
🔴 1. Security: Missing Authentication on Gitea Endpoint #155

@juancolchete

Description

Location: app.py:945-948

```python
from flask import jsonify
import requests

@app.route('/api/gitea/get-issue/<int:issue_id>')
def get_issue_data(issue_id):
    # Unauthenticated proxy to the upstream Gitea API: no timeout, no status check
    req_data = requests.get("https://gitea.btcmap.org/api/v1/repos/teambtcmap/btcmap-data/issues/"+str(issue_id))
    return jsonify({'data':req_data.json()})
```

Problem: This endpoint is not protected by authentication. The @app.before_request check only applies to non-API routes or routes not in the exclusion list.

Fix: Add error handling, timeout, and status checks:

```python
from flask import jsonify
import requests

@app.route('/api/gitea/get-issue/<int:issue_id>')
def get_issue_data(issue_id):
    try:
        req_data = requests.get(
            f"https://gitea.btcmap.org/api/v1/repos/teambtcmap/btcmap-data/issues/{issue_id}",
            timeout=10
        )
        # Raise HTTPError for 4xx/5xx upstream responses instead of passing them through
        req_data.raise_for_status()
        return jsonify({'success': True, 'data': req_data.json()})
    except requests.exceptions.Timeout:
        return jsonify({'error': 'Request to Gitea timed out'}), 408
    except requests.exceptions.HTTPError as e:
        if e.response.status_code == 404:
            return jsonify({'error': f'Issue #{issue_id} not found'}), 404
        return jsonify({'error': f'Gitea API error: {str(e)}'}), 502
    except requests.exceptions.RequestException as e:
        # Connection and other transport failures: log details, return a generic error
        app.logger.error(f"Error fetching Gitea issue {issue_id}: {str(e)}")
        return jsonify({'error': 'Failed to fetch issue data'}), 500
```
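The error handling above still leaves authentication to the `@app.before_request` hook. The following added example (not code from this issue or the btcmap project) shows the difference between an exemption rule that skips every `/api/` path, as the issue describes, and a deny-by-default rule with an explicit allow-list, and audits a few constructed log entries against both. `PUBLIC_PATHS`, the sample log and the function names are assumptions for illustration.

```python
from typing import Callable, List, Optional, Tuple

# Explicit allow-list of public paths (assumed for illustration, not the project's own).
PUBLIC_PATHS = {"/login", "/healthz"}


def legacy_is_exempt(path: str) -> bool:
    """Flawed rule of the kind the issue describes: any /api/ route skips the auth check,
    so /api/gitea/get-issue/<id> is reachable without a session."""
    return path.startswith("/api/") or path in PUBLIC_PATHS


def hardened_is_exempt(path: str) -> bool:
    """Deny by default: only paths explicitly listed as public skip the auth check."""
    return path in PUBLIC_PATHS


def guard(path: str, user: Optional[str], is_exempt: Callable[[str], bool]) -> int:
    """Status a before_request hook would produce: 200 lets the view run, 401 rejects."""
    if is_exempt(path) or user is not None:
        return 200
    return 401


# Constructed access-log entries (path, authenticated user or None) for the audit below.
SAMPLE_LOG: List[Tuple[str, Optional[str]]] = [
    ("/healthz", None),
    ("/api/gitea/get-issue/42", None),
    ("/api/gitea/get-issue/42", "alice"),
    ("/dashboard", None),
]


def anonymous_reachable(is_exempt: Callable[[str], bool]) -> List[str]:
    """Paths an anonymous client would reach under the given exemption rule.

    Running this over real access logs with the legacy rule is a quick way to see
    which unauthenticated requests were actually served before the rule was tightened."""
    return [path for path, user in SAMPLE_LOG
            if user is None and guard(path, user, is_exempt) == 200]


if __name__ == "__main__":
    print("legacy  :", anonymous_reachable(legacy_is_exempt))
    print("hardened:", anonymous_reachable(hardened_is_exempt))
```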
