Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Python migration #1

Merged
merged 8 commits into from
Jul 29, 2024
Merged

Python migration #1

merged 8 commits into from
Jul 29, 2024

Conversation

kadraman
Copy link
Contributor

Migrating the application to use Python Flask.

@github-advanced-security
Copy link

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

@kadraman kadraman self-assigned this Jul 29, 2024
github-advanced-security[bot]
github-advanced-security bot found potential problems Jul 29, 2024
View reviewed changes
app/auth.py
if request.method == "POST":
username = request.form["username"]
password = request.form["password"]
print("logging in user {}:{}", username, password)

Check failure

Code scanning / Fortify on Demand

Privacy Violation

The file auth.py mishandles confidential information on line 92, which can compromise user privacy and is often illegal.Mishandling private information, such as customer passwords or social security numbers, can compromise user privacy and is often illegal.
app/auth.py
if request.method == "POST":
username = request.form["username"]
password = request.form["password"]
print("logging in user {}:{}", username, password)

Check failure

Code scanning / Fortify on Demand

Privacy Violation

The file auth.py mishandles confidential information on line 92, which can compromise user privacy and is often illegal.Mishandling private information, such as customer passwords or social security numbers, can compromise user privacy and is often illegal.
app/insecure.py
arguments = request.args.get('arguments')
home = os.getenv('APPHOME')
cmd = home.join(INITCMD).join(arguments)
os.system(cmd);

Check failure

Code scanning / Fortify on Demand

Command Injection

Line 50 in insecure.py calls system() with a command built from untrusted data. This call can cause the program to execute malicious commands on behalf of an attacker.Executing commands from an untrusted source or in an untrusted environment can cause an application to execute malicious commands on behalf of an attacker.
app/insecure.py
return response

def source(script_path):
with open(script_path, 'r') as script_file:

Check failure

Code scanning / Fortify on Demand

Path Manipulation

Attackers can control the file system path argument to open() at insecure.py line 82, which allows them to access or modify otherwise protected files.Allowing user input to control paths used in file system operations could enable an attacker to access or modify otherwise protected system resources.
app/products.py
products = db.execute(
"SELECT *"
" FROM products p"
" WHERE name LIKE '%%" + keywords + "%%'"

Check failure

Code scanning / Fortify on Demand

SQL Injection

Line 83 of products.py invokes a SQL query built with input that comes from an untrusted source. This call could allow an attacker to modify the statement's meaning or to execute arbitrary SQL commands.Constructing a dynamic SQL statement with input from an untrusted source might allow an attacker to modify the statement's meaning or execute arbitrary SQL commands.
app/auth.py
entries = []
entry = {'id': id, 'name': name, 'email': email, 'role' : role}
entries.append(entry)
json.dump(entries, f)

Check failure

Code scanning / Fortify on Demand

JSON Injection

On line 145 of auth.py, the method subscribe_user() writes unvalidated input into JSON. This call might allow an attacker to inject arbitrary elements or attributes into the JSON entity.The method writes unvalidated input into JSON. This call might allow an attacker to inject arbitrary elements or attributes into the JSON entity.
app/auth.py
entries = []
entry = {'id': id, 'name': name, 'email': email, 'role' : role}
entries.append(entry)
json.dump(entries, f)

Check failure

Code scanning / Fortify on Demand

JSON Injection

On line 145 of auth.py, the method subscribe_user() writes unvalidated input into JSON. This call might allow an attacker to inject arbitrary elements or attributes into the JSON entity.The method writes unvalidated input into JSON. This call might allow an attacker to inject arbitrary elements or attributes into the JSON entity.
app/auth.py
entries = []
entry = {'id': id, 'name': name, 'email': email, 'role' : role}
entries.append(entry)
json.dump(entries, f)

Check failure

Code scanning / Fortify on Demand

JSON Injection

On line 145 of auth.py, the method subscribe_user() writes unvalidated input into JSON. This call might allow an attacker to inject arbitrary elements or attributes into the JSON entity.The method writes unvalidated input into JSON. This call might allow an attacker to inject arbitrary elements or attributes into the JSON entity.
app/products.py
if not filename:
return 404
site_root = os.path.realpath(os.path.dirname(__file__))
return send_file(os.path.join(site_root, "static", "data", filename2))

Check failure

Code scanning / Fortify on Demand

Path Manipulation

Attackers can control the file system path argument to send_file() at products.py line 99, which allows them to access or modify otherwise protected files.Allowing user input to control paths used in file system operations could enable an attacker to access or modify otherwise protected system resources.
app/insecure.py
else:
template = request.form.get('template')
filename = request.form.get('filename')
t = Jinja2_Template(template)

Check failure

Code scanning / Fortify on Demand

Server-Side Template Injection

The call to __init__() in insecure.py on line 60 evaluates user-controlled data as a template engine's template, allowing attackers to access the template context and in some cases inject and run arbitrary code on the application server.User-controlled data is used as a template engine's template, allowing attackers to access the template context and in some cases inject and run arbitrary code on the application server.
@kadraman kadraman merged commit 61ff06d into main Jul 29, 2024
12 of 14 checks passed
kadraman
kadraman commented Jul 30, 2024
View reviewed changes
Copy link
Contributor Author

@kadraman kadraman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fortify vulnerability summary

New Issues

  • No new or re-introduced issues were detected

Removed Issues

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@kadraman kadraman

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@kadraman