From 2e7193bbe551bba241b90dd4a83bc74dc22f0f77 Mon Sep 17 00:00:00 2001
From: Maneesh-Relanto
Date: Mon, 23 Feb 2026 12:49:37 +0530
Subject: [PATCH] fix: resolve CodeQL security alerts in flask-blog-api

Fixes GitHub security issues #115, #116, #117 flagged by CodeQL:
- fix(app.py): replace hardcoded debug=True with app.config.get('DEBUG', False) Debug mode is now driven by config/FLASK_DEBUG env var instead of being unconditionally enabled, preventing the interactive Werkzeug debugger from running in non-development environments (#115).
- fix(auth.py): do not expose jwt.InvalidTokenError message in HTTP response Replaced str(e) with a static 'Token is invalid' message to avoid leaking internal JWT library error details to clients (#116).
- fix(decorators.py): do not expose exception detail in authorization error response Added logging import and logger; internal exception info is now logged server-side (with exc_info) and a generic message is returned to the client instead of str(e) (#117).
---
 test-apps/02-flask-blog-api/app.py | 4 +++-
 test-apps/02-flask-blog-api/auth.py | 5 +++--
 test-apps/02-flask-blog-api/decorators.py | 7 ++++++-
 3 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/test-apps/02-flask-blog-api/app.py b/test-apps/02-flask-blog-api/app.py
index e20a9d7..302ed24 100644
--- a/test-apps/02-flask-blog-api/app.py
+++ b/test-apps/02-flask-blog-api/app.py
@@ -637,4 +637,6 @@ def setup_rbac(rbac: RBAC):
 ║ ║
 ╚════════════════════════════════════════════════╝
 """)
- app.run(debug=True, host='0.0.0.0', port=5000)
+ # Use debug flag from app config (controlled via FLASK_DEBUG env var) rather than
+ # hardcoding debug=True, which would enable the interactive debugger in production.
+ app.run(debug=app.config.get('DEBUG', False), host='0.0.0.0', port=5000)
diff --git a/test-apps/02-flask-blog-api/auth.py b/test-apps/02-flask-blog-api/auth.py
index 862f939..903d8c7 100644
--- a/test-apps/02-flask-blog-api/auth.py
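Review bot: The bind address on the new `app.run(...)` line is still the hard-coded `host='0.0.0.0'`, so whenever the config does enable debug (FLASK_DEBUG=1 left set on a shared host, for instance) the Werkzeug debugger is reachable from every interface rather than only locally; the host deserves the same config-driven treatment as the debug flag, e.g. `host=app.config.get('HOST', '127.0.0.1')` (config key name constructed here — use whatever key the app already defines). Passing `debug=app.config.get('DEBUG', False)` is also redundant with Flask's own behaviour: `app.run()` without a `debug` argument already uses `app.debug`, which is backed by `app.config['DEBUG']`, so `app.run(host=..., port=5000)` expresses the same intent with less to get wrong. The block containing this call (presumably the `__main__` guard) starts outside the hunk, so I cannot see whether `app.config['DEBUG']` is assigned elsewhere from a raw environment string, which would be truthy for values such as `'false'`.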
+++ b/test-apps/02-flask-blog-api/auth.py
@@ -109,10 +109,11 @@ def decorated_function(*args, **kwargs):
 'message': 'Please login again'
 }), 401
- except jwt.InvalidTokenError as e:
+ except jwt.InvalidTokenError:
+ # Do not expose internal JWT error details to the client
 return jsonify({
 'error': 'Invalid token',
- 'message': str(e)
+ 'message': 'Token is invalid'
 }), 401
 return decorated_function
diff --git a/test-apps/02-flask-blog-api/decorators.py b/test-apps/02-flask-blog-api/decorators.py
index ea31f0b..21692d4 100644
--- a/test-apps/02-flask-blog-api/decorators.py
+++ b/test-apps/02-flask-blog-api/decorators.py
@@ -2,10 +2,13 @@ RBAC Decorators for Flask Blog API.
 Provides decorators for permission and role-based authorization.
 """
+import logging
 from functools import wraps
 from flask import g, jsonify
 from auth import get_current_user
+logger = logging.getLogger(__name__)
+
 def require_permission(action: str, resource_type: str = None, check_ownership: bool = False):
 """
@@ -110,9 +113,11 @@ def decorated_function(*args, **kwargs):
 return f(*args, **kwargs)
 except Exception as e:
+ # Log the full error internally; do not expose exception details to the client
+ logger.error('Authorization check failed: %s', str(e), exc_info=True)
 return jsonify({
 'error': 'Authorization error',
- 'message': f'Failed to check permissions: {str(e)}'
+ 'message': 'Failed to check permissions'
 }), 500
 return decorated_function
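Review bot: The new `except jwt.InvalidTokenError:` branch drops the failure reason entirely, so malformed or tampered tokens (bad signature, unexpected algorithm, missing claims) now leave no server-side trace, whereas decorators.py in this same commit keeps the detail by logging it with `exc_info`. Keep the client message static but record the cause server-side, e.g. `except jwt.InvalidTokenError as e:` followed by `logger.warning('JWT validation rejected: %s', e)` — log the exception text only, never the token itself — so repeated rejections stay visible to monitoring; this assumes auth.py has a module logger, which its imports (outside the hunk) would show. The `decorated_function` this branch belongs to starts outside the hunk; the preceding 401 branch (likely an `ExpiredSignatureError` handler, a subclass of `InvalidTokenError`) is correctly ordered ahead of this one.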
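Review bot: The `except Exception as e:` in the second decorators.py hunk also catches exceptions raised by the wrapped view itself, since the `return f(*args, **kwargs)` directly above it appears to sit inside the same `try` (the `try` opens outside the hunk, so this is inferred from the layout); with the new static message, any bug in a view body is now reported to the client as 'Failed to check permissions' and logged as 'Authorization check failed', which misattributes the error and bypasses Flask's own error handlers for the view. Move the view call after the `try`/`except` so only the permission and ownership check is guarded, or narrow the `except` to the exception types that check can raise. A minor style point on the new `logger.error` line: `%s` formatting already stringifies its argument, so `logger.error('Authorization check failed: %s', e, exc_info=True)` is enough, and `logger.exception(...)` is the idiomatic equivalent inside an `except` block.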