Release/2.0.x - Arches 8.0.x, Vue/Workflow components #105
* Added vite dependency, rough out working version (routes.ts needs rework). * Refining structures for asset resolution * Add step 10, refine layout * Fix TS issues, remove BCRHP-specific references, unused login/logout calls. Add ESLint/Prettier config rules. * Add missing prettier plugin * Add missing prettier vue plugin * Fix bad globals value * Fix eslint issues Remove unused python version from feature branch build * Fix black formatting
Docker Containers: add component-lab to docker containers, don't build webpack container by default, install vim by default; run prettier on all javascript files
… reason for creating the copy.
* Interim commit of adding MapLibre simple view map. Adds bcap shim for maplibre, fixing underscore and jquery global timing * Move map from bcap to bcgov-arches-common * Fix prettier issues and align config * Pull resource map styling from resource model config * Resolve TS errors * Remove captcha from installed apps * Fix dependencies * Fix dependencies * Temporarily disable ts:check from build_development to push to dlvr Try to resolve some TS issues * Interim TS errors fix * Interim TS errors fix * Updates for v8 * Fix missing fs during build_test GH workflow * Update vitest config & setup for v8 * Allow Arches from URLs * Bump Postgres service version in GH workflow * Fix TS errors
* Audit log * Update imports * Run prettier
* Move edit log view to bcgov-arches-common * Filter Nodes by active graph, remove debug statements * Move generic edit log components to common app, reorder URL structure, rename url parameter to make explicit * Fix prettier issue * Create API to fetch logs, make component names specific, make graph slug optional, rework URL * Add generated edit log python tests * Add generated edit log frontend api tests * Fix TS errors * Add visible attribute to column defs, make Edit Log toggleable (show / hide)
…nused api import and function
…ist data (#58) Bypassing to fix bcfms CI * Add file-list datatype, persist files in workflow, fix project documents shape in schema * Add generated unit test
* Fix HTML rendering * Run prettier
* Go to Audit Log button * Fix shadowing issue in Arches
* Change source of PMBC data to ParcelMap BC Parcel Fabric * Fix returned coordinate system
* Removed invalid BCRHP namespace, add TS type to date zod schema * Fix TS error
* explicit any TS fix * added GeoJSONFeature type and replaced anys
* Add OAUTH2 provider support and featuresrv proxy support * Bump arches core requirement * Make outbound proxy configurable in settings and eliminate duplicate proxy class * Don't log user out if they have a valid BCAP-provided OAuth to token. * Add test to bump coverage --------- Co-authored-by: Aaron Gundel <124614+aarongundel@users.noreply.github.com>
* Rough out BCRHP postal code validation fix * moved getBCPostalCodeRequiredSchema into zod * Fixing TS errors * Fixing prettier format errors --------- Co-authored-by: Philip Hansen <philip.pt.hansen@gmail.com>
Merging, although we should try to replace some of this logic with the OOB zod functions.
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
    {
        "error": f"Error fetching data from external API: {str(e)}",
        "pid": pid,
    },
Check warning (Code scanning / CodeQL): Information exposure through an exception, severity Medium
Copilot Autofix (AI, 15 days ago)
In general, the fix is to avoid including raw exception messages (str(e)) in responses returned to clients. Instead, log the detailed exception (possibly with a stack trace) on the server, and return a generic, user-friendly message that does not reveal implementation details.
For this specific file, we should update the except urllib3.exceptions.HTTPError as e: and except urllib3.exceptions.RequestError as e: handlers. Both currently log str(e) and also embed str(e) into the JSON response sent to the user. We can keep the detailed logging exactly as-is (or even improve it later), but change the JsonResponse payloads to use generic messages like "Error fetching data from external API" and "Request error while fetching data from external API", without interpolating str(e). That ensures no exception/stack-trace-like content is exposed, while preserving the existing HTTP status codes and overall behavior.
Concretely:
- In `bcgov_arches_common/views/api/pmbc.py`, in the `PMBCDataView.get` method:
  - At lines 99–102, replace the `"error"` field from `f"Error fetching data from external API: {str(e)}"` to a static string without `str(e)`.
  - At lines 112–113, similarly replace `f"Error fetching data from external API: {str(e)}"` with a static message, e.g. `"Error fetching data from external API"`.
- No new imports or helper functions are needed; we only adjust the JSON content.
| @@ -97,7 +97,7 @@ | ||
| ) | ||
| return JsonResponse( | ||
| { | ||
| "error": f"Error fetching data from external API: {str(e)}", | ||
| "error": "Error fetching data from external API", | ||
| "pid": pid, | ||
| }, | ||
| status=500, | ||
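Review bot: using the same fixed text here and in the RequestError hunk below means a client can no longer distinguish an upstream HTTP failure from a connection-level one; the explanation above proposed two different messages ("Error fetching data from external API" and "Request error while fetching data from external API"), so use those, or add a short stable code field, keeping `str(e)` only in the `logger.error(...)` call that precedes this hunk. Since this branch reports an upstream failure rather than a fault in the view itself, `status=500` could also become `status=502` so monitoring can separate the two.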
| @@ -109,7 +109,7 @@ | ||
| ) | ||
| return JsonResponse( | ||
| { | ||
| "error": f"Error fetching data from external API: {str(e)}", | ||
| "error": "Error fetching data from external API", | ||
| "pid": pid, | ||
| }, | ||
| status=500, |
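Review bot: the replacement string duplicates the HTTPError hunk above; the autofix's own text suggests "Request error while fetching data from external API" for this handler, which keeps the two failure modes distinguishable in the response without interpolating `str(e)`.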
    {
        "error": f"Error fetching data from external API: {str(e)}",
        "pid": pid,
    },
Check warning (Code scanning / CodeQL): Information exposure through an exception, severity Medium
Copilot Autofix (AI, 15 days ago)
In general, the fix is to stop including raw exception messages (str(e)) in HTTP responses and instead return generic, user-safe messages. Detailed error information should be logged on the server (as is already being done with logger.error(...)) but not exposed to clients.
The best targeted fix here is to adjust the error JSON in the problematic except blocks so that:
- The log messages remain unchanged and can still include `str(e)`.
- The response body uses a generic description (for example: `"Error fetching data from external API"` or `"An internal error occurred while contacting the external service"`) that does not include `str(e)`.
Concretely, in `bcgov_arches_common/views/api/pmbc.py` within `PMBCDataView.get`:
- Update the `except urllib3.exceptions.HTTPError as e` block to remove `str(e)` from the response JSON, keeping it only in the log.
- Update the `except urllib3.exceptions.RequestError as e` block (the one flagged on line 111) similarly, replacing `"error": f"Error fetching data from external API: {str(e)}"` with a generic fixed string.
- Update the general `except Exception as e` block to avoid returning `str(e)` to the user as `"Unexpected error: {str(e)}"`, and use a generic message instead.
No new methods or imports are needed: logging and JsonResponse are already imported, and logging calls already exist. We only alter the error message strings inside the JSON responses.
| @@ -97,7 +97,7 @@ | ||
| ) | ||
| return JsonResponse( | ||
| { | ||
| "error": f"Error fetching data from external API: {str(e)}", | ||
| "error": "Error fetching data from external API", | ||
| "pid": pid, | ||
| }, | ||
| status=500, | ||
| @@ -109,7 +109,7 @@ | ||
| ) | ||
| return JsonResponse( | ||
| { | ||
| "error": f"Error fetching data from external API: {str(e)}", | ||
| "error": "Error fetching data from external API", | ||
| "pid": pid, | ||
| }, | ||
| status=500, | ||
| @@ -128,7 +128,7 @@ | ||
| ) | ||
| return JsonResponse( | ||
| { | ||
| "error": f"Unexpected error: {str(e)}", | ||
| "error": "An unexpected internal error occurred", | ||
| "pid": pid, | ||
| }, | ||
| status=500, |
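Review bot: the response side is fixed, but the `logger.error(...)` call just above this hunk (outside the shown context) still records only `str(e)`; now that the exception text no longer reaches the client, the server log is the only place the detail survives, so pass `exc_info=True` (or use `logger.exception(...)`) there so the traceback is kept for diagnosis. The third autofix below makes exactly that change.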
    {
        "error": f"Unexpected error: {str(e)}",
        "pid": pid,
    },
Check warning (Code scanning / CodeQL): Information exposure through an exception, severity Medium
Copilot Autofix (AI, 15 days ago)
In general, to fix information exposure via exceptions, you should avoid sending raw exception messages or stack traces to the client. Instead, log the detailed error on the server (with stack trace if needed) and return a generic, user-friendly error message that does not reveal internal implementation details.
For this specific code, the best fix is to modify the final `except Exception as e:` block so that:
- The log call can still include diagnostic detail (optionally using `exc_info=True` to capture a stack trace on the server).
- The `JsonResponse` returned to the client does not interpolate `str(e)` and instead uses a generic message such as `"An unexpected internal error occurred"` (or similar). The `pid` field can safely remain as it is derived from the request and already returned elsewhere.
Concretely:
- In `bcgov_arches_common/views/api/pmbc.py`, lines 125–135 (the final catch-all `except` block) should be updated.
- Keep the `logger.error` call but improve it (e.g., `exc_info=True`).
- Change the `"error"` field in the JSON to a generic string, removing `str(e)`.
No new imports are strictly required; we can reuse logging and JsonResponse already imported.
| @@ -124,11 +124,12 @@ | ||
|
|
||
| except Exception as e: | ||
| logger.error( | ||
| f"Unexpected error while fetching PMBC data for PID: {pid}: {str(e)}" | ||
| f"Unexpected error while fetching PMBC data for PID: {pid}: {str(e)}", | ||
| exc_info=True, | ||
| ) | ||
| return JsonResponse( | ||
| { | ||
| "error": f"Unexpected error: {str(e)}", | ||
| "error": "An unexpected internal error occurred while fetching PMBC data.", | ||
| "pid": pid, | ||
| }, | ||
| status=500, |
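Review bot: with `exc_info=True` added, the trailing `{str(e)}` in the f-string now duplicates the exception text that the attached traceback already carries; drop the interpolation and pass the PID as a logging argument, e.g. `logger.exception("Unexpected error while fetching PMBC data for PID %s", pid)`, so the message template stays constant and the exception is still recorded in full. The catch-all `except Exception` is acceptable as a last-resort handler only because the client-facing message is now fixed; any narrower failure that deserves its own status or message should be caught above it.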
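As an added example, not code from this PR or the bcgov-arches-common project, the following shows the before/after pattern that the three CodeQL findings above describe in one self-contained handler: the "before" view interpolates `str(e)` into the client response, the "after" view sends the message and traceback to the server log only and returns a fixed string plus the requested PID. Django's `JsonResponse` is replaced by a `(status, body)` tuple and urllib3's exception classes by two stand-in classes, both assumptions made so the example runs without either dependency; the transports and the parcel identifier are constructed.

```python
# Added example (not code from this PR or the bcgov-arches-common project):
# the before/after pattern behind the CodeQL "information exposure through an
# exception" findings, as a self-contained handler.  Django's JsonResponse is
# replaced by a (status, body) tuple and urllib3's exception classes by the
# stand-ins below so that the example runs without either dependency.
import io
import json
import logging

logger = logging.getLogger("pmbc_example")


class UpstreamHTTPError(Exception):
    """Stand-in for urllib3.exceptions.HTTPError (assumption, not the real class)."""


class UpstreamRequestError(Exception):
    """Stand-in for urllib3.exceptions.RequestError (assumption, not the real class)."""


def vulnerable_view(pid, transport):
    """'Before': str(e) is interpolated into the body returned to the client."""
    try:
        return 200, {"pid": pid, "data": transport(pid)}
    except UpstreamHTTPError as e:
        logger.error(f"Error fetching PMBC data for PID {pid}: {str(e)}")
        return 500, {"error": f"Error fetching data from external API: {str(e)}", "pid": pid}
    except Exception as e:
        logger.error(f"Unexpected error while fetching PMBC data for PID {pid}: {str(e)}")
        return 500, {"error": f"Unexpected error: {str(e)}", "pid": pid}


def hardened_view(pid, transport):
    """'After': message and traceback go to the server log only; the client
    receives a fixed message and the PID it asked about."""
    try:
        return 200, {"pid": pid, "data": transport(pid)}
    except UpstreamHTTPError:
        # logger.exception logs at ERROR level with exc_info=True, so the
        # traceback and the exception text land in the log, not the response.
        logger.exception("Error fetching PMBC data for PID %s", pid)
        return 500, {"error": "Error fetching data from external API", "pid": pid}
    except UpstreamRequestError:
        logger.exception("Request error while fetching PMBC data for PID %s", pid)
        return 500, {"error": "Request error while fetching data from external API", "pid": pid}
    except Exception:
        logger.exception("Unexpected error while fetching PMBC data for PID %s", pid)
        return 500, {"error": "An unexpected internal error occurred", "pid": pid}


def run_with_log_capture(view, pid, transport):
    """Call a view and return (status, body, text written to the server log)."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    logger.addHandler(handler)
    logger.setLevel(logging.ERROR)
    try:
        status, body = view(pid, transport)
    finally:
        logger.removeHandler(handler)
    return status, body, stream.getvalue()


def body_mentions(body, needle):
    """True if the serialized response body contains the given string."""
    return needle in json.dumps(body)


# Constructed transports that fail the way the real upstream call might.
def failing_http_transport(pid):
    # An upstream error message that carries an internal host name (constructed).
    raise UpstreamHTTPError("503 from https://internal-gateway.example/pmbc/parcels?pid=" + pid)


def broken_transport(pid):
    raise KeyError("parcel_geometry")  # a programming error reaching the catch-all


if __name__ == "__main__":
    pid = "012-345-678"  # constructed parcel identifier
    for view in (vulnerable_view, hardened_view):
        status, body, log = run_with_log_capture(view, pid, failing_http_transport)
        print(view.__name__, status, body)
        print("  host name in response:", body_mentions(body, "internal-gateway"))
        print("  host name in server log:", "internal-gateway" in log)
```

Running the module prints both views' responses for the same failing upstream call: the vulnerable body carries the internal host name from the exception text, the hardened body does not, while the captured server log for the hardened view still contains both the host name and a full traceback. The same split applies to the catch-all branch, where a `KeyError` from a programming bug reaches the log but only the generic message reaches the client.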
* Bump arches core version * Format release_prep.py
* Allow BCSC usernames in OAuth session control * Allow BCSC & IDIR self registration
* Make Guest default role, make loginSource check case-insensitive * Support BCeID users * Remove/change print statements to log statements
* Deal with REM sizing * Increase message sizes * Change labelled checkbox message sizes * Font fixups * Working through styling issues with integrated workflows * Fix prettier format
* zod update for URL validation * new project cards * Increase test coverage * Fix prettier format * Fix prettier format * Use built-in zod validation for URL nodes and deprecate the string version --------- Co-authored-by: brett <brett@qedsystems.ca>
* Fix URL label attribute name * Add ErrorMessage type
Release of arches common for:
Depending on the stability of Arches 8.1.x, released in March 2026, BCRHP & BCFMS should be migrated to 2.1.x.
This supersedes dev/2.0.x_merge_1.3.0