi/vendors/cisco/ise/openapi_client.py - Import from shared exceptions

  • netapi/vendors/cisco/ise/pxgrid_client.py - Import from shared exceptions

  • netapi/vendors/cisco/ise/saml_client.py - Import from shared exceptions

  • netapi/vendors/cisco/ise/certs_client.py - Import from shared exceptions

  • netapi/vendors/cisco/ise/backup_client.py - Import from shared exceptions

  • netapi/vendors/cisco/ise/dataconnect_client.py - Import from shared exceptions

  • netapi/vendors/cisco/firewall/asa_client.py - Inherit NetapiError

  • netapi/vendors/cisco/firewall/fmc_client.py - Inherit NetapiError

  • netapi/vendors/cisco/ios/client.py - Inherit NetapiError

  • netapi/vendors/cisco/ios/ssh_client.py - Inherit NetapiError

  • netapi/vendors/infoblox/client.py - Inherit NetapiError

  • netapi/vendors/keycloak/client.py - Inherit NetapiError

  • netapi/vendors/kvm/client.py - Inherit NetapiError

  • netapi/vendors/synology/client.py - Inherit NetapiError

Commits

Repository          Commit
netapi              fix(security): Patch 4 Dependabot vulnerabilities
netapi              refactor: Migrate all vendor exceptions to unified NetapiError hierarchy
domus-captures      docs(netapi): v0.4.0 security fixes, 18 vendors, exception hierarchy
domus-netapi-docs   docs(changelog): Add v0.4.0 security fixes and exception hierarchy

Remaining Work

  1. Add unit tests for exception hierarchy

  2. Consider direnv for auto uv sync

Changelog

Date         Author        Change
2026-03-25   Evan Rosado   Initial CR created, security fixes completed
2026-03-25   Evan Rosado   All vendor exceptions migrated to NetapiError hierarchy (17/17)