fix: CWE-116 and CWE-79

ialejandro · ialejandro · commit ebc8d5003825 · 2024-08-15T23:02:56.000+02:00
closes #15
diff --git a/Dockerfile b/Dockerfile
@@ -1,18 +1,15 @@
-FROM python:3.12.4-slim
+ARG PYTHON_VERSION=3.12.4-slim
+
+FROM python:${PYTHON_VERSION}
 
-# LABELS
 LABEL maintainer="Iván Alejandro Marugán <hello@ialejandro.rocks>" \
-      description="Bitbucket Bot for Google Chat"                  \
-      version="1.0.0"
+      description="Bitbucket Bot for Google Chat"
 
-# APPLICATION
 COPY app /app
 COPY requirements.txt /requirements.txt
 
-# INSTALL REQUIREMENTS
 RUN pip install -r /requirements.txt
 
 WORKDIR /app
 
-# RUN APP
 ENTRYPOINT ["gunicorn", "run:app"]
diff --git a/app/app.py b/app/app.py
@@ -1,6 +1,8 @@
+import html
 import json
 import os
 import requests
+
 from flask import Flask, request
 
 
@@ -188,12 +190,12 @@ def main():
     token = os.environ.get('TOKEN')
 
     if request.args['token']!= token:
-        exit(1)
+        return "Invalid token", 403
 
     event = request.get_json()
 
     if not event:
-        return "event empty"
+        return "event empty", 400
 
     message = Message(url, event)
     if (event['eventKey'] == 'pr:opened' or event['eventKey'] == 'pr:merged' or event['eventKey'] == 'pr:declined'):
@@ -208,6 +210,10 @@ def main():
         comment = message.pr_approved(event)
         r = message.send_message(comment)
 
+    # Mitigate XSS
+    if isinstance(r, str):
+        r = html.escape(r)
+
     return r
 
 
diff --git a/package.json b/package.json
@@ -0,0 +1,14 @@
+{
+  "name": "bitbucket-bot",
+  "version": "v1.0.0",
+  "release": {
+    "branches": [
+      "main"
+    ],
+    "repositoryUrl": "https://github.com/devops-ia/bitbucket-bot.git",
+    "plugins": [
+      "@semantic-release/release-notes-generator",
+      "@semantic-release/github"
+    ]
+  }
+}
