[PR #19] [MERGED] Potential fix for code scanning alert no. 46: Information exposure through an exception #16

Closed
opened 2026-03-15 11:26:51 +03:00 by kerem · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/atiilla/GeoIntel/pull/19
Author: @atiilla
Created: 3/9/2026
Status: Merged
Merged: 3/9/2026
Merged by: @atiilla

Base: main ← Head: alert-autofix-46


📝 Commits (1)

  • 36de946 Potential fix for code scanning alert no. 46: Information exposure through an exception (https://github.com/atiilla/GeoIntel/commit/36de9467ee3d42857b71b3610ae67adeed8ebd75)

📊 Changes

1 file changed (+2 additions, -1 deletions)


📝 geointel/web_server.py (+2 -1)

📄 Description

Potential fix for https://github.com/atiilla/GeoIntel/security/code-scanning/46

In general, to fix information exposure via exceptions, log detailed exception messages and stack traces only on the server, and return generic, non-sensitive error messages to the client. Avoid including str(e) or other raw exception data in HTTP responses.

In this file, the problematic behavior is in the except GeoIntelError as e: block of the /api/analyze route (lines 176–180). The fix is to stop returning str(e) directly and instead (a) log e on the server and (b) send a generic, user-safe error message in the JSON response. The unexpected-exception handler directly below (lines 182–187) already follows this pattern and can serve as a template.

Concretely, in geointel/web_server.py, within the analyze_image function, adjust lines 176–180 so that:

  • We continue to log the error with logger.error(f"GeoIntel error: {e}") (or similar).
  • The JSON response uses a generic error string such as 'GeoIntel processing error' or similar, and does not interpolate e at all.
  • Optionally, we can still reflect some non-sensitive information (for example, a generic explanatory details string), but not the exception message itself.

No new imports or helper methods are strictly required; we can implement the fix with the existing logger and Flask jsonify.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

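The pattern the PR description lays out (log the full exception server-side, return a generic message to the client) is shown below as an added example. This is not GeoIntel's code or the merged diff: the GeoIntelError class, the run_analysis() failure, its message contents, and the modelling of the route as a plain function returning (status, body) so it runs without Flask are all assumptions made for illustration. It goes one step beyond the PR text by attaching an opaque error_id to both the log record and the response, so support staff can correlate a client report with the server log without the client ever seeing the exception text.

```python
"""Added example (not GeoIntel's code): a leaky handler next to a hardened one.

Hypothetical pieces: GeoIntelError stands in for the project's exception type,
and run_analysis() fails with a constructed message containing the kind of
internal detail (paths, upstream status, a credential) that must not leak.
"""
import logging
import uuid


class _ListHandler(logging.Handler):
    """Collects formatted log lines so the example can inspect what was logged."""

    def __init__(self):
        super().__init__()
        self.records = []

    def emit(self, record):
        self.records.append(self.format(record))


logger = logging.getLogger("geointel.web_server.example")
log_sink = _ListHandler()
logger.addHandler(log_sink)
logger.setLevel(logging.ERROR)
logger.propagate = False


class GeoIntelError(Exception):
    """Hypothetical stand-in for the project's domain exception."""


def run_analysis(image_name: str) -> dict:
    # Constructed failure: the message carries internals a client should never see.
    raise GeoIntelError(
        f"Provider request failed for /srv/geointel/uploads/{image_name}: "
        "401 Unauthorized (key sk-live-EXAMPLE rejected)"
    )


def analyze_image_leaky(image_name: str):
    """'Before' shape the alert flags: str(e) is interpolated into the response."""
    try:
        return 200, run_analysis(image_name)
    except GeoIntelError as e:
        logger.error("GeoIntel error: %s", e)
        return 500, {"error": str(e)}


def analyze_image_safe(image_name: str):
    """'After' shape: detail and traceback stay in the server log, keyed by an
    error id; the client gets a generic message plus that id for correlation."""
    try:
        return 200, run_analysis(image_name)
    except GeoIntelError as e:
        error_id = uuid.uuid4().hex
        # exc_info=True records the traceback in the log; nothing from e reaches the client.
        logger.error("GeoIntel error [%s]: %s", error_id, e, exc_info=True)
        return 500, {
            "error": "GeoIntel processing error",
            "details": "The image could not be analyzed. Retry or contact support.",
            "error_id": error_id,
        }


def response_leaks_internals(body: dict) -> bool:
    """Check: does any response field carry markers of internal state?"""
    markers = ("/srv/", "sk-live", "Unauthorized", "Traceback")
    return any(m in str(v) for v in body.values() for m in markers)


def logged_with_detail(error_id: str) -> bool:
    """Check: did the server log record both the error id and the full message?"""
    return any(error_id in line and "sk-live" in line for line in log_sink.records)


if __name__ == "__main__":
    print(analyze_image_leaky("photo.jpg"))
    print(analyze_image_safe("photo.jpg"))
    print(log_sink.records[-1])
```

In a Flask route the two branches wrap the view body the same way, with `return jsonify(body), status` in place of the tuple; the same handler can also be registered once for the whole app with `@app.errorhandler(GeoIntelError)` instead of being repeated per route. One caveat that the generic message does not cover: Flask's debug mode (`app.run(debug=True)`) renders an interactive traceback for any exception that escapes the handlers, so the fix only holds in production if debug is off.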
Reference
starred/GeoIntel#16