fix: CWE-116 and CWE-79

closes #15

Author: ialejandro

.github/workflows/release.yaml

@@ -42,6 +42,6 @@ jobs:
         with:
           dry_run: false
           branch: main
-          tag_format: ${version}
+          tag_format: v${version}
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Dockerfile

@@ -1,18 +1,15 @@
-FROM python:3.12.4-slim
+ARG PYTHON_VERSION=3.12.4-slim
+
+FROM python:${PYTHON_VERSION}
 
-# LABELS
 LABEL maintainer="Iván Alejandro Marugán <hello@ialejandro.rocks>" \
-      description="Bitbucket Bot for Google Chat"                  \
-      version="1.0.0"
+      description="Bitbucket Bot for Google Chat"
 
-# APPLICATION
 COPY app /app
 COPY requirements.txt /requirements.txt
 
-# INSTALL REQUIREMENTS
 RUN pip install -r /requirements.txt
 
 WORKDIR /app
 
-# RUN APP
 ENTRYPOINT ["gunicorn", "run:app"]

app/app.py

@@ -1,6 +1,8 @@
+import html
 import json
 import os
 import requests
+
 from flask import Flask, request
 
 
@@ -188,12 +190,12 @@ def main():
     token = os.environ.get('TOKEN')
 
     if request.args['token']!= token:
-        exit(1)
+        return "Invalid token", 403
 
     event = request.get_json()
 
     if not event:
-        return "event empty"
+        return "event empty", 400
 
     message = Message(url, event)
     if (event['eventKey'] == 'pr:opened' or event['eventKey'] == 'pr:merged' or event['eventKey'] == 'pr:declined'):
@@ -208,7 +210,8 @@ def main():
         comment = message.pr_approved(event)
         r = message.send_message(comment)
 
-    return r
+    # Mitigate XSS
+    return html.escape(r)
 
 
 if __name__ == "__main__":

package.json

@@ -0,0 +1,14 @@
+{
+  "name": "bitbucket-bot",
+  "version": "v1.0.0",
+  "release": {
+    "branches": [
+      "main"
+    ],
+    "repositoryUrl": "https://github.com/devops-ia/bitbucket-bot.git",
+    "plugins": [
+      "@semantic-release/release-notes-generator",
+      "@semantic-release/github"
+    ]
+  }
+}