Fix critical security vulnerabilities: secrets, CORS, XSS, input validation #5

Merged: IanDTM merged 3 commits into ruff-test from copilot/sub-pr-4 on Dec 31, 2025

Copilot AI commented Dec 31, 2025

Security analysis revealed multiple critical vulnerabilities enabling session hijacking, XSS attacks, and score manipulation.

Changes

Secrets Management

  • Removed hardcoded SECRET_KEY, now sourced from SECRET_KEY env var with cryptographic fallback
  • CORS origins configurable via ALLOWED_ORIGINS env var (comma-separated)

Input Sanitization & Validation

  • _sanitize_name(): Strips HTML/script tags from player names using regex [^a-zA-Z0-9\s\-_]
  • _validate_score(): Enforces type, range, and plausibility checks (max = duration × 2)
  • All WebSocket handlers now validate data parameter type before processing

Production Safety

  • allow_unsafe_werkzeug flag now conditional on FLASK_DEBUG env var (accepts true or 1)
  • Added security warnings for debug mode

Documentation

  • SECURITY.md documents all vulnerabilities, fixes, and deployment recommendations

Example

Before:

app.config["SECRET_KEY"] = "whack-a-mole-secret-key"  # Visible in source
socketio = SocketIO(app, cors_allowed_origins="*")   # Any origin allowed

@socketio.on("submit_score")
def handle_submit_score(data):
    name = data.get("name", "Anonymous")  # No sanitization
    high_scores.append({"name": name[:10], ...})  # XSS vulnerable

After:

app.config["SECRET_KEY"] = os.environ.get("SECRET_KEY", os.urandom(24).hex())
allowed_origins = os.environ.get("ALLOWED_ORIGINS", "*").split(",")
socketio = SocketIO(app, cors_allowed_origins=allowed_origins)

@socketio.on("submit_score")
def handle_submit_score(data):
    if not isinstance(data, dict): return
    name = _sanitize_name(data.get("name"))  # Strips <script> tags
    if not _validate_score(score, game_state): return

Environment Variables

| Variable | Purpose | Default |
|---|---|---|
| SECRET_KEY | Session encryption key | Random (insecure) |
| ALLOWED_ORIGINS | CORS whitelist | * (dev only) |
| FLASK_DEBUG | Enable unsafe Werkzeug | false |
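
One way to implement the name filter and score plausibility check described in the comment above, as an added example that is not the repository's code and not part of the PR. The function bodies, `MAX_NAME_LENGTH`, the `score` key and the `duration_seconds` parameter are assumptions; the regex and the ×2 multiplier are taken from the description.

```python
import re

# Assumed values: the PR names _sanitize_name, _validate_score and
# MAX_SCORE_MULTIPLIER but does not show their bodies.
MAX_SCORE_MULTIPLIER = 2   # "max = duration x 2" from the PR description
MAX_NAME_LENGTH = 10       # assumption, mirrors name[:10] in the "Before" snippet
_DISALLOWED = re.compile(r"[^a-zA-Z0-9\s\-_]")  # regex quoted in the PR


def sanitize_name(raw, default="Anonymous"):
    """Allowlist filter: drop every character outside letters, digits,
    whitespace, '-' and '_', then normalise whitespace and truncate."""
    if not isinstance(raw, str):
        return default
    cleaned = _DISALLOWED.sub("", raw)
    # \s also admits newlines and tabs; collapse them to single spaces.
    cleaned = " ".join(cleaned.split())
    return cleaned[:MAX_NAME_LENGTH] or default


def validate_score(score, duration_seconds):
    """Type, range and plausibility checks for a client-reported score."""
    # bool is a subclass of int, so True would otherwise pass as score 1.
    if isinstance(score, bool) or not isinstance(score, int):
        return False
    if score < 0:
        return False
    return score <= duration_seconds * MAX_SCORE_MULTIPLIER


def handle_submit_score(data, duration_seconds, high_scores):
    """Handler body without the Socket.IO decorator so it runs offline."""
    if not isinstance(data, dict):
        return False
    score = data.get("score")  # assumed payload key
    if not validate_score(score, duration_seconds):
        return False
    high_scores.append({"name": sanitize_name(data.get("name")), "score": score})
    return True
```

Filtering on input only narrows what gets stored; the page that renders the high-score list should still write names with `textContent` or template auto-escaping.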

Copilot AI mentioned this pull request Dec 31, 2025
@IanDTM IanDTM marked this pull request as ready for review December 31, 2025 18:32
@IanDTM IanDTM requested a review from Copilot December 31, 2025 18:32
Copilot AI left a comment

Copilot wasn't able to review any files in this pull request.

Copilot AI and others added 2 commits December 31, 2025 18:39
…input validation

- Replace hardcoded SECRET_KEY with environment variable
- Make CORS origins configurable via ALLOWED_ORIGINS env var
- Add input sanitization for player names to prevent XSS
- Implement score validation to prevent cheating
- Add strict input validation for WebSocket handlers
- Make unsafe Werkzeug conditional on debug mode
- Add comprehensive security documentation

Co-authored-by: IanDTM <8480521+IanDTM@users.noreply.github.com>

- Add MAX_SCORE_MULTIPLIER constant for better maintainability
- Add input validation for submit_score data parameter
- Support both 'true' and '1' for FLASK_DEBUG environment variable

Co-authored-by: IanDTM <8480521+IanDTM@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Improve backend code quality and maintainability" to "Fix critical security vulnerabilities: secrets, CORS, XSS, input validation" Dec 31, 2025
Copilot AI requested a review from IanDTM December 31, 2025 18:43
@IanDTM IanDTM merged commit 55fc8ba into ruff-test Dec 31, 2025
@IanDTM IanDTM deleted the copilot/sub-pr-4 branch December 31, 2025 19:00