Skip to content

fix: escape input before returning #4810

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 18 commits into from
Closed

fix: escape input before returning #4810

wants to merge 18 commits into from

Conversation

mohamedzeidan2021
Copy link
Contributor

Issue #, if available:

Description of changes:
Fixing the potential cross site scripting vulnerability by escaping the input using flasks escape function before returning the request data in the case that the request fails.

Testing done:
The code scanning vulnerability disappeared in my fork once the fix was implemented.

Merge Checklist

Put an x in the boxes that apply. You can also fill these out after creating the PR. If you're unsure about any of them, don't hesitate to ask. We're here to help! This is simply a reminder of what we are going to look for before merging your pull request.

General

  • [x ] I have read the CONTRIBUTING doc
  • [x ] I certify that the changes I am introducing will be backward compatible, and I have discussed concerns about this, if any, with the Python SDK team
  • [ x] I used the commit message format described in CONTRIBUTING
  • I have passed the region in to all S3 and STS clients that I've initialized as part of this change.
  • I have updated any necessary documentation, including READMEs and API docs (if appropriate)

Tests

  • I have added tests that prove my fix is effective or that my feature works (if appropriate)
  • I have added unit and/or integration tests as appropriate to ensure backward compatibility of the changes
  • I have checked that my tests are not configured for a specific region or account (if appropriate)
  • I have used unique_name_from_base to create resource names in integ tests (if appropriate)

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@mohamedzeidan2021
feat: added code scanning through CodeQL
2ac737d 
Delete .github/workflows/security-monitoring.yml
@mohamedzeidan2021 mohamedzeidan2021 requested a review from a team as a code owner July 29, 2024 19:19
@mohamedzeidan2021 mohamedzeidan2021 requested a review from ptkab July 29, 2024 19:19
github-advanced-security[bot]
github-advanced-security bot found potential problems Jul 29, 2024
View reviewed changes
tests/data/marketplace/iris/scoring_logic.py
@@ -106,4 +106,4 @@

return response
except Exception as e:
return f"Error during model invocation: {str(e)} for input: {request.get_data()}"
return f"Error during model invocation: {str(e)} for input: {escape(request.get_data())}"

Check warning

Code scanning / CodeQL

Information exposure through an exception

[Stack trace information](1) flows to this location and may be exposed to an external user.
github-advanced-security[bot]
github-advanced-security bot found potential problems Jul 30, 2024
View reviewed changes
src/sagemaker/config/config_utils.py
config_value,
source_value,
config_value_log_copy,
source_value_log_copy,

Check failure

Code scanning / CodeQL

Clear-text logging of sensitive information

This expression logs [sensitive data (secret)](1) as clear text. This expression logs [sensitive data (secret)](2) as clear text. This expression logs [sensitive data (secret)](3) as clear text. This expression logs [sensitive data (secret)](4) as clear text.
src/sagemaker/config/config_utils.py
config_value,
source_value,
config_value_log_copy,
source_value_log_copy,

Check failure

Code scanning / CodeQL

Clear-text logging of sensitive information

This expression logs [sensitive data (secret)](1) as clear text. This expression logs [sensitive data (secret)](2) as clear text. This expression logs [sensitive data (secret)](3) as clear text. This expression logs [sensitive data (secret)](4) as clear text.
github-advanced-security[bot]
github-advanced-security bot found potential problems Aug 2, 2024
View reviewed changes
makungaj1 and others added 12 commits August 2, 2024 11:54
@makungaj1 @mohamedzeidan2021
fix: ModelBuilder not passing HF_TOKEN to model. (#4780)
00078fc 
* Follow-ups fixes

* Refactoring

* Unit tests

* refactoring

* Refactoring

* Refactoring

---------

Co-authored-by: Jonathan Makunga <[email protected]>
@mohamedzeidan2021
prepare release v2.226.0
ce552a7
@mohamedzeidan2021
update development version to v2.226.1.dev0
7ee239e
@selvask-aws @mohamedzeidan2021
Fix: Adding application/octet-stream to content type #4772 (#4781)
fd59dc8
@mohamedzeidan2021
prepare release v2.226.1
cefc281
@mohamedzeidan2021
update development version to v2.226.2.dev0
00edac0
@tejaschumbalkar @mohamedzeidan2021
add support for new regions (#4792)
bd26655
@sagemaker-bot @mohamedzeidan2021
change: update image_uri_configs 07-16-2024 07:17:45 PST
c385bf9
@sagemaker-bot @mohamedzeidan2021
change: update image_uri_configs 07-17-2024 07:17:38 PST
e4341e8
@sagemaker-bot @mohamedzeidan2021
change: update image_uri_configs 07-22-2024 11:53:54 PST
767471b
@Captainia @mohamedzeidan2021
chore: add huggingface TGI 2.2.0 config (#4795)
01b5d1e
@malav-shastri @sage-maker @mohamedzeidan2021
fix: explicitly access enum member values to avoid Python version rel…
4a9efa6 
…ated regression (#4798)

Co-authored-by: Malav Shastri <[email protected]>
Co-authored-by: sage-maker <[email protected]>
@mohamedzeidan2021 mohamedzeidan2021 closed this by deleting the head repository Aug 2, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ptkab ptkab Awaiting requested review from ptkab ptkab is a code owner automatically assigned from aws/sagemaker-ml-frameworks

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
8 participants
@mohamedzeidan2021 @makungaj1 @selvask-aws @tejaschumbalkar @sagemaker-bot @Captainia @malav-shastri @benieric