address codeql scan results

frigate/http.py

@@ -261,7 +261,7 @@ def send_to_plus(id):
     except Exception as ex:
         logger.exception(ex)
         return make_response(
-            jsonify({"success": False, "message": str(ex)}),
+            jsonify({"success": False, "message": "Error uploading image"}),
             400,
         )
 
@@ -281,7 +281,7 @@ def send_to_plus(id):
         except Exception as ex:
             logger.exception(ex)
             return make_response(
-                jsonify({"success": False, "message": str(ex)}),
+                jsonify({"success": False, "message": "Error uploading annotation"}),
                 400,
             )
 
@@ -352,7 +352,7 @@ def false_positive(id):
     except Exception as ex:
         logger.exception(ex)
         return make_response(
-            jsonify({"success": False, "message": str(ex)}),
+            jsonify({"success": False, "message": "Error uploading false positive"}),
             400,
         )
 
@@ -455,8 +455,9 @@ def get_labels():
         else:
             events = Event.select(Event.label).distinct()
     except Exception as e:
+        logger.error(e)
         return make_response(
-            jsonify({"success": False, "message": f"Failed to get labels: {e}"}), 404
+            jsonify({"success": False, "message": "Failed to get labels"}), 404
         )
 
     labels = sorted([e.label for e in events])
@@ -469,9 +470,9 @@ def get_sub_labels():
 
     try:
         events = Event.select(Event.sub_label).distinct()
-    except Exception as e:
+    except Exception:
         return make_response(
-            jsonify({"success": False, "message": f"Failed to get sub_labels: {e}"}),
+            jsonify({"success": False, "message": "Failed to get sub_labels"}),
             404,
         )
 
@@ -649,7 +650,7 @@ def event_snapshot(id):
             )
         # read snapshot from disk
         with open(
-            os.path.join(CLIPS_DIR, f"{event.camera}-{id}.jpg"), "rb"
+            os.path.join(CLIPS_DIR, f"{event.camera}-{event.id}.jpg"), "rb"
         ) as image_file:
             jpg_bytes = image_file.read()
     except DoesNotExist:
@@ -741,7 +742,7 @@ def event_clip(id):
             jsonify({"success": False, "message": "Clip not available"}), 404
         )
 
-    file_name = f"{event.camera}-{id}.mp4"
+    file_name = f"{event.camera}-{event.id}.mp4"
     clip_path = os.path.join(CLIPS_DIR, file_name)
 
     if not os.path.isfile(clip_path):
@@ -994,8 +995,9 @@ def create_event(camera_name, label):
             frame,
         )
     except Exception as e:
+        logger.error(e)
         return make_response(
-            jsonify({"success": False, "message": f"An unknown error occurred: {e}"}),
+            jsonify({"success": False, "message": "An unknown error occurred"}),
             500,
         )
 
@@ -1188,11 +1190,12 @@ def config_set():
             with open(config_file, "w") as f:
                 f.write(old_raw_config)
                 f.close()
+            logger.error(f"\nConfig Error:\n\n{str(traceback.format_exc())}")
             return make_response(
                 jsonify(
                     {
                         "success": False,
-                        "message": f"\nConfig Error:\n\n{str(traceback.format_exc())}",
+                        "message": "Error parsing config. Check logs for error message.",
                     }
                 ),
                 400,
@@ -1366,7 +1369,10 @@ def latest_frame(camera_name):
 @bp.route("/<camera_name>/recordings/<frame_time>/snapshot.png")
 def get_snapshot_from_recording(camera_name: str, frame_time: str):
     if camera_name not in current_app.frigate_config.cameras:
-        return "Camera named {} not found".format(camera_name), 404
+        return make_response(
+            jsonify({"success": False, "message": "Camera not found"}),
+            404,
+        )
 
     frame_time = float(frame_time)
     recording_query = (
@@ -1592,7 +1598,7 @@ def recording_clip(camera_name, start_ts, end_ts):
         if clip.end_time > end_ts:
             playlist_lines.append(f"outpoint {int(end_ts - clip.start_time)}")
 
-    file_name = f"clip_{camera_name}_{start_ts}-{end_ts}.mp4"
+    file_name = secure_filename(f"clip_{camera_name}_{start_ts}-{end_ts}.mp4")
     path = os.path.join(CACHE_DIR, file_name)
 
     if not os.path.exists(path):
@@ -1760,7 +1766,7 @@ def vod_event(id):
             404,
         )
 
-    clip_path = os.path.join(CLIPS_DIR, f"{event.camera}-{id}.mp4")
+    clip_path = os.path.join(CLIPS_DIR, f"{event.camera}-{event.id}.mp4")
 
     if not os.path.isfile(clip_path):
         end_ts = (
@@ -1979,7 +1985,8 @@ def logs(service: str):
         file.close()
         return contents, 200
     except FileNotFoundError as e:
+        logger.error(e)
         return make_response(
-            jsonify({"success": False, "message": f"Could not find log file: {e}"}),
+            jsonify({"success": False, "message": "Could not find log file"}),
             500,
         )