Conversation
✨ STRIDE Category Validation:
- Add stride_validator.py with normalize_stride_category function
- Implement STRIDE validation in API endpoints (manual + AI threats)
- Add validation in CRUD operations for threat updates
- Ensure data consistency across all threat creation/update paths

🐛 API Cleanup:
- Remove duplicate imports in api.py
- Fix indentation issues
- Remove obsolete commented code
- Organize imports by category (stdlib, third-party, local)

🗂️ File Management Improvements:
- Implement UUID-based filenames for uploaded diagrams
- Add file extension validation for security
- Return both base64 and saved filename from save_image()
- Prevent filename collisions and security issues

🐳 Docker Persistence:
- Add diagrams_data volume for persistent diagram storage
- Configure nginx to serve diagrams directly from volume
- Fix diagram loss on container restart/rebuild
- Remove obsolete docker-compose version attribute

🎨 Frontend Enhancements:
- Implement compact STRIDE dropdown (shows first letter only)
- Add ResidualRiskSelector pattern for better UX
- Maintain consistent STRIDE categories between frontend/backend

🛡️ Security & Consistency:
- All STRIDE categories normalized to standard format
- Case-insensitive validation with fallback to 'Spoofing'
- File type validation prevents malicious uploads
- Centralized validation logic in stride_validator module
…to.py
- Updated MASVS controls from 8 to 35 total controls
- Changed MASVS format from MSTG-AUTH-1 to AUTH-1
- Updated STRIDE examples to use new MASVS format
- Updated total controls count from 308 to 335
- Fixed test expectations for coverage calculations
- Updated tag normalization and validation tests
- Removed unused __init___auto.py file
- 104 tests now passing (improved from 89)
- Fixed API endpoint parameter conflicts in crud.get_all_threats()
- Updated schemas.py with proper InformationSystem models
- Enhanced control tags system with better search functionality
- Added comprehensive Reports and ReportsFilters components
- Implemented RiskFilter component for threat filtering
- Improved localization support for reports interface
- Cleaned up test files and enhanced test coverage
- Fixed STRIDE categorization and control tag suggestions
- Updated service layer for better API integration
- Resolved Docker build and CORS configuration issues
- Extract standard name from search result format 'A.9.4.1 (ISO27001)'
- Use extracted standard_part instead of non-existent field in ALL_CONTROLS
- Now detailed_results properly includes tag, title, description, category, and standard fields
- Resolves empty detailed_results issue for control tags tooltips in frontend
- Update control_tags.py with improved search functionality
- Enhance ASVS standard definitions and controls structure
- Improve AI integration in tzu_ai.py for better threat analysis
- Add supporting scripts for field extraction fixes
- System status updates and maintenance improvements
- Fixed Chakra UI version compatibility issues by reverting to stable versions
- Added TextEncoder/TextDecoder polyfill for jsPDF compatibility in tests
- Fixed App.test.js to search for correct text ('TZU Login' instead of 'TZU Security')
- Added setupTests.js with proper polyfills for Node.js environment
- Created diagrams/.gitkeep to ensure directory exists
- Updated frontend dependencies and resolved npm package conflicts
- All frontend tests now passing (8 test suites, 79 tests)
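The first commit message above describes a stride_validator module with a normalize_stride_category function (case-insensitive, falling back to 'Spoofing') and UUID-based filenames with extension validation for uploaded diagrams. The block below is an added example of those two checks, written for this page; it is not the project's stride_validator.py or save_image() code. The category spellings accepted, the allowed-extension set and the function names safe_diagram_filename and _build_lookup are assumptions made for the example.

```python
import os
import uuid

# The six standard STRIDE categories in canonical spelling.
STRIDE_CATEGORIES = (
    "Spoofing",
    "Tampering",
    "Repudiation",
    "Information Disclosure",
    "Denial of Service",
    "Elevation of Privilege",
)
DEFAULT_CATEGORY = "Spoofing"  # fallback named in the commit message


def _build_lookup():
    """Map accepted input spellings (lower-cased) to the canonical category.

    Accepts the full name, the name with spaces removed or replaced by '_',
    and the single first letter that the compact frontend dropdown shows.
    """
    table = {}
    for name in STRIDE_CATEGORIES:
        low = name.lower()
        table[low] = name
        table[low.replace(" ", "")] = name
        table[low.replace(" ", "_")] = name
        table[low[0]] = name  # S, T, R, I, D, E are all distinct
    return table


_LOOKUP = _build_lookup()


def normalize_stride_category(value, default=DEFAULT_CATEGORY):
    """Return the canonical STRIDE category for a user- or AI-supplied value.

    Unknown or non-string input falls back to `default` so that every threat
    stored through the API or CRUD layer carries a valid category.
    """
    if not isinstance(value, str):
        return default
    return _LOOKUP.get(value.strip().lower(), default)


# Allowlist for uploaded diagram images (assumed for the example).
# SVG is left out on purpose: it can carry embedded script.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg"}


def safe_diagram_filename(original_name):
    """Derive a server-chosen filename for an uploaded diagram.

    Only the extension of the client-supplied name is kept, and only if it is
    in the allowlist; the basename itself is replaced by a random UUID so that
    path separators, '..' segments and colliding names from clients never
    reach the filesystem.
    """
    # Normalise Windows separators, then keep the last path component only.
    base = os.path.basename(original_name.replace("\\", "/"))
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"unsupported file extension: {ext or '(none)'}")
    return f"{uuid.uuid4().hex}{ext}"


if __name__ == "__main__":
    for raw in ("spoofing", " INFORMATION disclosure ", "D", "elevation_of_privilege", "bogus"):
        print(repr(raw), "->", normalize_stride_category(raw))
    print(safe_diagram_filename("../../etc/passwd.PNG"))
```

The validator is the single place both the API endpoints and the CRUD update path call, which is what keeps the frontend and backend category sets consistent; the filename helper deliberately returns a new UUID on every call, so the caller must store the returned name (the commit's save_image() returns it alongside the base64 payload) rather than recomputing it.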
Comment on lines +559 to +562:

    return {
        "message": f"Error during processing: {str(e)}",
        "success": False
    }
Check warning: Code scanning / CodeQL: Information exposure through an exception (Medium)

Copilot Autofix (AI), 8 months ago
To address the issue and avoid information exposure via error messages, the generic error message "An error occurred during processing." should be returned to the API user, while the real exception message and its traceback should be logged internally. This preserves user privacy and prevents attackers from gaining insights into the system's internals. The fix is to update the except block:
- Replace the dynamic error message with a static, user-safe message.
- Log the exception (and, if possible, its traceback) on the server side for later analysis by developers.
- To implement logging, import the standard logging module.

All required changes can be made directly within api/api.py, inside the except block of the evaluate_system_diagram endpoint. We'll also add a relevant import if not present.
Suggested changeset (1 file): api/api.py
@@ -11,11 +11,17 @@
- Report Generation
"""

# Setup logging if not already configured elsewhere.
import logging
logging.basicConfig(level=logging.INFO)

import os
import json
from uuid import UUID
from datetime import datetime, timedelta
from typing import List, Optional, Dict, Any
import logging
import traceback

# Third-party imports
from fastapi import FastAPI, HTTPException, Depends, UploadFile, Body, status, Path, Query
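Review bot: this hunk adds `import logging` twice, once beside `logging.basicConfig(level=logging.INFO)` right after the module docstring and again inside the stdlib import block; keep the single copy in the import block, which is also where the PR's "organize imports by category" cleanup expects it. The `logging.basicConfig(...)` call itself does not belong at import time in `api/api.py`: it configures the root logger for every process that imports the module and is silently a no-op when the application or uvicorn has already configured logging, so move it to the application startup code (or drop it and rely on the server's logging configuration). `import traceback` is only needed if the handler keeps calling `traceback.format_exc()`; see the note on the next hunk.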
@@ -556,8 +557,9 @@
}

except Exception as e:
    logging.error("Error during system diagram evaluation: %s\n%s", str(e), traceback.format_exc())
    return {
        "message": f"Error during processing: {str(e)}",
        "message": "An error occurred during processing.",
        "success": False
    }
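Review bot: the `logging.error(..., traceback.format_exc())` line can be simplified to `logging.exception("Error during system diagram evaluation")`, which attaches the exception message and traceback through `exc_info` without the `traceback` import and without string-formatting the traceback by hand. The handler still answers a failed evaluation with a 200 response body carrying `"success": False`; since `HTTPException` and `status` are already imported from fastapi in this file, raising `HTTPException(status_code=status.HTTP_500_INTERNAL_SERVER_ERROR, detail="An error occurred during processing.")` after logging would give clients and monitoring a real error status while keeping the generic message the autofix introduces.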
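To show the information-exposure finding and its fix side by side, here is an added example that is not part of the PR or of api/api.py: a leaky handler that mirrors the flagged `except` block, and a hardened one that logs the exception with its traceback server-side (via `logger.exception`, which replaces the suggestion's `traceback.format_exc()`) and returns only the generic message. FastAPI is not used so the block runs offline; the `_evaluate` stand-in, the internal path it names and the in-memory `_ListHandler` are constructed for the example.

```python
import logging

logger = logging.getLogger("tzu.api.diagram")


class _ListHandler(logging.Handler):
    """Keeps formatted log records in memory so the example can inspect them (constructed)."""

    def __init__(self):
        super().__init__()
        self.records = []

    def emit(self, record):
        # Handler.format() appends the traceback when record.exc_info is set.
        self.records.append(self.format(record))


captured = _ListHandler()
logger.addHandler(captured)
logger.setLevel(logging.DEBUG)
logger.propagate = False  # keep the example's records out of the root logger


def _evaluate(diagram):
    """Stand-in for the real evaluation step (constructed).

    On failure it raises with an internal detail in the message, the kind of
    string that must never be echoed back to the API client.
    """
    path = f"/var/lib/tzu/diagrams/{diagram['file']}"  # constructed internal path
    if not diagram.get("readable", False):
        raise OSError(f"cannot read {path}: permission denied")
    return {"threats": len(diagram.get("nodes", []))}


def evaluate_system_diagram_leaky(diagram):
    """Before: the exception text (internal paths, library errors) reaches the client."""
    try:
        return {"message": "ok", "success": True, "result": _evaluate(diagram)}
    except Exception as e:
        return {"message": f"Error during processing: {str(e)}", "success": False}


def evaluate_system_diagram(diagram):
    """After: full detail goes to the server log, the client gets a fixed message."""
    try:
        return {"message": "ok", "success": True, "result": _evaluate(diagram)}
    except Exception:
        # exc_info is attached automatically; no traceback.format_exc() needed.
        logger.exception("Error during system diagram evaluation")
        return {"message": "An error occurred during processing.", "success": False}


if __name__ == "__main__":
    bad = {"file": "d1.png", "readable": False}
    print("leaky   :", evaluate_system_diagram_leaky(bad)["message"])
    print("hardened:", evaluate_system_diagram(bad)["message"])
    print("logged  :", captured.records[-1].splitlines()[0])
```

In a real FastAPI endpoint the hardened branch would raise `HTTPException(status_code=500, detail="An error occurred during processing.")` after the `logger.exception` call instead of returning a 200 body, so that the failure is visible in access logs and metrics; the logged record is what developers use to diagnose the fault.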
No description provided.