Conversation
- Removed unused constants and routes from RouteConstants.js.
- Cleaned up Chatbot.js by removing commented code and unnecessary imports, and adjusted styles for better responsiveness.
- Simplified Home.js by removing unused components and state variables, and adjusted layout for improved user experience.
- Deleted NavbarChatbot.js and its associated styles as they were no longer needed.
- Removed Chatbot.css and NavbarChatbot.css stylesheets to streamline styling.
- Updated RequestConfig.js to improve error handling and code readability.
- Cleaned up index.css by removing unused animations and ensuring proper box-sizing.
- Deleted logo.svg as it was no longer in use.
- Removed GetWindowDimensions.js as it was redundant.
- Updated Pricing.js to improve state management and code clarity.
- Cleaned up DomainParsing.js by removing unused functions related to dashboard URLs.
- Deleted RobotHeader.js as it was no longer necessary.
- Updated tailwind.config.js to remove unused color definitions and streamline theme configuration.
- Removed vitest.config.js as testing setup was no longer required.
…nality and UI enhancements
…ser feedback; update UI for better key management experience
…deduction logic and enhance user feedback in the dashboard
…I Key Dashboard for improved navigation and UI consistency
…move unused code and enhance UI elements for better user experience
… user slice functionality
…les.js; refactor CheckLogin.js for cleaner imports
…c credits in userSlice on viewUser and refreshCredits actions
…n styling in LoginModal for better UX
…tion to handle credit deductions
…nt credit deduction from HomeChatbot; delete unused LandingPageChatbot.css
…ance sidebar functionality, and improve layout responsiveness
- Added a new FileUpload component for handling file uploads with drag-and-drop support.
- Integrated FileUpload into the Chatbot component to allow users to upload files for analysis.
- Enhanced MainNav and Sidebar components for better layout and responsiveness.
- Updated ChatHistory to display messages for uploaded files.
- Improved user experience by adding file validation and error handling in the FileUpload component.
- Refactored UserSlice to ensure proper encoding of user credentials during login.
… improve user experience in payment and subscription features. Added upgrade modal in Chatbot component and integrated credit checks. Cleaned up Pricing component and removed deprecated code.
…uest mode support
- Introduced structured error types for better error management.
- Added intelligent retry logic with exponential backoff and status-based retries.
- Enhanced logging capabilities for request tracking and debugging.
- Implemented guest mode support allowing unauthenticated requests with dedicated methods.
- Created convenience methods for guest and authenticated requests.
- Updated RequestConfig.js to support new features and improved error handling.
- Added tests for revamped fetcher functionality and guest mode integration.
… related test file
…le upload styles and improve sidebar responsiveness
…uto-clear messages after 5 seconds
…roved navigation experience
…nctionality
- Implemented Organizations component to display a list of organizations with search and filter capabilities.
- Created PersonChat component for individual AI assistant interactions based on public knowledge of notable figures.
- Developed PersonsDirectory component to showcase a directory of individuals with search and filter options.
- Updated MainNav to include navigation links for Organizations and Persons.
- Enhanced RouteConstants with new paths for organizations and persons.
- Refactored Sidebar and Chatbot components for improved styling and functionality.
- Introduced new color scheme in Tailwind configuration for better UI consistency.
…icated users and adjust layout spacing
Check failure
Code scanning / CodeQL
Clear-text logging of sensitive information High
Copilot Autofix
AI 5 months ago
To address this issue, we should prevent the clear-text logging of user emails in the handler. Specifically, in backend/api_endpoints/generate_api_key/handler.py, line 7 should be removed or modified so that the user's email is not present in log output.
The best way is to either:
- Remove the log message entirely (preferred in most cases).
- Or, replace it with a generic log message that does NOT include the user_email, e.g., "GenerateAPIKeyHandler called".
You only need to change the code in the handler where the sensitive data leaks to the logs. No imports or additional functions are needed.
| @@ -4,7 +4,7 @@ | ||
| from database.db_auth import user_has_credits | ||
|
|
||
| def GenerateAPIKeyHandler(request, user_email): | ||
| print(f"GenerateAPIKeyHandler called with user_email: {user_email}") | ||
| print("GenerateAPIKeyHandler called") | ||
|
|
||
| # Check if user has credits before generating API key | ||
| if not user_has_credits(user_email, min_credits=1): |
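Review bot: the replacement on the added line, `print("GenerateAPIKeyHandler called")`, drops every piece of correlating context, so the line is now noise rather than a trace. Either delete it or log a non-sensitive identifier (an opaque user id, or a keyed hash of the address) through a logger at DEBUG level instead of an unconditional print to stdout; `logging` is imported into this same file by a later hunk on this page, so the handler can use one logger consistently.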
| print(f"GenerateAPIKeyHandler called with user_email: {user_email}") | ||
|
|
||
| # Check if user has credits before generating API key | ||
| if not user_has_credits(user_email, min_credits=1): |
Check failure
Code scanning / CodeQL
Clear-text logging of sensitive information High
Copilot Autofix
AI 5 months ago
To fix this problem, remove the direct inclusion of user_email from any log messages in backend/api_endpoints/generate_api_key/handler.py, specifically from line 11. Instead, use a generic message that does not contain sensitive information. The log message can simply state that a user has insufficient credits to generate an API key, omitting the email address.
No functionality of the API or flow will change, only the logging message is sanitized.
No additional methods or imports are required, as we are only changing the print statements.
Only backend/api_endpoints/generate_api_key/handler.py needs to be edited: remove the user_email variable from the print statements on lines 7 and 11.
| @@ -4,11 +4,11 @@ | ||
| from database.db_auth import user_has_credits | ||
|
|
||
| def GenerateAPIKeyHandler(request, user_email): | ||
| print(f"GenerateAPIKeyHandler called with user_email: {user_email}") | ||
| print("GenerateAPIKeyHandler called") | ||
|
|
||
| # Check if user has credits before generating API key | ||
| if not user_has_credits(user_email, min_credits=1): | ||
| print(f"User {user_email} has insufficient credits to generate API key") | ||
| print("User has insufficient credits to generate API key") | ||
| return jsonify({"error": "Insufficient credits. You need at least 1 credit to generate an API key."}), 403 | ||
|
|
||
| data = request.get_json() if request.is_json else {} |
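Review bot: the context right after this hunk still has `print(f"Key name: {key_name}")`, and `key_name` comes straight from the request body via `data.get('name', 'Untitled Key')`, so a caller can embed newlines and forge extra log lines; validate the name (length, no control characters) or log `repr(key_name)`, or drop that print. The sanitized `print("User has insufficient credits to generate API key")` satisfies the alert, but a denied-action audit line should still carry a non-PII identifier so support can correlate it with the user.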
| key_name = data.get('name', 'Untitled Key') | ||
| print(f"Key name: {key_name}") | ||
| try: | ||
| result = generate_api_key(user_email, key_name) |
Check failure
Code scanning / CodeQL
Clear-text logging of sensitive information High
Copilot Autofix
AI 5 months ago
To fix this problem, we should avoid logging sensitive data such as API keys. In particular, we must ensure that the API key, present in the result dictionary, is never logged (even accidentally, via stringification of the entire dictionary). To maintain useful observability for debugging or audit purposes, we can still log non-sensitive details such as the fact that an API key has been generated, along with user- and metadata (such as key name and id), but we must NOT include the key itself in any log output.
Detailed fix:
- On line 19 of backend/api_endpoints/generate_api_key/handler.py, change the print statement to log only non-sensitive information (e.g., the new key's ID, name, and the user it was generated for).
- Do not log the entire `result` dictionary, since it contains the API key under the `key` field.
No new imports or functions are needed for this change.
| @@ -16,7 +16,7 @@ | ||
| print(f"Key name: {key_name}") | ||
| try: | ||
| result = generate_api_key(user_email, key_name) | ||
| print(f"Generated API key result: {result}") | ||
| print(f"Generated API key for user {user_email} with id: {result.get('id')}, name: {result.get('name')}") | ||
| return jsonify(result) | ||
| except Exception as e: | ||
| print(f"Error generating API key: {e}") |
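Review bot: the added line reintroduces the pattern the other alerts on this PR flag. `print(f"Generated API key for user {user_email} with id: {result.get('id')}, name: {result.get('name')}")` writes the e-mail address to the log in clear text, so CodeQL will raise a fresh clear-text-logging finding on it; log `result.get('id')` together with an opaque user id or a keyed hash of the address instead. Keeping the key out of the log is the right core change. Also check that this line does not end up duplicated once the `logging.exception` hunk for the same file is merged, since both autofixes were generated against the same base.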
| print(f"Generated API key result: {result}") | ||
| return jsonify(result) | ||
| except Exception as e: | ||
| print(f"Error generating API key: {e}") |
Check warning
Code scanning / CodeQL
Information exposure through an exception Medium
Copilot Autofix
AI 5 months ago
To fix the information exposure issue, we need to ensure that internal exception details are not revealed to the API client. Instead of including the exception's string representation in the JSON response, we should return a generic error message. The original exception (or its stack trace) should be logged server-side for debugging purposes, but not exposed to the user. To maintain debuggability, we can use the standard Python logging module to record error details.
The change will be made specifically to the except block of GenerateAPIKeyHandler in backend/api_endpoints/generate_api_key/handler.py:
- Add an import for `logging` at the top if it is not already present.
- In the `except` block, replace the current `print` and response with:
  - Log the exception using `logging.exception`, which includes the stack trace.
  - Return a sanitized and generic message such as "An internal server error occurred.".
No other changes or dependencies are needed.
| @@ -1,5 +1,6 @@ | ||
|
|
||
| from flask import jsonify | ||
| import logging | ||
| from database.db import generate_api_key | ||
| from database.db_auth import user_has_credits | ||
|
|
||
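Review bot: importing `logging` is fine, but use a module logger (`logger = logging.getLogger(__name__)`) rather than calling the root logger directly, so this handler's messages can be routed and filtered separately; the `print` calls that remain in this file should move to the same logger, otherwise tracebacks and debug output end up on different streams with different formats.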
| @@ -19,5 +20,5 @@ | ||
| print(f"Generated API key result: {result}") | ||
| return jsonify(result) | ||
| except Exception as e: | ||
| print(f"Error generating API key: {e}") | ||
| return jsonify({"error": str(e)}), 500 | ||
| logging.exception(f"Error generating API key for user {user_email}:") | ||
| return jsonify({"error": "An internal server error occurred."}), 500 |
|
|
||
|
|
||
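Review bot: the added `logging.exception(f"Error generating API key for user {user_email}:")` logs the e-mail address in clear text, the same issue the High alerts on this PR are about, and it will carry the full traceback alongside it. Pass a non-PII identifier, and pass it as a logging argument (`logging.exception("Error generating API key for user %s", user_id)`) rather than pre-formatting an f-string. Returning the generic `"An internal server error occurred."` body with 500 is the right change. The unchanged context line `print(f"Generated API key result: {result}")` still logs the key in this version; a separate autofix on this page removes it, so make sure the two apply cleanly together.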
| def CreateCheckoutSessionHandler(request, userEmail): | ||
| print(f"CreateCheckoutSessionHandler called with userEmail: {userEmail}") |
Check failure
Code scanning / CodeQL
Clear-text logging of sensitive information High
Copilot Autofix
AI 5 months ago
To address the issue of clear-text logging of sensitive user information, you should remove (or suitably redact) all debug or info statements that log the user's email address directly. In this specific case, the statement at line 14 of backend/api_endpoints/payments/handler.py logs the full email address for every session created. This should be eliminated or replaced with a non-sensitive, non-identifying message.
General Steps:
- Remove or redact any log/print statements that output the full contents of `userEmail`.
- If logging is needed for tracing or debugging, consider including less sensitive context, such as the presence of a user or the fact that the handler was called, without including the user's email. If unique identification in logs is necessary, consider hashing/redacting the email.
- Apply similar fixes to other locations that log full user email addresses, focusing on lines with `print(f"...{userEmail}...")` or similar outputs.
Specific Change:
- In backend/api_endpoints/payments/handler.py, remove or revise line 14 so that it does not output the email, but still allows for tracing calls to the handler in a generic manner.
No additional imports or helper methods are required to simply remove a print statement.
| @@ -11,7 +11,7 @@ | ||
|
|
||
|
|
||
| def CreateCheckoutSessionHandler(request, userEmail): | ||
| print(f"CreateCheckoutSessionHandler called with userEmail: {userEmail}") | ||
| print("CreateCheckoutSessionHandler called.") | ||
| user_id = user_id_for_email(userEmail) | ||
| print(f"User ID retrieved: {user_id}") | ||
|
|
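Review bot: the line immediately after the fix, `print(f"User ID retrieved: {user_id}")`, still prints a per-user identifier unconditionally for every checkout session; since the comment already recommends generic tracing, drop it or emit it at DEBUG level through a logger. The replacement `print("CreateCheckoutSessionHandler called.")` is harmless but adds nothing once request-level logging exists.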
| print("DEBUG: Not guest mode, extracting user email") | ||
| try: | ||
| user_email = extractUserEmailFromRequest(request) | ||
| print(f"DEBUG: Extracted user_email = {user_email}") |
Check failure
Code scanning / CodeQL
Clear-text logging of sensitive information High
Copilot Autofix
AI 5 months ago
To fix this problem, we should remove or redact any logging of sensitive information such as the user_email variable. In backend/app.py, line 855 currently prints the full email value. The best fix is to replace this with a more generic message that does not expose the email address, such as simply confirming that extraction succeeded ("DEBUG: user_email successfully extracted"). If retaining some form of log is critical for debugging, we can log only that the value exists, or (if it helps) log a truncated/redacted version (such as only the domain), but best is to avoid even that unless required.
Changes required:
- In backend/app.py, remove or redact the log on line 855 so that the email value is not directly logged. You can log that the extraction succeeded, but do not include the value itself.
No further edits, imports, or dependency changes are necessary.
| @@ -852,7 +852,7 @@ | ||
| print("DEBUG: Not guest mode, extracting user email") | ||
| try: | ||
| user_email = extractUserEmailFromRequest(request) | ||
| print(f"DEBUG: Extracted user_email = {user_email}") | ||
| print("DEBUG: user_email successfully extracted") | ||
| except InvalidTokenError: | ||
| print("DEBUG: Invalid token error") | ||
| return jsonify({"error": "Invalid JWT"}), 401 |
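Review bot: `print("DEBUG: user_email successfully extracted")` removes the address, but every `DEBUG:`-prefixed print in this block runs unconditionally in production; route them through `logger.debug` so they can be switched off per environment. Keep the 401 body exactly as generic as it is now (`{"error": "Invalid JWT"}`) and do not echo the token or the exception text into it.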
| new_credits = result["credits"] if result else 0 | ||
|
|
||
| conn.commit() | ||
| print(f"Deducted {credits_to_deduct} credits from user {user_email}. New balance: {new_credits}") |
Check failure
Code scanning / CodeQL
Clear-text logging of sensitive information High
Copilot Autofix
AI 5 months ago
The best way to fix this problem is to avoid logging sensitive data altogether. In this instance, user emails are sensitive and should not be printed to logs. If logging is needed for operational reasons, the log can be modified to avoid including user-identifying information (like email addresses). For the given function, simply omitting the email from the log message provides sufficient logging for auditing the credit deduction event, without exposing PII. Optionally, if high-granularity logs are truly required (e.g., for troubleshooting specific support incidents), logs should be controlled by a debug flag/environment check and the output should be sanitized or hashed.
Required changes:
- In backend/database/db.py, in the `deduct_credits_from_user` function, replace the current print statement on line 656 with one that omits or redacts the `user_email`.
- No new imports or methods are required.
| @@ -653,7 +653,7 @@ | ||
| new_credits = result["credits"] if result else 0 | ||
|
|
||
| conn.commit() | ||
| print(f"Deducted {credits_to_deduct} credits from user {user_email}. New balance: {new_credits}") | ||
| print(f"Deducted {credits_to_deduct} credits from user. New balance: {new_credits}") | ||
| return True | ||
| finally: | ||
| conn.close() |
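Review bot: the new `print(f"Deducted {credits_to_deduct} credits from user. New balance: {new_credits}")` turns an accounting event into an unattributable line; log the user's numeric id (the `users.id` this module already looks up by email elsewhere on this page) instead of the address so the deduction can still be audited. Separately, the context shows `new_credits = result["credits"] if result else 0` followed by `conn.commit()` and `return True`: when `result` is empty the function still commits and reports success, so a caller cannot tell a real deduction from a missing row. Treat a falsy `result` as a failure (roll back and return False) rather than a zero balance.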
| conn.close() | ||
|
|
||
| def generate_api_key(email, key_name=None): | ||
| print(f"generate_api_key called with email: {email}, key_name: {key_name}") |
Check failure
Code scanning / CodeQL
Clear-text logging of sensitive information High
Copilot Autofix
AI 5 months ago
To fix the problem, we need to remove or redact the logging of sensitive information such as user's email addresses in print statements. Specifically:
- In backend/database/db.py, inside the `generate_api_key` function:
  - Remove the line printing `email` and `key_name`.
  - Review any similar log statements involving user emails or sensitive values and redact or remove where possible.
  - If logs must stay for operational reasons, mask part of the email (e.g., 'j***@gmail.com' instead of full).
  - For consistency and thoroughness, review nearby code—log lines such as the one in `deduct_credits_from_user` should also be considered, but our alert applies specifically to `generate_api_key`.
No additional imports or method changes are necessary unless redaction (email masking) is required, in which case a small helper can be introduced. However, the best fix is simply to avoid logging the sensitive information at all.
| @@ -659,7 +659,7 @@ | ||
| conn.close() | ||
|
|
||
| def generate_api_key(email, key_name=None): | ||
| print(f"generate_api_key called with email: {email}, key_name: {key_name}") | ||
| print(f"generate_api_key called with key_name: {key_name}") | ||
| conn, cursor = get_db_connection() | ||
| api_key = secrets.token_hex(16) | ||
|
|
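Review bot: `print(f"generate_api_key called with key_name: {key_name}")` still logs a caller-supplied string; `key_name` originates in the request body in the handler shown earlier on this page, so strip control characters or log `repr(key_name)`, or drop the line. `secrets.token_hex(16)` gives a 128-bit key from a CSPRNG, which is fine. The hunk does not show how the key is persisted; if the clear value is written to the database, store a SHA-256 of it and return the clear value only once in the response, since the log is then the smaller of the two exposures.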
| conn, cursor = get_db_connection() | ||
| api_key = secrets.token_hex(16) | ||
|
|
||
| print(f"Executing query: SELECT id from users WHERE email = '{email}'") |
Check failure
Code scanning / CodeQL
Clear-text logging of sensitive information High
Copilot Autofix
AI 5 months ago
To fix this problem, prevent logging the user's email address in cleartext at line 666 of backend/database/db.py. Instead, either log a generic query message without any user PII or, if necessary for debugging, redact or mask the email (e.g., by logging only part of it or using a hash, although even this should be considered carefully). For this case, since the query content is not uniquely useful for debug purposes (and the actual parameters are shown elsewhere if needed), the simplest and best fix is to remove or revise the log message so the email is not displayed.
Locate the line in generate_api_key function:
666: print(f"Executing query: SELECT id from users WHERE email = '{email}'")
Change it to either remove the log altogether, or replace it with a non-sensitive generic message such as:
666: print("Executing query to fetch user id for API key generation.")
No new imports or definitions are needed.
| @@ -663,7 +663,7 @@ | ||
| conn, cursor = get_db_connection() | ||
| api_key = secrets.token_hex(16) | ||
|
|
||
| print(f"Executing query: SELECT id from users WHERE email = '{email}'") | ||
| print("Executing query to fetch user id for API key generation.") | ||
| cursor.execute('SELECT id from users WHERE email = %s', [email]) | ||
| userId = cursor.fetchone() | ||
| print(f"Query result: {userId}") |
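Review bot: the context line `print(f"Query result: {userId}")` still logs the fetched user row right after the fix; drop it or move it to DEBUG level. The replacement message is the right direction, and the executed statement `cursor.execute('SELECT id from users WHERE email = %s', [email])` is parameterized, so the removed f-string only described the query and was misleading as well as leaky; it was never the statement that ran.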
| "last_used": None, | ||
| "name": key_name | ||
| } | ||
| print(f"Returning result: {result}") |
Check failure
Code scanning / CodeQL
Clear-text logging of sensitive information High
Copilot Autofix
AI 5 months ago
The fix is to remove the sensitive information from all log statements. Specifically, on line 697, do not log the complete result dictionary since it contains the clear-text API key in the key field, which is sensitive. If logging is needed for debugging or tracking, log only non-sensitive fields (such as id, created, or name), but never include or log the API key. The change is restricted to the shown region in backend/database/db.py, line 697.
No extra imports or method definitions are required. Replace or remove the offending log statement; if you want to retain traceability for debugging purposes, print only the non-sensitive fields.
| @@ -694,7 +694,8 @@ | ||
| "last_used": None, | ||
| "name": key_name | ||
| } | ||
| print(f"Returning result: {result}") | ||
| # Avoid logging sensitive API key information | ||
| print(f"API key created with id: {keyId}, name: {key_name}, created: {time}") | ||
| return result | ||
|
|
||
| def delete_api_key(api_key_id): |
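Review bot: the added `print(f"API key created with id: {keyId}, name: {key_name}, created: {time}")` references `time`, which is not assigned anywhere in the visible context; if that resolves to the `time` module rather than a timestamp variable, the line prints the module repr instead of a creation time. Confirm the variable, and sanitize `key_name` (caller-supplied) before logging it. Dropping `result` from the log is the right change, since `result` carries the clear-text key under `key`.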
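The autofix comments above suggest three things without showing them together: mask or hash the e-mail if a log line needs a user handle, log only non-sensitive key metadata, and return a generic 500 while keeping the real traceback server-side. The following is an added Python example written for this page, not code from the repository: `generate_api_key` here is a stub standing in for the project's database call, and `PSEUDONYM_KEY`, `RedactingFilter`, `render` and `generate_api_key_handler` are assumed names. The handler is framework-agnostic (it returns a body and status instead of calling Flask's `jsonify`) so it runs offline.

```python
"""Redacting log filter and generic error responses for an API-key handler."""
import hashlib
import hmac
import logging
import re
import secrets

# Assumption: a per-deployment secret used to pseudonymise e-mail addresses.
# Hard-coded only so the example runs offline; load it from the environment
# or a secrets manager in a real service.
PSEUDONYM_KEY = b"replace-me-with-a-deployment-secret"

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# 32 lower-case hex characters, the shape secrets.token_hex(16) produces.
HEX_KEY_RE = re.compile(r"\b[0-9a-f]{32}\b")


def mask_email(email: str) -> str:
    """'jane.doe@example.com' -> 'j***@example.com' for human-readable logs."""
    local, _, domain = email.partition("@")
    if not domain:
        return "***"
    return f"{local[:1]}***@{domain}"


def email_fingerprint(email: str) -> str:
    """Stable keyed pseudonym (truncated HMAC-SHA256) so one user's log lines
    can be correlated without the address being recoverable from the log.
    A plain hash would not do: the space of likely addresses is small enough
    to brute-force."""
    mac = hmac.new(PSEUDONYM_KEY, email.strip().lower().encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


def redact(text: str) -> str:
    """Scrub API keys and e-mail addresses from free text."""
    text = HEX_KEY_RE.sub("[REDACTED-KEY]", text)
    return EMAIL_RE.sub(lambda m: mask_email(m.group(0)), text)


class RedactingFilter(logging.Filter):
    """Last line of defence: scrubs values that still reach a log record,
    e.g. through a stringified dict or an exception message."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())  # applies %-args first
        record.args = ()
        if record.exc_info:
            # Handlers format the traceback separately; pre-render it so the
            # exception text (often a DB error quoting the e-mail) is scrubbed too.
            record.exc_text = redact(logging.Formatter().formatException(record.exc_info))
        return True


def render(fmt: str, *args) -> str:
    """Format one log call through the filter, as a handler would see it."""
    record = logging.LogRecord("api_keys", logging.INFO, "example", 0, fmt, args, None)
    RedactingFilter().filter(record)
    return record.getMessage()


log = logging.getLogger("api_keys")
log.addFilter(RedactingFilter())


def generate_api_key(email: str, key_name: str) -> dict:
    """Stand-in for the project's database call (assumption, not its code):
    returns the clear-text key once, alongside non-secret metadata."""
    return {"id": 42, "key": secrets.token_hex(16), "name": key_name}


def generate_api_key_handler(user_email: str, payload: dict, create=generate_api_key) -> tuple:
    """Framework-agnostic handler body: returns (json_body, http_status)."""
    key_name = str(payload.get("name", "Untitled Key"))
    # The name is caller-controlled; reject control characters so it cannot
    # forge extra log lines (log injection) when it is written to the log.
    if len(key_name) > 64 or any(ch in key_name for ch in "\r\n\t"):
        return {"error": "Invalid key name."}, 400
    try:
        result = create(user_email, key_name)
    except Exception:
        # Full traceback stays server-side; the client gets a generic message.
        log.exception("API key generation failed for user %s", email_fingerprint(user_email))
        return {"error": "An internal server error occurred."}, 500
    # Correlation data only: key id, pseudonymous user, quoted name. Never the key.
    log.info("API key %s created for user %s (name=%r)",
             result["id"], email_fingerprint(user_email), key_name)
    return result, 200
```

The filter is deliberately a backstop rather than the primary control: the handler already avoids putting the address or the key into a message, and the filter catches the cases the alerts above were about (a whole `result` dict or an exception string landing in a log). Passing `%s` arguments instead of an f-string matters for the same reason, because the filter can only scrub what the record still carries as data.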