nordabiz

maciejpi/nordabiz

Fork 0

Commit Graph

Author	SHA1	Message	Date
Maciej Pienczyn	e718d96a7d	fix(security): Resolve 1 HIGH and 7 MEDIUM vulnerabilities from code review Some checks are pending NordaBiz Tests / Unit & Integration Tests (push) Waiting to run Details NordaBiz Tests / E2E Tests (Playwright) (push) Blocked by required conditions Details NordaBiz Tests / Smoke Tests (Production) (push) Blocked by required conditions Details NordaBiz Tests / Send Failure Notification (push) Blocked by required conditions Details - HIGH: Fix SQL injection in ZOPK knowledge service (3 functions) — replace f-strings with parameterized queries - MEDIUM: Sanitize tsquery/LIKE input in SearchService to prevent injection - MEDIUM: Add @login_required + @role_required(ADMIN) to /health/full endpoint - MEDIUM: Add @role_required(ADMIN) to ZOPK knowledge search API - MEDIUM: Add bleach HTML sanitization on write for announcements, events, board proceedings (stored XSS via \|safe) - MEDIUM: Remove partial API key from Gemini service logs - MEDIUM: Remove @csrf.exempt from chat endpoints, add X-CSRFToken headers in JS - MEDIUM: Add missing CSRF tokens to 3 POST forms (data_request, benefits_form, benefits_list) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-06 05:25:18 +01:00
Maciej Pienczyn	66856a697d	refactor(phase1): Extract blueprints for reports, contacts, classifieds, calendar Phase 1 of app.py refactoring - reducing from ~14,455 to ~13,699 lines. New structure: - blueprints/reports/ - 4 routes (/raporty/) - blueprints/community/contacts/ - 6 routes (/kontakty/) - blueprints/community/classifieds/ - 4 routes (/tablica/) - blueprints/community/calendar/ - 3 routes (/kalendarz/) - utils/ - decorators, helpers, notifications, analytics - extensions.py - Flask extensions (csrf, login_manager, limiter) - config.py - environment configurations Updated templates with blueprint-prefixed url_for() calls. ⚠️ DO NOT DEPLOY before presentation on 2026-01-30 19:00 Tested on DEV: all endpoints working correctly. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2026-01-27 10:10:45 +01:00

Author

SHA1

Message

Date

Maciej Pienczyn

e718d96a7d

fix(security): Resolve 1 HIGH and 7 MEDIUM vulnerabilities from code review

NordaBiz Tests / Unit & Integration Tests (push) Waiting to run

Details

NordaBiz Tests / E2E Tests (Playwright) (push) Blocked by required conditions

Details

NordaBiz Tests / Smoke Tests (Production) (push) Blocked by required conditions

Details

NordaBiz Tests / Send Failure Notification (push) Blocked by required conditions

Details

- HIGH: Fix SQL injection in ZOPK knowledge service (3 functions) — replace f-strings with parameterized queries
- MEDIUM: Sanitize tsquery/LIKE input in SearchService to prevent injection
- MEDIUM: Add @login_required + @role_required(ADMIN) to /health/full endpoint
- MEDIUM: Add @role_required(ADMIN) to ZOPK knowledge search API
- MEDIUM: Add bleach HTML sanitization on write for announcements, events, board proceedings (stored XSS via |safe)
- MEDIUM: Remove partial API key from Gemini service logs
- MEDIUM: Remove @csrf.exempt from chat endpoints, add X-CSRFToken headers in JS
- MEDIUM: Add missing CSRF tokens to 3 POST forms (data_request, benefits_form, benefits_list)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

2026-02-06 05:25:18 +01:00

Maciej Pienczyn

66856a697d

refactor(phase1): Extract blueprints for reports, contacts, classifieds, calendar

Phase 1 of app.py refactoring - reducing from ~14,455 to ~13,699 lines.

New structure:
- blueprints/reports/ - 4 routes (/raporty/*)
- blueprints/community/contacts/ - 6 routes (/kontakty/*)
- blueprints/community/classifieds/ - 4 routes (/tablica/*)
- blueprints/community/calendar/ - 3 routes (/kalendarz/*)
- utils/ - decorators, helpers, notifications, analytics
- extensions.py - Flask extensions (csrf, login_manager, limiter)
- config.py - environment configurations

Updated templates with blueprint-prefixed url_for() calls.

⚠️ DO NOT DEPLOY before presentation on 2026-01-30 19:00

Tested on DEV: all endpoints working correctly.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

2026-01-27 10:10:45 +01:00

2 Commits