Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

page-intex #13

Merged
merged 8 commits into from
Jan 16, 2024
Merged

page-intex #13

Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
afa03f7
page index
heitorpolidoro Jan 16, 2024
b2ad53e
deepsource
heitorpolidoro Jan 16, 2024
aa4f75b
style: format code with Black and isort
deepsource-autofix[bot] Jan 16, 2024
6eded52
100%
heitorpolidoro Jan 16, 2024
87d2a70
style: format code with Black and isort
deepsource-autofix[bot] Jan 16, 2024
ac26510
100%
heitorpolidoro Jan 16, 2024
9b42eba
security
heitorpolidoro Jan 16, 2024
b2d730a
security 2
heitorpolidoro Jan 16, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
<div align="center">
<img src="img/bartholomew-logo.png" width="200" height="200">
<img src="static/bartholomew-logo.png" width="200" height="200">
</div>

# Bartholomew "The Butler" Smith
Expand Down
25 changes: 23 additions & 2 deletions src/app.py → app.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,8 +2,9 @@
import os
import sys

import markdown
import sentry_sdk
from flask import Flask
from flask import Flask, abort, render_template
from githubapp import webhook_handler
from githubapp.events import CheckSuiteRequestedEvent

Expand Down Expand Up @@ -36,7 +37,7 @@

app = Flask(__name__)
sentry_init()
webhook_handler.handle_with_flask(app)
webhook_handler.handle_with_flask(app, use_default_index=False)


@webhook_handler.webhook_handler(CheckSuiteRequestedEvent)
Expand All @@ -47,3 +48,23 @@
"""
repository = event.repository
handle_create_pull_request(repository, event.check_suite.head_branch)


@app.route("/", methods=["GET"])
def index():
"""Return the index homepage"""
return file("README.md")


@app.route("/<path:filename>", methods=["GET"])
def file(filename):
"""Convert a md file into HTML and return it"""
if not filename.endswith(".md"):
abort(404)
with open(filename) as f:

Check failure

Code scanning / SonarCloud

I/O function calls should not be vulnerable to path injection attacks High

Change this code to not construct the path from user-controlled data. See more on SonarCloud
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Micro-Learning Topic: Injection attack (Detected by phrase)

Matched on "injection attack"

Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. Source: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Try a challenge in Secure Code Warrior

Helpful references

md = f.read()
body = markdown.markdown(md)
title = "Bartholomew Smith"
if filename != "README.md":
title += f" - {filename.replace('-', ' ').replace('.md', '').title()}"
return render_template("index.html", title=title, body=body)
1 change: 1 addition & 0 deletions requirements.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,3 +2,4 @@ github-app-handler==0.15
sentry-sdk==1.39.2
flask==3.0.0
Polidoro-PyGithub==2.2.0
Markdown==3.5.2
0 img/bartholomew-logo.png → static/bartholomew-logo.png
View file
Open in desktop
File renamed without changes
Binary file added static/favicon.ico
View file
Open in desktop
Binary file not shown.
13 changes: 13 additions & 0 deletions templates/index.html
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
<!DOCTYPE html>
<link rel="shortcut icon" href="../static/favicon.ico" type="image/x-icon">
<link rel="icon" href="../static/favicon.ico" type="image/x-icon">

<html lang="en">
<head>
<meta charset="UTF-8">
<title>{{ title }}</title>
</head>
<body>
{{ body|safe }}
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There could be potential XSS (Cross-site scripting) security issues with using 'safe' filter, it allows rendering of HTML tags from user-input directly. Consider escaping the HTML content or using another way to prevent potential security risks.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Micro-Learning Topic: Cross-site scripting (Detected by phrase)

Matched on "Cross-site scripting"

What is this? (2min video)

Cross-site scripting vulnerabilities occur when unescaped input is rendered into a page displayed to the user. When HTML or script is included in the input, it will be processed by a user's browser as HTML or script and can alter the appearance of the page or execute malicious scripts in their user context.

Try a challenge in Secure Code Warrior

Helpful references

</body>
</html>
12 changes: 6 additions & 6 deletions tests/test_app.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,11 +1,11 @@
from unittest.mock import patch

from src.app import handle, sentry_init
from app import handle, sentry_init


def test_sentry_init(monkeypatch):
monkeypatch.setenv("SENTRY_DSN", "https://example.com")
with patch("src.app.sentry_sdk") as mock_sentry:
with patch("app.sentry_sdk") as mock_sentry:
sentry_init()
mock_sentry.init.assert_called_once_with(
dsn="https://example.com",
Expand All @@ -15,14 +15,14 @@ def test_sentry_init(monkeypatch):


def test_sentry_dont_init(monkeypatch):
with patch("src.app.sentry_sdk") as mock_sentry:
with patch("app.sentry_sdk") as mock_sentry:
sentry_init()
mock_sentry.init.assert_not_called()


def test_handle_check_suite_requested(event):
with patch("src.app.handle_create_pull_request") as mock_handle_create_pull_request:
def test_handle_check_suite_requested(event, repository):
with patch("app.handle_create_pull_request") as mock_handle_create_pull_request:
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It looks like the function signature for 'test_handle_check_suite_requested' has changed. Make sure the behavior of the test is still correct.

handle(event)
mock_handle_create_pull_request.assert_called_once_with(
event.repository, event.check_suite.head_branch
repository, event.check_suite.head_branch
)
4 changes: 2 additions & 2 deletions vercel.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,13 +1,13 @@
{
"version": 2,
"builds": [
{"src": "src/app.py",
{"src": "app.py",
"use": "@vercel/python"
}
],
"routes": [
{"src": "/.*",
"dest": "src/app.py"
"dest": "app.py"
}
]
}