From 5bb889154cbd06fa482bef608028b330e7ef4c05 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Iv=C3=A1n=20Alejandro=20Marug=C3=A1n?=
Date: Thu, 15 Aug 2024 22:11:47 +0200
Subject: [PATCH] fix: CWE-116 and CWE-79 closes #15
---
 Dockerfile | 11 ++++-------
 app/app.py | 10 ++++++++--
 package.json | 14 ++++++++++++++
 3 files changed, 26 insertions(+), 9 deletions(-)
 create mode 100644 package.json
diff --git a/Dockerfile b/Dockerfile
index 0c699e4..ad00108 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,18 +1,15 @@
-FROM python:3.12.4-slim
+ARG PYTHON_VERSION=3.12.4-slim
+
+FROM python:${PYTHON_VERSION}
-# LABELS
 LABEL maintainer="Iván Alejandro Marugán " \
- description="Bitbucket Bot for Google Chat" \
- version="1.0.0"
+ description="Bitbucket Bot for Google Chat"
-# APPLICATION
 COPY app /app
 COPY requirements.txt /requirements.txt
-# INSTALL REQUIREMENTS
 RUN pip install -r /requirements.txt
 WORKDIR /app
-# RUN APP
 ENTRYPOINT ["gunicorn", "run:app"]
diff --git a/app/app.py b/app/app.py
index 9a3f4d6..1bdf0b6 100644
--- a/app/app.py
+++ b/app/app.py
@@ -1,6 +1,8 @@
+import html
 import json
 import os
 import requests
+
 from flask import Flask, request
@@ -188,12 +190,12 @@ def main():
 token = os.environ.get('TOKEN')
 if request.args['token']!= token:
- exit(1)
+ return "Invalid token", 403
 event = request.get_json()
 if not event:
- return "event empty"
+ return "event empty", 400
 message = Message(url, event)
 if (event['eventKey'] == 'pr:opened' or event['eventKey'] == 'pr:merged' or event['eventKey'] == 'pr:declined'):
@@ -208,6 +210,10 @@ def main():
 comment = message.pr_approved(event)
 r = message.send_message(comment)
+ # Mitigate XSS
+ if isinstance(r, str):
+ r = html.escape(r)
+
 return r
diff --git a/package.json b/package.json
new file mode 100644
index 0000000..a346e4f
--- /dev/null
+++ b/package.json
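Review bot: The new `return "Invalid token", 403` branch in the `@@ -188,12 +190,12 @@` hunk still sits behind `request.args['token']!= token`, which raises KeyError (and therefore a 500 from Flask) when the token parameter is absent and compares the secret with a non-constant-time `!=`. Reading the parameter with `.get` and comparing via `hmac.compare_digest` covers both: `supplied = request.args.get('token', '')` / `if token is None or not hmac.compare_digest(supplied, token):` / `return "Invalid token", 403`, with `import hmac` added to the import block in the first hunk. The `token is None` guard keeps an unset `TOKEN` environment variable on the reject path instead of passing `None` into `compare_digest`, and if the token may contain non-ASCII characters both sides should be encoded to bytes first. `main()` begins and ends outside this hunk.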
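Review bot: In the `@@ -208,6 +210,10 @@` hunk, `html.escape(r)` rewrites the body that `message.send_message(comment)` produced (quotes become `&quot;`, for example) but leaves Flask's default `text/html` content type in place, so the reflected string is still served as HTML and is merely entity-encoded, and anything other than a `str` (for instance a `requests` response object, which this module imports) bypasses the `isinstance` guard entirely. Declaring the content type makes the response inert regardless of what it contains and avoids altering upstream text: `return r, 200, {"Content-Type": "text/plain; charset=utf-8"}` in place of `return r`, keeping the escape only if the body is deliberately rendered as HTML somewhere. `send_message` is not visible here, so confirm what it returns before relying on the `str` check. `main()` begins and ends outside this hunk.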
@@ -0,0 +1,14 @@
+{
+ "name": "bitbucket-bot",
+ "version": "1.0.0",
+ "release": {
+ "branches": [
+ "main"
+ ],
+ "repositoryUrl": "https://github.com/devops-ia/bitbucket-bot.git",
+ "plugins": [
+ "@semantic-release/release-notes-generator",
+ "@semantic-release/github"
+ ]
+ }
+}