

Commit d07881b

committed
apply a little bit of secure coding practices to the API
1 parent 4d95573 commit d07881b

1 file changed

Lines changed: 9 additions & 5 deletions

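--- a/lib/utils/api.py
+++ b/lib/utils/api.py
@@ -122,7 +122,7 @@ def init_options():
     return options
 
 @hook("after_request")
-def security_headers():
+def security_headers(json_header=True):
     """
     Set some headers across all HTTP responses
     """
@@ -133,26 +133,31 @@ def security_headers():
     response.headers["Pragma"] = "no-cache"
     response.headers["Cache-Control"] = "no-cache"
     response.headers["Expires"] = "0"
-    response.content_type = "application/json; charset=UTF-8"
+    if json_header:
+        response.content_type = "application/json; charset=UTF-8"
 
 ##############################
 # HTTP Status Code functions #
 ##############################
 
 @error(401) # Access Denied
 def error401(error=None):
+    security_headers(False)
     return "Access denied"
 
 @error(404) # Not Found
 def error404(error=None):
+    security_headers(False)
     return "Nothing here"
 
 @error(405) # Method Not Allowed (e.g. when requesting a POST method via GET)
 def error405(error=None):
+    security_headers(False)
     return "Method not allowed"
 
 @error(500) # Internal Server Error
 def error500(error=None):
+    security_headers(False)
     return "Internal server error"
 
 #############################
@@ -390,15 +395,14 @@ def scan_log_limited(taskid, start, end):
     if taskid not in tasks:
         abort(500, "Invalid task ID")
 
-    # Temporary "protection" against SQL injection FTW ;)
-    if not start.isdigit() or not end.isdigit() or end <= start:
+    if not start.isdigit() or not end.isdigit() or end < start:
         abort(500, "Invalid start or end value, must be digits")
 
     start = max(1, int(start))
     end = max(1, int(end))
 
     # Read a subset of log messages from the temporary I/O database
-    procs[taskid].ipc_database_cursor.execute("SELECT id, time, level, message FROM logs WHERE id >= %d AND id <= %d" % (start, end))
+    procs[taskid].ipc_database_cursor.execute("SELECT id, time, level, message FROM logs WHERE id >= ? AND id <= ?", (start, end))
     db_log_messages = procs[taskid].ipc_database_cursor.fetchall()
 
     for (id_, time_, level, message) in db_log_messages: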
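Review bot: The new range check `if not start.isdigit() or not end.isdigit() or end < start:` still compares the two request values as strings, so the test is lexicographic rather than numeric: `start="9", end="10"` is rejected although the range is valid, while `start="10", end="9"` passes the check and reaches the query with an empty range. Converting first, `if not start.isdigit() or not end.isdigit() or int(end) < int(start):`, gives the check the meaning the error message promises; the parameterized `execute(..., (start, end))` below is the right replacement for the old `%d` formatting and needs no change. In the error-handler hunk, whether `security_headers(False)` is the last call to touch `response.content_type` depends on the framework's ordering of the `after_request` hook relative to error handlers, which is not visible here and deserves a one-line comment at the first handler. `scan_log_limited` continues past the end of this hunk.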
