Bug bash fix for petlist adoption python app signals #437
Conversation
…-observability-demo into feat/cdkpipeline
… for petlistadoptions-py
…n Signals Python auto-inst doesn't work for FastAPI)
| # Check if this is a local test setup | ||
| if self.rds_secret_arn == "local-secret": # pragma: allowlist secret | ||
| # Read from local file for testing | ||
| with open("/app/local-secret.json") as f: # pragma: allowlist secret |
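Review bot: the sentinel comparison on `if self.rds_secret_arn == "local-secret":` makes a production configuration value double as a code-path selector, so any deployment whose `APP_RDS_SECRET_ARN` is set to that string will silently read database credentials from `/app/local-secret.json` instead of the real secret. Gate the local branch on an explicit test-only setting (for example a dedicated environment variable read in `__init__`), and wrap the `open(...)` in `try`/`except FileNotFoundError` so a missing file fails with a clear message rather than a traceback. The two `# pragma: allowlist secret` markers also suppress secret scanning on these lines; a short comment saying why each is acceptable would help the next reviewer.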
Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.
The absolute path starts at the root and moves down through each folder. While traversing the path, if a folder name or location differs from the file path mentioned in the code, it causes a break. Since most computers have different directory structures, using an absolute path in your code is likely to cause issues in your computational environment. We recommend using relative paths, because they rely only on the relevant part of the directory structure being the same, making them more reliable to work with in a computational environment.
| self._fetch_from_parameter_store() | ||
| def __init__(self): | ||
| self.pet_search_url = os.getenv("APP_PET_SEARCH_URL") | ||
| self.rds_secret_arn = os.getenv("APP_RDS_SECRET_ARN") |
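Review bot: `os.getenv(...)` on the last two lines returns `None` when `APP_PET_SEARCH_URL` or `APP_RDS_SECRET_ARN` is unset, so a misconfigured container only fails later, at the point where the value is used. Fail fast in `__init__` instead, for example by reading with `os.environ[...]` or by checking both values and raising an error that names the missing variable, and validate that `rds_secret_arn` has the shape of an ARN before it reaches the parameter-store lookup in `_fetch_from_parameter_store()`.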
Recommendation generated by Amazon CodeGuru Reviewer.
This code relies on a client-controlled input (e.g., cookies, URL parameters, or headers) to determine user roles, which is vulnerable to manipulation. An attacker could potentially elevate their privileges by tampering with these inputs. To fix this, enforce role-based checks using server-side session data or an external authentication service. Avoid relying on any user-controlled data for role validation. Learn more about authorization vulnerabilities from OWASP (https://owasp.org/Top10/A01_2021-Broken_Access_Control/).
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.