Fix critical security vulnerabilities #36
Open
abhipankhar08 wants to merge 1 commit into
- Replace hardcoded SECRET_KEY values with env-var lookup; fall back to a runtime-generated random key with a warning so sessions still work
- Move HF_TOKEN, WIGLE_API_NAME, WIGLE_API_TOKEN, AIS api_key, and SHODAN_API_KEY from hardcoded empty strings to os.environ.get()
- Remove two /api/wigle/token endpoints that returned base64-encoded WiGLE credentials to any unauthenticated caller
- Harden path-traversal check in get_geojson_data: replace the naive '..' string check with os.path.realpath() + prefix assertion
- Add MIME-type allowlist and 10 MB size cap to reverse-image upload
- Add URL scheme/netloc validation before fetching in aggressive scrape mode to prevent SSRF
- Strip API key from NewsAPI log line (was printed in full via params dict)
- Gate Flask debug mode behind FLASK_DEBUG env var (default off)
- Restrict SocketIO to same-origin by default via cors_allowed_origins
- Add .gitignore (excludes .env, uploads/, chroma db, __pycache__)
- Add .env.example template documenting all required env vars

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Summary

- SECRET_KEY in both app.py and app-exe.py — replaced with SECRET_KEY env var (falls back to a runtime-generated random key with a warning)
- /api/wigle/token endpoints that returned base64-encoded WiGLE credentials to any unauthenticated caller
- HF_TOKEN, WIGLE_API_NAME, WIGLE_API_TOKEN, AIS_API_KEY, SHODAN_API_KEY were all hardcoded empty strings that bypassed .env loading
- get_geojson_data — replaced naive '..' in filename check with os.path.realpath() + prefix assertion (blocks URL-encoded variants like %2F..%2F)
- jpeg/png/gif/webp) and 10 MB size cap
- urlparse scheme validation before fetching arbitrary URLs from search results
- print(params) was printing NEWS_API_KEY in plaintext to server logs
- debug=True was hardcoded; now gated behind FLASK_DEBUG=true env var
- CORS_ORIGINS env var
- .gitignore and .env.example template documenting all required env vars

Test plan

- SECRET_KEY=<val> python3 app.py
- /api/wigle/token returns 404
- GET /api/geojson/../../etc/passwd returns 400
- Content-Type: text/plain returns 400
- FLASK_DEBUG=false (default) — no interactive debugger exposed

🤖 Generated with Claude Code
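
The os.path.realpath() + prefix check named in the summary, as an added example that is not code from this pull request: it compares a literal '..' test, realpath() with a bare startswith() prefix test, and realpath() with os.path.commonpath() on a constructed directory layout. The function names, directory names and file names are assumptions made for the illustration.

```python
import os
import tempfile

def naive_check(filename):
    # Style of check the PR describes replacing: reject only a literal "..".
    return ".." not in filename

def startswith_check(base_dir, filename):
    # realpath() plus a bare string-prefix test (one possible "prefix assertion").
    base = os.path.realpath(base_dir)
    return os.path.realpath(os.path.join(base, filename)).startswith(base)

def resolve_inside(base_dir, filename):
    """Return the resolved path if it is strictly inside base_dir, else None."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, filename))
    try:
        # commonpath compares whole components, so "<base>_backup" fails.
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:  # mixed drives on Windows
        return None
    return candidate if inside and candidate != base else None

def demo():
    """Constructed layout: geojson/ (served), geojson_backup/ and outside.txt (not)."""
    root = os.path.realpath(tempfile.mkdtemp())
    base = os.path.join(root, "geojson")
    outside = os.path.join(root, "outside.txt")
    os.makedirs(base)
    os.makedirs(os.path.join(root, "geojson_backup"))
    for path in (os.path.join(base, "ports.geojson"), outside,
                 os.path.join(root, "geojson_backup", "old.geojson")):
        with open(path, "w") as fh:
            fh.write("{}")
    os.symlink(outside, os.path.join(base, "link.geojson"))  # no ".." in the name
    cases = {
        "plain": "ports.geojson",
        "dotdot": "../outside.txt",
        "symlink": "link.geojson",
        "absolute": outside,  # os.path.join() discards base for absolute input
        "sibling": "../geojson_backup/old.geojson",
    }
    return {label: (naive_check(name), startswith_check(base, name),
                    resolve_inside(base, name) is not None)
            for label, name in cases.items()}

if __name__ == "__main__":
    for label, verdicts in demo().items():
        print(f"{label:9} naive/startswith/commonpath accept: {verdicts}")
```

The symlink and absolute-path cases pass the '..' test but resolve outside the served directory, and the sibling-directory case passes a bare startswith() prefix test; only the component-wise comparison rejects all four.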