4 changes: 2 additions & 2 deletions backend/api/projects/resources.py
Expand Up @@ -575,8 +575,8 @@ def setup_search_dto(request) -> ProjectSearchDTO:
if request.query_params.get("basedOnMyInterests") == "true":
search_dto.based_on_user_interests = authenticated_user_id

except Exception:
pass
except AttributeError as e:
logger.warning("Unable to read authenticated user details: {}", e)

mapping_types_str = request.query_params.get("mappingTypes")
if mapping_types_str:
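Review bot: Narrowing the handler to `AttributeError` on L31 means any other exception raised inside this `try` — whose start is above the hunk — now propagates out of `setup_search_dto` instead of being skipped, so the search endpoint fails where it previously fell back to a search without the user-interest filter; confirm that is the intended contract and, if so, say so in a one-line comment above the `except`. The brace placeholder in `logger.warning("Unable to read authenticated user details: {}", e)` is only interpolated by loguru; with stdlib `logging` the `{}` is left literal and the extra argument triggers a "--- Logging error ---" report on stderr, so check which logger this module imports. If it is stdlib, use `logger.warning("Unable to read authenticated user details: %s", e)`.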
5 changes: 3 additions & 2 deletions backend/api/system/general.py
Expand Up @@ -255,8 +255,9 @@ async def release(db: Database = Depends(get_db)):
description: Internal server error
"""
response = requests.get(
"https://api.github.com/repos/hotosm/tasking-manager/releases/latest"
)
"https://api.github.com/repos/hotosm/tasking-manager/releases/latest",
timeout=30,
).json()
try:
tag_name = response.json()["tag_name"]
published_date = response.json()["published_at"]
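Review bot: The `.json()` appended on L47 makes `response` a dict, but L49–L50 still call `response.json()`, which raises `AttributeError: 'dict' object has no attribute 'json'` on every request; unless the `except` below the hunk swallows it, the release endpoint is now broken. Either drop the trailing `.json()` and keep `response = requests.get(..., timeout=30)`, or index the dict directly with `tag_name = response["tag_name"]` and `published_date = response["published_at"]`. Whichever form you keep, call `response.raise_for_status()` before reading fields, as `set_country_info` does in this same PR, so a rate-limited or erroring GitHub reply surfaces as an HTTP error rather than a `KeyError` on `tag_name`. The enclosing `release` handler continues past the hunk.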
16 changes: 16 additions & 0 deletions backend/main.py
Expand Up @@ -40,6 +40,22 @@ async def lifespan(app):
docs_url="/api/docs",
)

@_app.middleware("http")
async def add_security_headers(request: Request, call_next):
response = await call_next(request)
# Prevents MIME-sniffing
response.headers["X-Content-Type-Options"] = "nosniff"
# Prevents Clickjacking by restricting framing
response.headers["X-Frame-Options"] = "SAMEORIGIN"
# Basic Content Security Policy
response.headers["Content-Security-Policy"] = (
"default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' "
"'unsafe-inline';"
)
# Obscures the specific server software version
response.headers["Server"] = "Tasking-Manager"
return response

# Initialize Sentry only if USE_SENTRY is enabled
if settings.USE_SENTRY:
sentry_sdk.init(
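Review bot: The CSP on L66–L69 grants `'unsafe-inline'` to `script-src`, which removes most of the XSS protection a CSP provides for any HTML this backend serves; if the only inline script is in FastAPI's generated docs page, allow it there with a nonce or hash rather than globally. The same policy will likely break `/api/docs` (L55), because the stock Swagger UI page loads its JS and CSS from a CDN that `default-src 'self'` blocks — verify the docs still render, and either serve those assets locally or skip the CSP for the docs paths. Overwriting `Server` on L71 only changes what this ASGI app emits; a reverse proxy in front may still add its own banner, so treat it as cosmetic rather than as hiding the stack. Add `Referrer-Policy: strict-origin-when-cross-origin` while you are here, and note in the comment that these headers cover backend responses only, since the React frontend is served separately and needs its own policy.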
2 changes: 1 addition & 1 deletion backend/models/postgis/project.py
Expand Up @@ -361,7 +361,7 @@ def set_country_info(self):
"Referer": os.environ.get("TM_APP_BASE_URL", "https://example.com"),
}
try:
response = requests.get(url, headers=headers)
response = requests.get(url, headers=headers, timeout=30)
response.raise_for_status()
country_info = response.json() # returns a dict
if country_info["address"].get("country") is not None:
2 changes: 1 addition & 1 deletion backend/services/mapping_service.py
@@ -1,5 +1,5 @@
import datetime
import xml.etree.ElementTree as ET
import defusedxml.ElementTree as ET

from databases import Database
from fastapi import BackgroundTasks
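Review bot: `defusedxml.ElementTree` only wraps the parsing entry points (`parse`, `iterparse`, `fromstring`, `XML`) and re-exports `tostring`; it does not expose `Element`, `SubElement` or `ElementTree`, so if this module builds XML trees with `ET.Element(...)`/`ET.SubElement(...)` below the hunk (its body is not shown) those calls now fail with `AttributeError` at runtime. The safe split is to keep the stdlib module for construction and take only the parsers from defusedxml: `import xml.etree.ElementTree as ET` plus `from defusedxml.ElementTree import fromstring as safe_fromstring, parse as safe_parse`, routing any untrusted input through the latter. The same caveat applies to every test module in this PR that received the identical import swap.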
6 changes: 5 additions & 1 deletion backend/services/project_search_service.py
Expand Up @@ -915,7 +915,11 @@ async def get_projects_geojson(
project.default_locale,
)
except Exception:
pass
logger.exception(
"Failed to load localized project info for project_id={}",
project.id,
)
continue

properties = {
"projectId": project.id,
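Review bot: Replacing the fallthrough with `continue` on L111 silently drops a project from the GeoJSON whenever its localized info fails to load, a visible contract change for API consumers compared with the old code, which still emitted the feature; if the old path referenced unset names and was itself broken, say so in a comment, otherwise consider emitting the feature with `None` for the localized fields instead of omitting it. `logger.exception` inside the loop writes a full traceback per failing project while the handler is still a broad `except Exception`, so a database outage mid-query produces one stack trace per remaining project; `logger.warning` with the exception message, or narrowing to the lookup's real failure type, keeps the log usable. The `{}` placeholder interpolates only under loguru; with stdlib `logging` it is left literal, so confirm which logger this module imports. The enclosing `try` starts above the hunk.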
2 changes: 2 additions & 0 deletions desktop.ini
@@ -0,0 +1,2 @@
[.ShellClassInfo]
LocalizedResourceName=@tasking-manager-develop,0
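Review bot: `desktop.ini` is a Windows Explorer folder-metadata file, not part of the project, and it appears to have been committed by accident alongside this change; delete it from the PR and add `desktop.ini` (and `Thumbs.db`) to `.gitignore` so it cannot recur. It is harmless to the application but it is noise in the repository root, and a stray `[.ShellClassInfo]` entry is a reason to double-check the rest of the diff for other artifacts from the same checkout.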
7 changes: 6 additions & 1 deletion frontend/src/components/header/signUp.js
Expand Up @@ -88,9 +88,14 @@
};

const checkFields = () => {
if (data.email.length > 254) {

setStep({ ...step, errMessage: <FormattedMessage {...messages.invalidEmail} /> });
return;
}

const re =
// eslint-disable-next-line no-useless-escape
/^(([^<>()\[\]\\.,;:\s@"]+(\.[^<>()\[\]\\.,;:\s@"]+)*)|(".+"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$/;
/^(?=.{1,254}$)(([^<>()\[\]\\.,;:\s@"]+(\.[^<>()\[\]\\.,;:\s@"]+)*)|(".+"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$/;

if (re.test(data.email) === false) {
setStep({ ...step, errMessage: <FormattedMessage {...messages.invalidEmail} /> });
return;
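Review bot: The explicit length guard on L127 and the `(?=.{1,254}$)` lookahead added to the regex on L155 enforce the same limit twice; keep one (the `if` is clearer and already returns the same `invalidEmail` message) and drop the other so the two cannot drift apart. `data.email.length` counts UTF-16 code units while the 254 figure is an octet limit, so a non-ASCII address can pass here and still be rejected server-side — this is UI validation only, and the authoritative check must live in the backend signup endpoint. The regex literal is re-evaluated on every call of `checkFields`; hoist it to a module-level `const EMAIL_RE = /.../;`, and reconsider the `(".+")` quoted-local-part branch, which accepts nearly any string before the `@`.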
3 changes: 3 additions & 0 deletions pyproject.toml
Expand Up @@ -76,3 +76,6 @@ version_scheme = "pep440"
version_provider = "pep621"
update_changelog_on_bump = true
major_version_zero = true

[tool.bandit]
exclude_dirs = ["tests"]
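Review bot: A `[tool.bandit]` table is only honoured when bandit is run with `-c pyproject.toml`; if CI or pre-commit invokes plain `bandit -r backend`, this exclusion is ignored, so verify the invocation is updated with this change. Add a one-line comment above the table stating why `tests` is excluded, so the exclusion is not silently widened later.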
1 change: 1 addition & 0 deletions requirements.txt
Expand Up @@ -2,6 +2,7 @@ alembic==1.11.1
APScheduler==3.10.1
bleach==6.0.0
cachetools==5.3.1
defusedxml
fastapi==0.108.0
GeoAlchemy2==0.14.3
geojson==3.1.0
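Review bot: `defusedxml` on L225 is the only unpinned entry in a file where every other dependency is pinned with `==`, so builds stop being reproducible and a future release could change parser behaviour without review; pin it to the version you tested against, e.g. `defusedxml==0.7.1`, keeping it in the file's alphabetical order.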
2 changes: 1 addition & 1 deletion tests/api/helpers/test_helpers.py
Expand Up @@ -3,7 +3,7 @@
import json
import logging
import os
import xml.etree.ElementTree as ET
import defusedxml.ElementTree as ET
from typing import Tuple

from backend.exceptions import NotFound
2 changes: 1 addition & 1 deletion tests/api/integration/api/tasks/test_resources.py
@@ -1,6 +1,6 @@
# tests/api/integration/test_tasks_queries_refactored.py
import base64
import xml.etree.ElementTree as ET
import defusedxml.ElementTree as ET

import pytest
from httpx import AsyncClient
2 changes: 1 addition & 1 deletion tests/api/integration/services/test_mapping_service.py
@@ -1,5 +1,5 @@
import datetime
import xml.etree.ElementTree as ET
import defusedxml.ElementTree as ET
from unittest.mock import patch

from backend.services.project_service import ProjectService
2 changes: 1 addition & 1 deletion tests/backend/helpers/test_helpers.py
@@ -1,7 +1,7 @@
import base64
import json
import os
import xml.etree.ElementTree as ET
import defusedxml.ElementTree as ET
from typing import Tuple

import geojson
3 changes: 2 additions & 1 deletion tests/backend/integration/api/system/test_general.py
Expand Up @@ -17,7 +17,8 @@ def test_post_banner(self):
url = "/api/v2/system/release/"
response = self.client.post(url)
release = requests.get(
"https://api.github.com/repos/hotosm/tasking-manager/releases/latest"
"https://api.github.com/repos/hotosm/tasking-manager/releases/latest",
timeout=30,
).json()
# Assert
self.assertEqual(response.status_code, 201)
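Review bot: This test performs a live `requests.get` to api.github.com on L280–L284 and compares it with what the application fetched, so it fails offline or when GitHub's unauthenticated rate limit is hit in CI, and the added `timeout=30` only bounds how long that failure takes. Patch `requests.get` — as `tests/backend/integration/services/test_mapping_service.py` already does with `unittest.mock.patch` — to return a fixed `{"tag_name": ..., "published_at": ...}` payload and assert against that instead. If the live call is kept deliberately, call `.raise_for_status()` on it so a 403 from GitHub produces a clear failure rather than a `KeyError` further down.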
2 changes: 1 addition & 1 deletion tests/backend/integration/api/tasks/test_resources.py
@@ -1,4 +1,4 @@
import xml.etree.ElementTree as ET
import defusedxml.ElementTree as ET

from backend.models.postgis.statuses import TaskStatus, UserRole
from backend.models.postgis.task import Task
2 changes: 1 addition & 1 deletion tests/backend/integration/services/test_mapping_service.py
@@ -1,5 +1,5 @@
import datetime
import xml.etree.ElementTree as ET
import defusedxml.ElementTree as ET
from unittest.mock import patch

from backend.models.postgis.task import TaskStatus