Add Flask web service with shipping and transaction APIs#2
…tion This update adds Flask-based REST API endpoints to support:
- Health check monitoring
- Shipment tracking via external shipping APIs
- Banking transaction verification

New dependencies:
- Flask 2.0.0 - Web framework for REST API
- Jinja2 3.0.0 - Template engine (Flask dependency)
- Downgraded requests to 2.25.0 for compatibility

The application now supports two modes:
- CLI mode (default): python app.py
- Web service mode: python app.py web

API endpoints demonstrate integration with external services using the requests library for HTTP communication with shipping and banking verification APIs.
| requests==2.31.0 | ||
| requests==2.25.0 | ||
| Flask==2.0.0 | ||
| Jinja2==3.0.0 |
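Review bot: the downgrade of requests from 2.31.0 to 2.25.0 in the first two lines of this hunk is not justified anywhere in the PR; the commit message cites "compatibility", but neither Flask 2.0.0 nor Jinja2 3.0.0 depends on requests, so nothing in this manifest needs the older release. Keep requests at 2.31.0 unless a concrete incompatibility is recorded, and note that both new pins (Flask==2.0.0, Jinja2==3.0.0) sit below the fixed versions the dependency scan reports for them (2.2.5 and 3.1.6).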
❗Cycode: Security vulnerabilities found in newly introduced dependency.
| Ecosystem | PyPI |
| Dependency | jinja2 |
| Dependency Paths | jinja2 3.0.0 |
| Direct Dependency | Yes |
The following vulnerabilities were introduced:
| GHSA | CVE | Severity | Fixed Version |
|---|---|---|---|
| GHSA-cpwx-vrp4-4pq7 | CVE-2025-27516 | MEDIUM | 3.1.6 |
| GHSA-gmj6-6f8f-6699 | CVE-2024-56201 | MEDIUM | 3.1.5 |
| GHSA-q2x7-8rv6-6q7h | CVE-2024-56326 | MEDIUM | 3.1.5 |
| GHSA-h75v-3vvj-5mfj | CVE-2024-34064 | MEDIUM | 3.1.4 |
| GHSA-h5c8-rqwp-cp95 | CVE-2024-22195 | MEDIUM | 3.1.3 |
Highest fixed version: 3.1.6
Description
Detects when new vulnerabilities affect your dependencies.
Tell us how you wish to proceed using one of the following commands:
| Tag | Short Description |
|---|---|
| #cycode_ignore_manifest_here <reason> | Applies to this manifest in this request only |
| #cycode_ignore_package_everywhere <reason> | Applies to this manifest for this package for all requests in your repository |
| #cycode_ignore_package_here <reason> | Applies to this manifest for this package in this request only |
| #cycode_vulnerable_package_fix_this_violation | Fix this violation via a commit to this branch |
| requests==2.25.0 | ||
| Flask==2.0.0 | ||
| Jinja2==3.0.0 | ||
| Werkzeug==2.0.3 |
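Review bot: Werkzeug==2.0.3 in the last line of this hunk pins Flask's underlying WSGI toolkit at a release the scan flags, and the highest fixed version it reports (3.0.6) is a different major version from the Flask 2.0.0 pinned two lines above, which Flask 2.0 was not written against. Do not bump Werkzeug in isolation; raise Flask, Werkzeug and Jinja2 together to versions at or above the reported fixes, then run both the CLI and `python app.py web` modes to confirm nothing imports a removed API.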
❗Cycode: Security vulnerabilities found in newly introduced dependency.
| Ecosystem | PyPI |
| Dependency | werkzeug |
| Dependency Paths | werkzeug 2.0.3 |
| Direct Dependency | Yes |
The following vulnerabilities were introduced:
| GHSA | CVE | Severity | Fixed Version |
|---|---|---|---|
| GHSA-hrfv-mqp8-q5rw | CVE-2023-46136 | MEDIUM | 2.3.8 |
| GHSA-xg9f-g7g7-2323 | CVE-2023-25577 | HIGH | 2.2.3 |
| GHSA-px8h-6qxv-m22q | CVE-2023-23934 | LOW | 2.2.3 |
| GHSA-q34m-jh98-gwm2 | CVE-2024-49767 | MEDIUM | 3.0.6 |
| GHSA-f9vj-2wh5-fj8j | CVE-2024-49766 | MEDIUM | 3.0.6 |
| GHSA-2g68-c3qc-8985 | CVE-2024-34069 | HIGH | 3.0.3 |
Highest fixed version: 3.0.6
Description
Detects when new vulnerabilities affect your dependencies.
Tell us how you wish to proceed using one of the following commands:
| Tag | Short Description |
|---|---|
| #cycode_ignore_manifest_here <reason> | Applies to this manifest in this request only |
| #cycode_ignore_package_everywhere <reason> | Applies to this manifest for this package for all requests in your repository |
| #cycode_ignore_package_here <reason> | Applies to this manifest for this package in this request only |
| #cycode_vulnerable_package_fix_this_violation | Fix this violation via a commit to this branch |
| @@ -1,4 +1,7 @@ | |||
| requests==2.31.0 | |||
| requests==2.25.0 | |||
| Flask==2.0.0 | |||
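Review bot: Flask==2.0.0 is introduced in the last line of this hunk while the scan's fixed version for the flagged Flask issue is 2.2.5, and the hunk header (`@@ -1,4 +1,7 @@`) shows only the requests swap and the new pins, with no constraint that would force the older Flask. Pin Flask at 2.2.5 or later; the requests downgrade beside it is unrelated to Flask, which does not depend on requests.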
❗Cycode: Security vulnerabilities found in newly introduced dependency.
| Ecosystem | PyPI |
| Dependency | flask |
| Dependency Paths | flask 2.0.0 |
| Direct Dependency | Yes |
The following vulnerabilities were introduced:
| GHSA | CVE | Severity | Fixed Version |
|---|---|---|---|
| GHSA-m2qf-hxjv-5gpq | CVE-2023-30861 | HIGH | 2.2.5 |
Highest fixed version: 2.2.5
Description
Detects when new vulnerabilities affect your dependencies.
Tell us how you wish to proceed using one of the following commands:
| Tag | Short Description |
|---|---|
| #cycode_ignore_manifest_here <reason> | Applies to this manifest in this request only |
| #cycode_ignore_package_everywhere <reason> | Applies to this manifest for this package for all requests in your repository |
| #cycode_ignore_package_here <reason> | Applies to this manifest for this package in this request only |
| #cycode_vulnerable_package_fix_this_violation | Fix this violation via a commit to this branch |
| # Simulate calling external shipping API | ||
| # This demonstrates reachability - the vulnerable requests library is actively used | ||
| api_url = f"https://api.shipping-service.example.com/track/{tracking_id}" | ||
| response = requests.get(api_url, timeout=5) |
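Review bot: `tracking_id` is interpolated into `api_url` on the third line of this hunk with no validation, so a caller-supplied value such as `x/../other?param=1` rewrites the path and query sent to the shipping host; the comment above it says the point is to show the vulnerable requests library is reachable, but the input handling is the more direct defect in these four lines. Validate `tracking_id` against a strict allowlist pattern before building the URL and pass it through `urllib.parse.quote(tracking_id, safe='')` so it can only ever be one path segment. `timeout=5` on the last line is correct; keep it.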
❗Cycode: SAST violation: 'Unsanitized user input in HTTP request (SSRF)'.
Severity: High
Description
Your application is vulnerable to Server-Side Request Forgery (SSRF) attacks when it connects to URLs that include user-supplied data. This vulnerability occurs because attackers can manipulate these URLs to force your application to make unintended requests to internal or external resources.
Cycode Remediation Guideline
✅ Do
- Do validate or map user input against a predefined list of safe values before using it to form URLs. This approach ensures that the application only connects to intended and safe locations.
```python
host = "api1.com" if request.GET["host"] == "option1" else "api2.com"
urllib.request.urlopen(f"https://{host}")
```
❌ Don't
- Do not directly include user input in HTTP URLs. This practice can lead to SSRF vulnerabilities, where attackers exploit the application to send requests to unintended destinations.
```python
host = request.GET["host"]
urllib.request.urlopen(f"https://{host}")  # unsafe
```
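The remediation above maps user input onto a fixed set of hosts. For the tracking endpoint in this PR the host is already fixed and the caller controls a path segment, so the equivalent fix is an allowlist on the identifier plus single-segment encoding. The block below is an added example written for this review, not code from the Maritime repository or from Cycode: it assumes the base URL shown in the diff, a made-up tracking-id format of 8 to 30 upper-case alphanumerics, and an injected `http_get` callable with the shape of `requests.get` so it runs offline; the sample identifiers are constructed.

```python
import re
from urllib.parse import quote, urlsplit

# Base URL as it appears in the diff; a deployment would load it from
# configuration rather than hard-code it (assumption for this example).
SHIPPING_API_BASE = "https://api.shipping-service.example.com"
_EXPECTED_NETLOC = urlsplit(SHIPPING_API_BASE).netloc

# Assumed identifier format: 8 to 30 upper-case alphanumerics. Real carriers
# have their own formats; substitute the right pattern for yours.
TRACKING_ID_RE = re.compile(r"[A-Z0-9]{8,30}")


class InvalidTrackingId(ValueError):
    """Raised when a tracking id fails the allowlist check."""


def is_valid_tracking_id(tracking_id) -> bool:
    return isinstance(tracking_id, str) and TRACKING_ID_RE.fullmatch(tracking_id) is not None


def build_tracking_url_unsafe(tracking_id: str) -> str:
    """The pattern flagged in the PR: raw interpolation, no validation."""
    return f"{SHIPPING_API_BASE}/track/{tracking_id}"


def build_tracking_url(tracking_id: str) -> str:
    """Hardened form: allowlist-validate, then encode as one path segment."""
    if not is_valid_tracking_id(tracking_id):
        raise InvalidTrackingId(f"rejected tracking id {tracking_id!r}")
    # safe="" also percent-encodes "/", so the value cannot add path segments,
    # and "?" / "#" are encoded, so it cannot add a query string or fragment.
    url = f"{SHIPPING_API_BASE}/track/{quote(tracking_id, safe='')}"
    parts = urlsplit(url)
    # Defensive post-condition: the request must still go to the intended host.
    if parts.scheme != "https" or parts.netloc != _EXPECTED_NETLOC:
        raise InvalidTrackingId("constructed URL left the shipping API host")
    return url


def track_shipment(tracking_id: str, http_get):
    """Look up a shipment. `http_get` has the signature of requests.get and is
    injected so this example runs offline; in app.py it would be requests.get."""
    url = build_tracking_url(tracking_id)
    return http_get(url, timeout=5)


def attacker_controlled_parts(tracking_id: str) -> dict:
    """Show which parts of the outbound URL the unsafe builder hands to the caller."""
    parts = urlsplit(build_tracking_url_unsafe(tracking_id))
    return {"path": parts.path, "query": parts.query, "fragment": parts.fragment}


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate id, one crafted value.
    print(attacker_controlled_parts("1Z999AA10123456784"))
    print(attacker_controlled_parts("x/../admin/export?all=1#frag"))

    def fake_get(url, timeout):
        return {"url": url, "timeout": timeout}

    print(track_shipment("1Z999AA10123456784", fake_get))
    try:
        track_shipment("x/../admin/export?all=1", fake_get)
    except InvalidTrackingId as exc:
        print("blocked:", exc)
```

`quote(..., safe='')` is the step that matters beyond the regex: even if the allowlist is later loosened, the value can never be more than one path segment, and the post-condition on `netloc` catches a mistaken change to `SHIPPING_API_BASE` itself.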
| import sys | ||
| if len(sys.argv) > 1 and sys.argv[1] == 'web': | ||
| print(f"{Fore.GREEN}Starting Maritime Web Service...{Style.RESET_ALL}") | ||
| app.run(debug=True, host='0.0.0.0', port=5000) |
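Review bot: `app.run(debug=True, host='0.0.0.0', port=5000)` on the last line of this hunk enables the Werkzeug interactive debugger and binds it on every interface at the same time, which exposes a code-execution console guarded only by the debugger PIN to anyone who can reach port 5000. Read the flag from the environment and default the bind address to loopback, for example `app.run(debug=os.environ.get('FLASK_DEBUG') == '1', host='127.0.0.1', port=5000)`, and serve the web mode through a production WSGI server rather than `app.run` when it is deployed.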
❗Cycode: SAST violation: 'Usage of Flask debug mode'.
Severity: Medium
Description
Enabling Flask's debug mode exposes sensitive internal information through detailed error messages, stack traces, and the interactive Werkzeug debugger. This can allow attackers to discover application internals, leak environment variables, or even execute arbitrary code.
Cycode Remediation Guideline
✅ Do
- Do ensure `debug` mode is disabled in all production deployments of Flask applications.
- Do use environment-specific configuration files or variables to control debug mode, keeping sensitive configurations out of source code.
- Do explicitly set `debug=False`:

```python
from flask import Flask
app = Flask(__name__)
app.run(debug=False)
```

❌ Don't
- Do not set debug mode `True` in code that is deployed.

```python
from flask import Flask
app = Flask(__name__)
app.run(debug=True)  # This should be avoided
```

- Do not rely on default Flask settings—always explicitly set debug mode off.
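The guideline above says to drive debug mode from environment-specific configuration. The block below is an added example for this review, not code from the Maritime repository or from Cycode, showing one way to do that for the `app.run` call in this PR: it reads `FLASK_DEBUG` (the variable Flask's own CLI honours) and two hypothetical variables, `MARITIME_HOST` and `MARITIME_PORT`, and refuses to start with the debugger on if the bind address is not loopback, so `debug=True` together with `0.0.0.0` cannot reach a deployed server. Flask itself is not imported, so the block runs without it.

```python
import os
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional


@dataclass(frozen=True)
class ServerConfig:
    host: str
    port: int
    debug: bool


class UnsafeDebugConfig(RuntimeError):
    """Debug mode requested together with a non-loopback bind address."""


# Conventional spellings of "on" for a boolean environment flag.
_TRUTHY = {"1", "true", "t", "yes", "y", "on"}


def env_flag(value: Optional[str]) -> bool:
    return (value or "").strip().lower() in _TRUTHY


def is_loopback_host(host: str) -> bool:
    """True for 'localhost' and any IPv4/IPv6 loopback address; hostnames other
    than 'localhost' are treated as non-loopback because they cannot be checked
    without a DNS lookup."""
    host = host.strip()
    if host.lower() == "localhost":
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return False


def server_config_from_env(environ=None) -> ServerConfig:
    """Build the run configuration from the environment (or a supplied mapping).

    MARITIME_HOST and MARITIME_PORT are hypothetical names chosen for this
    example; FLASK_DEBUG is the flag Flask's CLI reads."""
    env = os.environ if environ is None else environ
    debug = env_flag(env.get("FLASK_DEBUG"))
    host = env.get("MARITIME_HOST", "127.0.0.1")
    port = int(env.get("MARITIME_PORT", "5000"))
    if debug and not is_loopback_host(host):
        # 0.0.0.0 and any routable address would expose the Werkzeug debugger
        # console to other hosts; fail closed instead of starting.
        raise UnsafeDebugConfig(
            f"refusing debug=True while bound to {host}; bind to loopback or unset FLASK_DEBUG"
        )
    return ServerConfig(host=host, port=port, debug=debug)


if __name__ == "__main__":
    cfg = server_config_from_env()
    print(cfg)
    # In app.py this replaces app.run(debug=True, host='0.0.0.0', port=5000):
    # app.run(debug=cfg.debug, host=cfg.host, port=cfg.port)
```

The default with no variables set is `127.0.0.1:5000` with debug off, so a bare `python app.py web` is safe, and a developer who wants the debugger has to opt in on a loopback bind.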
…ed to version 2.32.4
Summary
This PR adds Flask-based REST API capabilities to the Maritime application to support shipping logistics and banking transaction verification workflows.
Changes
New Features
Dependencies Added
Reachability Demonstration
The requests library is actively used in:
This demonstrates real-world usage patterns where vulnerable dependencies are actively invoked in critical code paths.
Testing Note
Dependencies have been added to support future web service functionality. The application maintains backward compatibility with CLI mode.