Medieteknik | v1.6 #318
Merge pull request #316 from medieteknik-kth/dev
* Bug fix for uploading files, which makes uploading public profile pictures work and is easier to maintain.
* Preloading the landing page image * And rendering the chapter members is now done via SSR
* New display for events in the bulletin * Small adjustments to tags and tooltips * Fixed size for the calendar
* You now set the desired amount instead of incrementing. * Also a comment for changing the API in development.
* New Page to describe the graphical identity of the chapter. * Removed a few remaining `public/images` to switch over to cloud
* Added translations to the chapter page
# Backend
* Separated the public document routes from the item
* Added new search argument for the `GET` route for documents
# Frontend
* More responsive document page
* Added search bar with a detailed search button
* Improved separation and folder structure
* Small adjustments
* More documentation
Small UI tweaks to make it more responsive and cleaner.
* Couple of custom titles * Also some bugfixes
* Updated Next.js to the latest version * Renamed and adjusted the officials section * Adjustments to the profile section of the profile area. * Better naming for the `limit` function
* Some bug fixes when using the `to_dict()` methods
* It is now more stable, takes less space, and is more consistent. * Added some translations * Added more documentation
# Project
* Added VSCode settings to each folder
# Frontend
* Removed firebase files
* It will now redirect on failure instead of showing "Not found" * Added more documentation
Main purpose for this column is to serve content from KTH, THS, "Datasektionen" on the website
* Fixed some dark mode problems with the navigation dropdown nav menu and the search function within documents page * Adjusted size of elements in the officials sections of the chapter page
* Added the `hidden` column
* Added `Playwright` and `Jest` to the project for E2E and functionality testing of non React components. E2E testing for now is only done locally * Added GitHub action to test on push and PR to master * Updated Next.js to v14.2.15 * Removed firebase config
* Adjusted some UI elements to be better for E2E testing
* Changed the fallback language to English * Added new `news` translation string
* Makes it so most text is confined to a paragraph tag, to reduce size in the database. * Also improved documentation and removed some imports.
* Adjusted event upload dialog to specify max length of the description and title
* Better responsiveness * Translations for both Swedish and English * More documentation * HTML Title
* Updated screenshots * Added form-factor to screenshots * Moved apple-icon.png
* Much easier to modify and cleaner JSX components
* You can search for a specific position or navigate between them in a grid display
* Changed from JSON to forms for uploading news articles * Also enabled deletion of news articles
It will check if your cookies are outdated; if they are, it will present you with the menu once again * Added more documentation * Changed some UI elements + more translations * Removed `ServerProviders` as it is no longer needed.
Still not fully complete with the account page but it has better UX. * Added URL title * Modify profile picture before uploading * More documentation * More translations * Removed unfinished components, inputs.
Updated Next.js to v15.0.1
As ESLint v9 is now supported for Next.js * With this change I've reformatted and changed most files to fix linting issues.
I don't really know why. * Reduce gunicorn workers * Removed the init.sql for now.
Albums are back in a new form and are for media. New routes for the albums * Small bug fixes
You can upload media (images, videos) and create albums to store those media in.
Also changed the way we authenticate it for now.
Added more translations for committee management, and small bug fixes. Also added more documentation
It will now always route back to where you were at previously, rather than to the homepage. Also it is now primarily a modal on press rather than its own page thanks to intercepting routes with Next.js.
* Made it easier to navigate when you recently changed display language. * Improved the sitemap.xml to be more accurate.
if (file.size > MAX_FILE_SIZE) { | ||
alert('File size is too large') | ||
const img = new window.Image() | ||
img.src = URL.createObjectURL(file) |
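Review bot: the size check at `if (file.size > MAX_FILE_SIZE)` is the only validation before `URL.createObjectURL(file)` is assigned to `img.src`; check `file.type` against an image allow-list as well so a non-image upload is rejected client-side, and call `URL.revokeObjectURL` once the image has loaded so the blob is not kept alive for the lifetime of the page. A `blob:` URL assigned to `img.src` is fetched as an image and not parsed as markup, which limits what this particular line can do even with an attacker-supplied file, but the type check is still worth adding.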
Code scanning / CodeQL: DOM text reinterpreted as HTML (Medium); source: DOM text
Copilot Autofix AI 3 months ago
Copilot could not generate an autofix suggestion for this alert. Try pushing a new commit or if the problem persists contact support.
image.addEventListener('load', () => resolve(image)) | ||
image.addEventListener('error', (error) => reject(error)) | ||
image.setAttribute('crossOrigin', 'anonymous') // needed to avoid cross-origin issues on CodeSandbox | ||
image.src = url |
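Review bot: the comment on `image.setAttribute('crossOrigin', 'anonymous')` says it is needed for CodeSandbox, which suggests the helper was copied from a sandbox template, but the attribute has a real effect here: for remote image hosts the load now fails unless the server answers with `Access-Control-Allow-Origin`, and since the commits above move images from `public/images` to cloud storage, that bucket's CORS policy must allow the site origin. Reword the comment to state the actual reason (for example, so the loaded image can be drawn to a canvas without tainting it) rather than referencing CodeSandbox. Attaching the `load` and `error` listeners before assigning `image.src` is correct as written.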
Code scanning / CodeQL: DOM text reinterpreted as HTML (Medium); source: DOM text
Copilot Autofix AI 3 months ago
To fix the problem, we need to ensure that the `url` passed to the `createImage` function is safe and does not contain any malicious content. One way to achieve this is by validating the URL before using it. Since the URL is created using `URL.createObjectURL`, we can add a check to ensure it is a valid object URL.
- Add a function to validate the URL.
- Use this validation function before setting the `src` attribute of the `Image` object.
@@ -1,3 +1,16 @@ | ||
const isValidObjectURL = (url: string) => { | ||
try { | ||
const objUrl = new URL(url); | ||
return objUrl.protocol === 'blob:'; | ||
} catch (e) { | ||
return false; | ||
} | ||
}; | ||
|
||
export const createImage = (url: string) => | ||
new Promise((resolve, reject) => { | ||
if (!isValidObjectURL(url)) { | ||
reject(new Error('Invalid URL')); | ||
return; | ||
} | ||
const image = new Image() |
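Review bot: `isValidObjectURL` is stricter than the alert needs and will reject valid inputs: `new URL(url)` with no base argument throws on relative paths such as `/images/x.png`, and `objUrl.protocol === 'blob:'` rejects every `http(s):` URL, so `createImage` becomes unusable for anything except `URL.createObjectURL` output. If that is the intended contract, name the guard for it and document it on `createImage`; if remote (cloud-hosted) images also go through `createImage`, allow `https:` as well. The hunk only shows the guard inserted above `const image = new Image()`, so the `crossOrigin` attribute and the `load`/`error` listeners from the original must stay in place before `image.src = url`.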
try: | ||
token = oauth.kth.authorize_access_token() | ||
except Exception as e: | ||
return jsonify({"error": str(e)}), HTTPStatus.INTERNAL_SERVER_ERROR |
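Review bot: `except Exception as e` around `oauth.kth.authorize_access_token()` returns `str(e)` straight to the client, so whatever the OAuth library puts into the exception message (provider error descriptions, state-mismatch details) becomes part of the JSON response. Log it server-side and return a fixed message, and narrow the `except` to the library's error type where possible so programming errors are not swallowed into a 500 with the same shape as an authorization failure.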
Code scanning / CodeQL: Information exposure through an exception (Medium); source: stack trace information
Copilot Autofix AI 3 months ago
To fix the problem, we need to ensure that detailed exception information is not exposed to the user. Instead, we should log the detailed error message on the server and return a generic error message to the user. This can be achieved by modifying the exception handling block to log the exception and return a generic error message.
- Modify the exception handling block in the `oidc_auth` function to log the exception details and return a generic error message.
- Add an import statement for the logging module if it is not already present.
@@ -12,2 +12,3 @@ | ||
from flask import Flask, jsonify, make_response, request, session, url_for | ||
import logging | ||
from flask_jwt_extended import ( | ||
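Review bot: `import logging` is dead code in this suggestion; the replacement handler further down calls `app.logger.error`, which is Flask's own app logger, so either drop the import or actually use it (`logging.getLogger(__name__)`) and log through that.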
@@ -263,3 +264,4 @@ | ||
except Exception as e: | ||
return jsonify({"error": str(e)}), HTTPStatus.INTERNAL_SERVER_ERROR | ||
app.logger.error("OIDC authorization error: %s", str(e)) | ||
return jsonify({"error": "An internal error has occurred."}), HTTPStatus.INTERNAL_SERVER_ERROR | ||
|
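Review bot: `app.logger.error("OIDC authorization error: %s", str(e))` keeps only the message; pass `exc_info=True` or use `app.logger.exception(...)` inside the `except` so the traceback reaches the server log, where it is useful, instead of being lost together with the client-facing detail. The fixed body `"An internal error has occurred."` is the right thing to return to the client.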
try: | ||
delete_item(Event, event_id) | ||
except NotImplementedError as e: | ||
return jsonify({"error": str(e)}), HTTPStatus.INTERNAL_SERVER_ERROR |
Code scanning / CodeQL: Information exposure through an exception (Medium); source: stack trace information
Copilot Autofix AI 3 months ago
To fix the problem, we need to ensure that detailed exception messages are not exposed to the end user. Instead, we should log the detailed error message on the server and return a generic error message to the user. This can be achieved by modifying the exception handling code to log the exception and return a generic error message.
- Modify the exception handling code in the `delete_event` function to log the exception details and return a generic error message.
- Add necessary imports for logging if not already present.
- Ensure that the logging mechanism is properly configured to capture and store the exception details.
@@ -99,5 +99,7 @@ | ||
except NotImplementedError as e: | ||
return jsonify({"error": str(e)}), HTTPStatus.INTERNAL_SERVER_ERROR | ||
app.logger.error(f"NotImplementedError: {str(e)}") | ||
return jsonify({"error": "An internal error has occurred!"}), HTTPStatus.INTERNAL_SERVER_ERROR | ||
except SQLAlchemyError as e: | ||
return jsonify({"sql_error": str(e)}), HTTPStatus.INTERNAL_SERVER_ERROR | ||
app.logger.error(f"SQLAlchemyError: {str(e)}") | ||
return jsonify({"error": "An internal error has occurred!"}), HTTPStatus.INTERNAL_SERVER_ERROR | ||
|
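Review bot: `app.logger.error(f"NotImplementedError: {str(e)}")` drops the traceback, and the `str()` inside an f-string is redundant; `app.logger.exception("delete_event: not implemented")` in the `except` block records message and stack for free, and the same applies to the `SQLAlchemyError` branch. Two more things to check before merging: the second handler renames the response key from `sql_error` to `error`, which any client branching on `sql_error` must follow, and `str(e)` of a `SQLAlchemyError` can include the statement and bound parameters, which is fine in a server log but not in anything clients or third parties can read.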
except NotImplementedError as e: | ||
return jsonify({"error": str(e)}), HTTPStatus.INTERNAL_SERVER_ERROR | ||
except SQLAlchemyError as e: | ||
return jsonify({"sql_error": str(e)}), HTTPStatus.INTERNAL_SERVER_ERROR |
Code scanning / CodeQL: Information exposure through an exception (Medium); source: stack trace information
Copilot Autofix AI 3 months ago
To fix the problem, we need to ensure that detailed error messages, especially those containing stack traces or SQL error details, are not exposed to the end user. Instead, we should log these details on the server and return a generic error message to the client.
- Modify the exception handling in the `delete_event` function to log the detailed error message and return a generic error message to the client.
- Use Python's `logging` module to log the error details on the server side.
@@ -99,5 +99,7 @@ | ||
except NotImplementedError as e: | ||
return jsonify({"error": str(e)}), HTTPStatus.INTERNAL_SERVER_ERROR | ||
app.logger.error(f"NotImplementedError: {str(e)}") | ||
return jsonify({"error": "An internal error has occurred!"}), HTTPStatus.INTERNAL_SERVER_ERROR | ||
except SQLAlchemyError as e: | ||
return jsonify({"sql_error": str(e)}), HTTPStatus.INTERNAL_SERVER_ERROR | ||
app.logger.error(f"SQLAlchemyError: {str(e)}") | ||
return jsonify({"error": "An internal error has occurred!"}), HTTPStatus.INTERNAL_SERVER_ERROR | ||
|
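The three Flask alerts above share one shape: `str(e)` ends up in the response body. The following is an added example, not code from the Medieteknik project, that puts the "before" and "after" handlers side by side in plain Python (no Flask or SQLAlchemy dependency, so it runs stand-alone) and captures the server log in-process, so you can see that the detail, traceback included, lands there rather than in the client body. `delete_item`, `Event`, the `SQLAlchemyError` class and the driver error text are hypothetical stand-ins for the handler in the alert.

```python
"""Added example (not the Medieteknik project's code): keep exception detail
in the server log and send clients a fixed body.

Plain Python so it runs without Flask or SQLAlchemy; `delete_item`, `Event`
and `SQLAlchemyError` below are hypothetical stand-ins for the real handler.
"""
import logging
from http import HTTPStatus

GENERIC_ERROR = {"error": "An internal error has occurred!"}


class ListHandler(logging.Handler):
    """Collects formatted records so the server log can be inspected in-process."""

    def __init__(self):
        super().__init__()
        self.records = []

    def emit(self, record):
        self.records.append(self.format(record))


log = logging.getLogger("example.delete_event")
log.setLevel(logging.DEBUG)
log.propagate = False  # keep the sample records out of the root logger
server_log = ListHandler()
server_log.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
log.addHandler(server_log)


class SQLAlchemyError(Exception):
    """Stand-in for sqlalchemy.exc.SQLAlchemyError (assumed, not imported)."""


Event = "Event"  # stand-in for the project's Event model


def delete_item(model, item_id):
    """Hypothetical data layer. Negative ids raise NotImplementedError; id 0
    raises a database error whose message carries the statement and bound
    parameters, which is what a real driver error often looks like
    (constructed sample text, not a real error)."""
    if item_id < 0:
        raise NotImplementedError(f"delete_item not implemented for {model}")
    if item_id == 0:
        raise SQLAlchemyError(
            "(psycopg2.errors.ForeignKeyViolation) DELETE FROM event "
            "WHERE id = %(id)s [parameters: {'id': 0}]"
        )
    return True


def delete_event_leaky(event_id):
    """'Before': whatever the exception says is handed to the client."""
    try:
        delete_item(Event, event_id)
    except NotImplementedError as e:
        return {"error": str(e)}, HTTPStatus.INTERNAL_SERVER_ERROR
    except SQLAlchemyError as e:
        return {"sql_error": str(e)}, HTTPStatus.INTERNAL_SERVER_ERROR
    return {"status": "deleted"}, HTTPStatus.OK


def delete_event_safe(event_id):
    """'After': log.exception() records message *and* traceback server-side;
    the client only learns that the request failed with a 500."""
    try:
        delete_item(Event, event_id)
    except NotImplementedError:
        log.exception("delete_event(%s): not implemented", event_id)
        return GENERIC_ERROR, HTTPStatus.INTERNAL_SERVER_ERROR
    except SQLAlchemyError:
        log.exception("delete_event(%s): database error", event_id)
        return GENERIC_ERROR, HTTPStatus.INTERNAL_SERVER_ERROR
    return {"status": "deleted"}, HTTPStatus.OK


def client_sees_internal_detail(
    body, markers=("psycopg2", "Traceback", "DELETE FROM", "not implemented")
):
    """Crude screen for a response body: does any field contain text that
    belongs in a log rather than in an API response?"""
    return any(m in str(v) for v in body.values() for m in markers)
```

The point of `log.exception` over `log.error("... %s", str(e))` is that the traceback is attached to the record automatically; `server_log.records[-1]` after a failed `delete_event_safe(0)` contains both the driver message and the `Traceback (most recent call last)` block, while the returned body is the fixed `GENERIC_ERROR`. Make sure the handler that receives these records writes somewhere clients cannot read.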
Major Version, v1.6
New
* Albums: link to the Album Page under CHAPTER in the header navigation
* Positions: link to the Position Page
Changes
Fixes