Skip to content

Hash emails#30

Merged
Vianpyro merged 15 commits intomainfrom
security/hash_email
Mar 28, 2025
Merged

Hash emails#30
Vianpyro merged 15 commits intomainfrom
security/hash_email

Conversation

@Vianpyro
Copy link
Member

@Vianpyro Vianpyro commented Mar 27, 2025

Brief Description of Changes

In case the Database gets breached let's try not to pwn our users

Vianpyro added 12 commits March 21, 2025 17:31
Add development container configuration with Dockerfile and VSCode se…
6ef7d41 
…ttings
Update Super Linter configuration to use latest version and exclude s…
1cc45c6 
…pecific files from validation
Update Super Linter workflow to trigger on pushes to the main branch
0067966
Add email encryption and hashing functions; update authentication routes
042f2bd
Restore login endpoint (oopsie)
1d19b9b
Add email masking functionality and update person routes to handle en…
5ca2680 
…crypted emails
Implement email masking in person routes by decrypting and masking em…
af42bc8 
…ail addresses
Fix typo in utility.py: correct function name from 'decrpyt_email' to…
b491b8c 
… 'decrypt_email'
Refactor AES_KEY initialization to use bytes.fromhex for better security
b2d7c43
Enhance error handling in app and improve email masking logic in pers…
3e92ea9 
…on routes
Improve error message extraction to handle SQL errors more gracefully
970c3ed
Add command-line argument for debug mode in Flask app
c430844
@Vianpyro Vianpyro self-assigned this Mar 27, 2025
github-advanced-security[bot]
github-advanced-security bot found potential problems Mar 27, 2025
View reviewed changes
app.py
message=str(e),
type=type(e).__name__,
url=request.url,
traceback=traceback.format_exc().splitlines(),

Check warning

Code scanning / CodeQL

Information exposure through an exception Medium

Stack trace information
Loading
flows to this location and may be exposed to an external user.

Copilot Autofix

AI 11 months ago

To fix the problem, we should avoid exposing the stack trace to the end user, even in debug mode. Instead, we can log the stack trace on the server side for debugging purposes and return a generic error message to the user. This way, developers can still access the stack trace for debugging, but it will not be exposed to potential attackers.

  • Modify the handle_exception function to log the stack trace using a logging library and return a generic error message to the user.
  • Add the necessary import for the logging library.
  • Ensure that the stack trace is logged only when the application is in debug mode.
Suggested changeset 1
app.py

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/app.py b/app.py
--- a/app.py
+++ b/app.py
@@ -2,2 +2,3 @@
 import traceback
+import logging
 
@@ -61,16 +62,7 @@
 def handle_exception(e):
-    # If the app is in debug mode, return the full traceback
+    # Log the full traceback if the app is in debug mode
     if app.debug:
-        return (
-            jsonify(
-                error="Internal Server Error",
-                message=str(e),
-                type=type(e).__name__,
-                url=request.url,
-                traceback=traceback.format_exc().splitlines(),
-            ),
-            500,
-        )
+        app.logger.error("Exception occurred", exc_info=True)
 
-    # Otherwise, return a more user-friendly error message
+    # Return a more user-friendly error message
     error_message = extract_error_message(str(e))
EOF
@@ -2,2 +2,3 @@
import traceback
import logging

@@ -61,16 +62,7 @@
def handle_exception(e):
# If the app is in debug mode, return the full traceback
# Log the full traceback if the app is in debug mode
if app.debug:
return (
jsonify(
error="Internal Server Error",
message=str(e),
type=type(e).__name__,
url=request.url,
traceback=traceback.format_exc().splitlines(),
),
500,
)
app.logger.error("Exception occurred", exc_info=True)

# Otherwise, return a more user-friendly error message
# Return a more user-friendly error message
error_message = extract_error_message(str(e))
Copilot is powered by AI and may make mistakes. Always verify output.
Copy link
Member Author

@Vianpyro Vianpyro Mar 28, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

TODO: Add logging in a future update

@Vianpyro Vianpyro merged commit d910cbd into main Mar 28, 2025
20 checks passed
@Vianpyro Vianpyro deleted the security/hash_email branch March 28, 2025 12:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@Vianpyro Vianpyro

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Vianpyro