Potential fix for code scanning alert no. 2: Information exposure through an exception #11
Conversation
…ough an exception Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| import io | ||
| import sys | ||
| from contextlib import redirect_stdout, redirect_stderr | ||
| import logging |
Check warning
Code scanning / Pylint (reported by Codacy)
standard import "import logging" should be placed before "from fastapi import FastAPI" Warning
| import io | ||
| import sys | ||
| from contextlib import redirect_stdout, redirect_stderr | ||
| import logging |
Check warning
Code scanning / Pylintpython3 (reported by Codacy)
standard import "import logging" should be placed before "from fastapi import FastAPI" Warning
| return (result.returncode == 0, result.stderr if result.stderr else "") | ||
| except Exception as e: | ||
| return (False, f"Error running {tool}: {str(e)}") | ||
| logging.error(f"Error running {tool}: {str(e)}") |
Check notice
Code scanning / Pylintpython3 (reported by Codacy)
Use lazy % formatting in logging functions Note
| ) | ||
| if not success: | ||
| output += f"\n\n===== {tool} failed =====\n{stderr}" | ||
| logging.error(f"{tool} failed with error: {stderr}") |
Check notice
Code scanning / Pylintpython3 (reported by Codacy)
Use lazy % formatting in logging functions Note
| return apply_optional_passes(str(traced_model.graph), pipeline, dump_each) | ||
| except Exception as e: | ||
| return f"Error generating TorchScript Graph IR: {str(e)}" | ||
| logging.error(f"Error generating TorchScript Graph IR: {str(e)}") |
Check notice
Code scanning / Pylintpython3 (reported by Codacy)
Use lazy % formatting in logging functions Note
| ) | ||
| except Exception as e: | ||
| return f"Error executing user code: {str(e)}" | ||
| logging.error(f"Error executing user code: {str(e)}") |
Check notice
Code scanning / Pylintpython3 (reported by Codacy)
Use lazy % formatting in logging functions Note
| return (result.returncode == 0, result.stderr if result.stderr else "") | ||
| except Exception as e: | ||
| return (False, f"Error running {tool}: {str(e)}") | ||
| logging.error(f"Error running {tool}: {str(e)}") |
Check warning
Code scanning / Prospector (reported by Codacy)
Use lazy % formatting in logging functions (logging-fstring-interpolation) Warning
| ) | ||
| if not success: | ||
| output += f"\n\n===== {tool} failed =====\n{stderr}" | ||
| logging.error(f"{tool} failed with error: {stderr}") |
Check warning
Code scanning / Prospector (reported by Codacy)
Use lazy % formatting in logging functions (logging-fstring-interpolation) Warning
| return apply_optional_passes(str(traced_model.graph), pipeline, dump_each) | ||
| except Exception as e: | ||
| return f"Error generating TorchScript Graph IR: {str(e)}" | ||
| logging.error(f"Error generating TorchScript Graph IR: {str(e)}") |
Check warning
Code scanning / Prospector (reported by Codacy)
Use lazy % formatting in logging functions (logging-fstring-interpolation) Warning
| ) | ||
| except Exception as e: | ||
| return f"Error executing user code: {str(e)}" | ||
| logging.error(f"Error executing user code: {str(e)}") |
Check warning
Code scanning / Prospector (reported by Codacy)
Use lazy % formatting in logging functions (logging-fstring-interpolation) Warning
Potential fix for https://github.com/MrSidims/PytorchExplorer/security/code-scanning/2
To fix the issue, we need to ensure that detailed exception information, such as stack traces, is not exposed to external users. Instead, we should log the detailed error messages on the server for debugging purposes and return a generic error message to the user. This approach protects sensitive information while still allowing developers to diagnose issues.
run_external_opt_tool_file,apply_optional_passes, and other relevant functions to log detailed error messages instead of returning them directly.loggingmodule to log the detailed error messages to a file or console for debugging purposes.Suggested fixes powered by Copilot Autofix. Review carefully before merging.