fix: Add input validation and proper HTTP status codes to Flask API e… #180

Closed

aparnatonni wants to merge 1 commit into c2siorg:main from aparnatonni:fix/backend-input-validation

Conversation

@aparnatonni

Add input validation and proper HTTP status codes to all API endpoints

  • Validate empty/null command inputs across 10 endpoints
  • Return proper status codes: 400 for bad input, 500 for errors
  • Wrap GDB execution in try/except blocks
  • Return structured JSON error responses

Fixes issue #144

…ndpoints

- Add validation for empty/null command inputs across all 10 endpoints
- Return proper HTTP status codes: 400 for bad input, 500 for server errors
- Wrap all GDB command execution in try/except blocks
- Return structured JSON error responses with status codes
- Improves security and reliability (resolves issue c2siorg#144)
@Uday9909
Contributor

Hey, thanks for the PR! I've reviewed the changes, but we can't merge this as-is. It adds superficial validation but still leaves critical security vulnerabilities open.

Path Traversal (main.py:97-112): name is still used directly after a .strip(). This needs proper sanitization and must be restricted to a fixed output directory.

Command Injection (main.py:58-74 & 164-169): Both command and location are just checked for empty strings before execution/concatenation. This leaves injection vectors wide open. We need a strict allowlist or parser here.

We need to tackle this using a centralized validation and allowlist approach rather than duplicating string checks.

@Shubh942 — I recommend closing this PR for now until we establish a proper shared validation handler!
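Added example, not code from PR #180 or the c2siorg repository: one stdlib-only sketch of the centralized validation layer the review above asks for, covering both what the PR description sets out (400 for bad input, 500 for execution failures, structured JSON bodies) and the reviewer's two points (a user-supplied name confined to a fixed output directory; an allowlist plus parser for GDB commands and breakpoint locations instead of empty-string checks). It runs without Flask. OUTPUT_DIR, ALLOWED_GDB_VERBS, the location grammar and every function name here are assumptions for illustration, not the project's API.

```python
# Added example: centralized validation for a GDB-backed Flask API.
# Not code from PR #180 or the c2siorg project; OUTPUT_DIR, the verb
# allowlist, the location grammar and the function names are assumptions.
import re
import shlex
from pathlib import Path

# Assumed fixed directory for anything written under a client-supplied name.
OUTPUT_DIR = Path("/tmp/gdb-api-output")

# Assumed allowlist of GDB verbs the API forwards. "shell", "!", "python"
# and "source" are deliberately absent.
ALLOWED_GDB_VERBS = {"break", "delete", "run", "next", "step", "continue",
                     "backtrace", "info", "print", "x"}

# A bare file name: no separators, bounded length. "." and ".." match this
# pattern and are rejected explicitly below.
SAFE_NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")

# Assumed grammar for a breakpoint location: symbol, file:line or *0xADDR.
LOCATION_RE = re.compile(
    r"[A-Za-z_][A-Za-z0-9_]*|[A-Za-z0-9_./-]+:\d+|\*0x[0-9a-fA-F]+")

# GDB starts the inferior through $SHELL, so "run" arguments are effectively
# shell-interpreted even though the server itself never invokes a shell.
FORBIDDEN_IN_COMMAND = set("\n\r\x00;|&`()<>")


class ValidationError(ValueError):
    """Bad client input; handle_request maps it to HTTP 400."""


def safe_output_path(name, base_dir=OUTPUT_DIR):
    """Return base_dir/name, refusing anything that is not a plain file name
    or that would resolve outside base_dir (path traversal)."""
    if (not isinstance(name, str) or not SAFE_NAME_RE.fullmatch(name)
            or name in (".", "..")):
        raise ValidationError("name must be a plain file name")
    base = Path(base_dir).resolve()
    candidate = (base / name).resolve()
    # Second, independent check: the resolved file must sit directly under base.
    if candidate.parent != base:
        raise ValidationError("name escapes the output directory")
    return candidate


def validate_location(location):
    """Accept a breakpoint location only if it matches the assumed grammar."""
    if not isinstance(location, str):
        raise ValidationError("location must be a string")
    location = location.strip()
    if not LOCATION_RE.fullmatch(location):
        raise ValidationError("location must be a symbol, file:line or *0xADDR")
    return location


def validate_gdb_command(command):
    """Accept a GDB command only if it parses and its verb is allowlisted.
    Returns the stripped command string for use as one argv element."""
    if not isinstance(command, str) or not command.strip():
        raise ValidationError("command must be a non-empty string")
    if FORBIDDEN_IN_COMMAND & set(command):
        raise ValidationError("command contains forbidden characters")
    try:
        tokens = shlex.split(command)
    except ValueError as exc:
        raise ValidationError(f"command is not parsable: {exc}") from None
    if not tokens or tokens[0] not in ALLOWED_GDB_VERBS:
        raise ValidationError("command verb is not allowlisted")
    return command.strip()


def gdb_argv(command):
    """argv for running one validated command in batch mode: no shell string."""
    return ["gdb", "--batch", "-ex", command]


def handle_request(payload, field, validator, action):
    """One handler maps missing/bad input to 400 and action failures to 500.
    Returns (body, status), which a Flask view can return directly."""
    if not isinstance(payload, dict) or field not in payload:
        return {"error": f"missing field '{field}'"}, 400
    try:
        value = validator(payload[field])
    except ValidationError as exc:
        return {"error": str(exc)}, 400
    try:
        return {"result": action(value)}, 200
    except Exception as exc:  # e.g. gdb failed to start; log server-side
        return {"error": "internal error", "type": type(exc).__name__}, 500


if __name__ == "__main__":
    print(handle_request({"command": "break main"}, "command", validate_gdb_command, gdb_argv))
    print(handle_request({"command": "run ; id"}, "command", validate_gdb_command, gdb_argv))
    print(handle_request({"name": "../../etc/passwd"}, "name", safe_output_path, str))
```

In a Flask view this becomes `return handle_request(request.get_json(silent=True) or {}, "command", validate_gdb_command, run_gdb)`; Flask serialises a (dict, status) tuple as a JSON response. Two caveats: the validated command must reach gdb as its own argv element and never be concatenated into a shell string, and the metacharacter check also rejects `print` calls into the inferior such as `print system("id")`, which is intended here and can be relaxed per verb if the API needs it.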

@Shubh942 closed this May 19, 2026