From 08d1ca14c214ac8a769d90627c13ff50bc34e451 Mon Sep 17 00:00:00 2001 From: Philipp Homberger Date: Fri, 24 Nov 2023 08:44:05 +0100 Subject: [PATCH 1/4] Update echo_flask_app.py Snyk Finding in example: https://app.snyk.io/org/xx-sit-odj-groot-exchange/project/911794d4-6ab3-42b2-89ea-ad7fd97d397c#issue-9c206229-8391-4e75-a07a-b2071d5d5deb --- contrib/examples/sensors/echo_flask_app.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/contrib/examples/sensors/echo_flask_app.py b/contrib/examples/sensors/echo_flask_app.py index 9cad9196af..0b0360e102 100644 --- a/contrib/examples/sensors/echo_flask_app.py +++ b/contrib/examples/sensors/echo_flask_app.py @@ -13,7 +13,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -from flask import request, Flask +from flask import request, jsonify, Flask from st2reactor.sensor.base import Sensor @@ -41,7 +41,7 @@ def echo(): self._sensor_service.dispatch( trigger="examples.echoflasksensor", payload=payload ) - return request.data + return jsonify(request.get_json(force=True), status=200, mimetype='application/json') self._log.info( "Listening for payload on http://{}:{}{}".format( From 3e88a62862eb1002a5e8a8d5e680fea637dfdf47 Mon Sep 17 00:00:00 2001 From: Philipp Homberger Date: Fri, 24 Nov 2023 08:53:11 +0100 Subject: [PATCH 2/4] Update CHANGELOG.rst --- CHANGELOG.rst | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index c4fae12a59..bba1424410 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -6,6 +6,8 @@ in development Fixed ~~~~~ +* ‎Fix Snyk Security Finding Cross-site Scripting (XSS) in contrib/examples/sensors/echo_flask_app.py + * Additional fixes for st2 client auth when proxy auth mode enabled #6049 Contributed by @floatingstatic From 349c2f47aeef71adfe008a7262a83bf136d64826 Mon Sep 17 00:00:00 2001 
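Review bot: The new return line in the `@@ -41,7 +41,7 @@ def echo()` hunk fails at request time: Flask's `jsonify` rejects a positional argument combined with keyword arguments with a `TypeError` (Flask 0.11 and later; the exact message varies by release), and `status`/`mimetype` are not `jsonify` parameters in any case, since it already emits `application/json` itself — which is the part that stops the echoed body from being rendered as HTML. The line should simply be `return jsonify(request.get_json(force=True))`, with a non-default status given as a tuple, `return jsonify(...), 200`, if one is ever needed. Separately, `get_json(force=True)` parses the body as JSON regardless of Content-Type and, unless `silent=True` is passed, answers a malformed body with a 400 rather than echoing it, so the example no longer echoes non-JSON requests; that deserves a comment such as `# force=True: body is parsed as JSON whatever the Content-Type; malformed bodies get a 400`. `echo()` begins outside the hunk, so whether `payload` already holds the parsed body cannot be seen here, and the same line is carried, only reformatted, into patch 4/4.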
From: Philipp Homberger Date: Fri, 24 Nov 2023 08:55:01 +0100 Subject: [PATCH 3/4] Update CHANGELOG.rst --- CHANGELOG.rst | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index bba1424410..efc47527fa 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -7,6 +7,7 @@ in development Fixed ~~~~~ * ‎Fix Snyk Security Finding Cross-site Scripting (XSS) in contrib/examples/sensors/echo_flask_app.py + Contributed by (@philipphomberger Schwarz IT KG) * Additional fixes for st2 client auth when proxy auth mode enabled #6049 Contributed by @floatingstatic From dbed974b5c8173b673d38493e1b03579da51d270 Mon Sep 17 00:00:00 2001 From: Philipp Homberger Date: Fri, 24 Nov 2023 14:57:52 +0100 Subject: [PATCH 4/4] Update echo_flask_app.py --- contrib/examples/sensors/echo_flask_app.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/contrib/examples/sensors/echo_flask_app.py b/contrib/examples/sensors/echo_flask_app.py index 0b0360e102..742123574a 100644 --- a/contrib/examples/sensors/echo_flask_app.py +++ b/contrib/examples/sensors/echo_flask_app.py @@ -41,7 +41,9 @@ def echo(): self._sensor_service.dispatch( trigger="examples.echoflasksensor", payload=payload ) - return jsonify(request.get_json(force=True), status=200, mimetype='application/json') + return jsonify( + request.get_json(force=True), status=200, mimetype="application/json" + ) self._log.info( "Listening for payload on http://{}:{}{}".format(