42 changes: 37 additions & 5 deletions README.md
@@ -1,18 +1,22 @@
# Maritime Application

A simple Python hello world application for demonstration purposes.
A Python application for maritime shipping logistics and banking transaction verification.

## Features

- Colorful terminal output
- **CLI Mode**: Colorful terminal output with fun facts and timestamps
- **Web Service Mode**: Flask-based REST API for shipping tracking and transaction verification
- Fetches random fun facts from an API
- Displays current timestamp
- Demonstrates usage of external dependencies
- RESTful API endpoints for integration with banking systems

## Dependencies

This application uses the following Python packages:
- `requests` - For making HTTP requests
- `requests` - For making HTTP requests to external APIs
- `Flask` - Web framework for REST API endpoints
- `Jinja2` - Template engine (Flask dependency)
- `colorama` - For colored terminal output
- `python-dateutil` - For enhanced date/time handling

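Review bot: the Dependencies list is out of sync with requirements.txt in this same change. `Werkzeug==2.0.3` and `mcp>=1.0.0` are pinned there but do not appear here, while `Jinja2` is described as a "Flask dependency" without noting that Werkzeug is pinned as a direct dependency too. List every manifest entry with what it is used for, or drop the pins that have no consumer, so someone auditing this service can see the real footprint of the web stack from the README alone.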
@@ -31,12 +35,40 @@ pip install -r requirements.txt

## Usage

Run the application:
### CLI Mode (Default)
Run the application in CLI mode:
```bash
python app.py
```

### Web Service Mode
Run the application as a Flask web service:
```bash
python app.py web
```

The web service will start on `http://localhost:5000` with the following endpoints:

- **GET /health** - Health check endpoint
- **GET /api/shipping/track/<tracking_id>** - Track shipment by ID
- **POST /api/verify/transaction** - Verify banking transaction

### Example API Calls

```bash
# Health check
curl http://localhost:5000/health

# Track shipment
curl http://localhost:5000/api/shipping/track/ABC123

# Verify transaction
curl -X POST http://localhost:5000/api/verify/transaction \
-H "Content-Type: application/json" \
-d '{"transaction_id": "TXN-12345", "amount": 100.00}'
```

## Requirements

- Python 3.6 or higher
- Internet connection (for fetching fun facts)
- Internet connection (for fetching fun facts and external API calls)
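Review bot: the documented address is misleading: the README says the service "will start on `http://localhost:5000`", but app.py calls `app.run(debug=True, host='0.0.0.0', port=5000)`, so it listens on every interface with the Werkzeug debugger enabled. State the bind address and that this mode is for local development only, or change the code to bind 127.0.0.1. Two smaller gaps in the same hunk: the upstream hosts the endpoints call (`api.shipping-service.example.com`, `api.banking-verify.example.com`) are placeholders, so the `curl` examples for `/api/shipping/track/ABC123` and `/api/verify/transaction` return a 500 as written and the README should say so; and the transaction endpoint is documented as "Verify banking transaction" although the handler returns `'verified': True` without inspecting the upstream response.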
74 changes: 73 additions & 1 deletion app.py
@@ -2,15 +2,20 @@
"""
Maritime Demo Application
A simple hello world application with external dependencies
Now includes a Flask web service for shipping logistics
"""

import requests
from datetime import datetime
from colorama import Fore, Style, init
from flask import Flask, jsonify, request

# Initialize colorama
init()

# Initialize Flask app
app = Flask(__name__)

def main():
"""Main application entry point"""
# print(f"{Fore.CYAN}=" * 50)
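Review bot: `from flask import Flask, jsonify, request` and `app = Flask(__name__)` now execute on every import, so the CLI mode described in the README (`python app.py`) requires Flask, Werkzeug and Jinja2 to be installed even though it never serves HTTP, while the docstring still opens with "A simple hello world application". Either import Flask lazily inside the `web` branch of `__main__` or update the docstring and README to say the web stack is a hard dependency. Note also that `request` (Flask) and `requests` (the HTTP client) are now both in module scope one character apart; worth a comment or an alias to keep them from being confused in later edits.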
@@ -37,6 +42,73 @@

print(f"{Fore.LIGHTCYAN_EX}=" * 50)
print(f"{Fore.LIGHTCYAN_EX}=" * 50)

Check failure on line 45 in app.py (Cycode Security / Cycode: SAST, app.py#L45): Unsanitized user input in HTTP request (SSRF) found
@app.route('/health')
def health():
"""Health check endpoint for maritime services"""
return jsonify({
'status': 'healthy',
'service': 'maritime-logistics',
'timestamp': datetime.now().isoformat()
})

@app.route('/api/shipping/track/<tracking_id>')
def track_shipment(tracking_id):
"""
Track shipment by calling external shipping API
Uses requests library to communicate with third-party services
VULNERABLE: Uses requests 2.25.0 which has CVE-2024-47081
"""
try:
# Simulate calling external shipping API
# This demonstrates reachability - the vulnerable requests library is actively used
api_url = f"https://api.shipping-service.example.com/track/{tracking_id}"
response = requests.get(api_url, timeout=5)
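Review bot: `api_url = f"https://api.shipping-service.example.com/track/{tracking_id}"` splices the path parameter straight into the upstream URL. Flask's default `<tracking_id>` converter only excludes `/`, and the WSGI layer percent-decodes the path before routing, so a request for `/api/shipping/track/ABC123%3Fadmin%3D1` reaches this function as `ABC123?admin=1` and becomes an upstream query string; `%23` (`#`) likewise cuts the path short. Validate `tracking_id` against an allowlist pattern and answer 400 otherwise, and run it through `urllib.parse.quote(tracking_id, safe='')` as a second layer. The docstring also contradicts the manifest: it says "Uses requests 2.25.0 which has CVE-2024-47081", but requirements.txt in this same change pins `requests==2.32.4`; fix or remove the claim. Finally, `response` is never examined: add `response.raise_for_status()` so an upstream 4xx/5xx does not come back to the client as `'status': 'success'`.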
Cycode: SAST violation: 'Unsanitized user input in HTTP request (SSRF)'.

Severity: High

Description

Your application is vulnerable to Server-Side Request Forgery (SSRF) attacks when it connects to URLs that include user-supplied data. This vulnerability occurs because attackers can manipulate these URLs to force your application to make unintended requests to internal or external resources.

Cycode Remediation Guideline

✅ Do

- Do validate or map user input against a predefined list of safe values before using it to form URLs. This approach ensures that the application only connects to intended and safe locations.

```python
host = "api1.com" if request.GET["host"] == "option1" else "api2.com"

urllib.request.urlopen(f"https://{host}")
```

❌ Don't

- Do not directly include user input in HTTP URLs. This practice can lead to SSRF vulnerabilities, where attackers exploit the application to send requests to unintended destinations.

```python
host = request.GET["host"]

urllib.request.urlopen(f"https://{host}")  # unsafe
```

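The remediation guideline above maps user input onto a fixed set of hosts. In this PR the user-controlled value is a path segment rather than a host, so the equivalent fix is an allowlist pattern for the tracking ID plus percent-encoding of the segment. The block below is an added example, not code from this repository or from Cycode. It reuses the upstream base URL from app.py, assumes a hypothetical ID format (1 to 32 characters from `A-Z`, `0-9` and `-`, since the repository defines none), and takes `fetch` as an injected stand-in for `requests.get(...)` so that it runs offline. It shows the flagged pattern next to a framework-free hardened version of the tracking handler that also stops echoing exception text to the client.

```python
import re
from urllib.parse import quote, urlsplit

# Upstream base URL as used in app.py on this page.
SHIPPING_API_BASE = "https://api.shipping-service.example.com/track/"

# Assumed tracking-ID format (the repository does not define one):
# 1-32 characters from A-Z, 0-9 and '-'. Anything else is rejected.
TRACKING_ID_RE = re.compile(r"[A-Z0-9-]{1,32}")


def unsafe_tracking_url(tracking_id: str) -> str:
    """The pattern the scanner flagged: raw path parameter spliced into the URL."""
    return f"{SHIPPING_API_BASE}{tracking_id}"


def safe_tracking_url(tracking_id: str) -> str:
    """Allowlist first, then percent-encode everything so no character can
    change the upstream path, query or fragment even if the pattern is relaxed later."""
    if not TRACKING_ID_RE.fullmatch(tracking_id):
        raise ValueError("tracking_id must be 1-32 characters from A-Z, 0-9 and '-'")
    return SHIPPING_API_BASE + quote(tracking_id, safe="")


def upstream_view(url: str) -> tuple:
    """(host, path, query) as the upstream server would see the request.
    Used here to show what a crafted tracking ID does to the outbound call."""
    parts = urlsplit(url)
    return parts.netloc, parts.path, parts.query


def track_shipment_handler(tracking_id: str, fetch) -> tuple:
    """Framework-free equivalent of the /api/shipping/track/<tracking_id> route.

    Returns (http_status, body). `fetch(url)` stands in for
    `requests.get(url, timeout=5).raise_for_status()` and is injected so the
    example runs without network access.
    """
    try:
        url = safe_tracking_url(tracking_id)
    except ValueError as exc:
        # Our own validation message, safe to return to the client.
        return 400, {"status": "error", "message": str(exc)}
    try:
        fetch(url)
    except Exception:
        # Do not echo str(exc): it carries the upstream URL and driver error text.
        # Log it server-side instead and return a fixed message.
        return 502, {"tracking_id": tracking_id, "status": "error",
                     "message": "upstream tracking service unavailable"}
    return 200, {"tracking_id": tracking_id, "status": "success",
                 "message": "Shipment tracking data retrieved"}


def failing_fetch(url: str) -> None:
    """Stand-in upstream call that fails the way a DNS/connection error would."""
    raise ConnectionError(f"Failed to resolve host for {url}")


if __name__ == "__main__":
    # Flask's <tracking_id> converter only excludes '/', and the WSGI layer
    # percent-decodes the path, so /track/ABC123%3Fadmin%3D1 arrives as this:
    crafted = "ABC123?admin=1"
    print("unsafe:", upstream_view(unsafe_tracking_url(crafted)))
    print("hardened:", track_shipment_handler(crafted, fetch=lambda url: None))
    print("valid id:", track_shipment_handler("ABC-123", fetch=lambda url: None))
    print("upstream down:", track_shipment_handler("ABC-123", fetch=failing_fetch))
```

The allowlist does the real work; `quote(..., safe="")` is there so that loosening the pattern later (say, to allow `.` or `_`) cannot reintroduce query or fragment injection. Returning 400 for a rejected ID and a fixed 502 message for upstream failures keeps the internal hostname and connection errors out of the response body, which the `str(e)` handlers in this PR currently leak.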
return jsonify({
'tracking_id': tracking_id,
'status': 'success',
'message': 'Shipment tracking data retrieved'
})
except Exception as e:
return jsonify({
'tracking_id': tracking_id,
'status': 'error',
'message': str(e)
}), 500

@app.route('/api/verify/transaction', methods=['POST'])
def verify_transaction():
"""
Verify banking transaction by calling external verification service
VULNERABLE: Uses requests library with CVE-2024-47081
This is a critical path for financial transactions
"""
try:
data = request.get_json()
transaction_id = data.get('transaction_id')

# Call external banking verification API
# This uses the vulnerable requests library - demonstrating reachability

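Review bot: both `except Exception as e:` branches return `str(e)` to the caller with a 500. For a `requests` failure that string includes the full upstream URL and the connection or timeout error text, so a client learns the internal hostnames and timeout settings of the tracking and banking services. Log the exception server-side and return a fixed message. In `verify_transaction`, with the Flask 2.0.0 pinned in this change `request.get_json()` returns `None` when the body is not sent as JSON, so `data.get('transaction_id')` raises `AttributeError` and the client receives a 500 carrying a Python error message instead of a 400; check that `data` is a dict containing the expected keys before using it. The docstring again states "Uses requests library with CVE-2024-47081", which does not match `requests==2.32.4` in requirements.txt.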
Check failure on line 92 in app.py (Cycode Security / Cycode: SAST, app.py#L92): Usage of Flask debug mode found
verification_url = "https://api.banking-verify.example.com/verify"
response = requests.post(verification_url, json=data, timeout=10)

return jsonify({
'transaction_id': transaction_id,
'verified': True,
'timestamp': datetime.now().isoformat()
})
except Exception as e:
return jsonify({
'error': str(e),
'verified': False
}), 500

if __name__ == "__main__":
main()
# Can run as CLI app or web service
import sys
if len(sys.argv) > 1 and sys.argv[1] == 'web':
print(f"{Fore.GREEN}Starting Maritime Web Service...{Style.RESET_ALL}")
app.run(debug=True, host='0.0.0.0', port=5000)
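Review bot: the verification result is hard-coded. `'verified': True` is returned whenever `requests.post(...)` does not raise, so an upstream 4xx/5xx, or a body that says the transaction failed, is still reported as verified on what the docstring calls "a critical path for financial transactions". Call `response.raise_for_status()` and derive `verified` from the parsed upstream response. Also, `json=data` forwards the client's entire JSON body unvalidated to the banking API; build the outbound payload from the fields you expect (`transaction_id`, `amount`) rather than relaying whatever was posted. Lastly, `app.run(debug=True, host='0.0.0.0', port=5000)` exposes the Werkzeug interactive debugger on all interfaces; read the debug flag from the environment and bind 127.0.0.1 unless a deployment explicitly needs otherwise.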
Cycode: SAST violation: 'Usage of Flask debug mode'.

Severity: Medium

Description

Enabling Flask's debug mode exposes sensitive internal information through detailed error messages, stack traces, and the interactive Werkzeug debugger. This can allow attackers to discover application internals, leak environment variables, or even execute arbitrary code.

Cycode Remediation Guideline

✅ Do

- Do ensure debug mode is disabled in all production deployments of Flask applications.
- Do use environment-specific configuration files or variables to control debug mode, keeping sensitive configurations out of source code.
- Do explicitly set `debug=False`:

```python
from flask import Flask
app = Flask(__name__)
app.run(debug=False)
```

❌ Don't

- Do not set debug mode True in code that is deployed.

```python
from flask import Flask
app = Flask(__name__)
app.run(debug=True)  # This should be avoided
```

- Do not rely on default Flask settings—always explicitly set debug mode off.

else:
main()
5 changes: 4 additions & 1 deletion requirements.txt
@@ -1,4 +1,7 @@
requests==2.31.0
requests==2.32.4
Flask==2.0.0
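Review bot: `requests==2.32.4` is the right move (2.32.4 is the release that addresses the CVE-2024-47081 the app.py docstrings keep citing), but the three new pins `Flask==2.0.0`, `Jinja2==3.0.0` and `Werkzeug==2.0.3` each land on a version the dependency scan below flags, and they have to move together: Flask declares a minimum Werkzeug and Jinja2 for each release, so bumping only one of them produces an unresolvable or broken install. Choose one Flask release line, take its declared minimums for Werkzeug and Jinja2, and pin all three at or above the scanner's "highest fixed version" for each package.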

Check failure on line 2 in requirements.txt (Cycode Security / Cycode: Vulnerable Dependencies, requirements.txt#L2): Vulnerability found in dependency

Cycode: Security vulnerabilities found in newly introduced dependency.

| Ecosystem | Dependency | Dependency Paths | Direct Dependency |
|---|---|---|---|
| PyPI | flask | flask 2.0.0 | Yes |

The following vulnerabilities were introduced:

| GHSA | CVE | Severity | Fixed Version |
|---|---|---|---|
| GHSA-m2qf-hxjv-5gpq | CVE-2023-30861 | HIGH | 2.2.5 |

Highest fixed version: 2.2.5

Description

Detects when new vulnerabilities affect your dependencies.

Tell us how you wish to proceed using one of the following commands:

| Tag | Short Description |
|---|---|
| `#cycode_ignore_manifest_here <reason>` | Applies to this manifest in this request only |
| `#cycode_ignore_package_everywhere <reason>` | Applies to this manifest for this package for all requests in your repository |
| `#cycode_ignore_package_here <reason>` | Applies to this manifest for this package in this request only |
| `#cycode_vulnerable_package_fix_this_violation` | Fix this violation via a commit to this branch |

⚠️ When commenting on Github, you may need to refresh the page to see the latest updates.

Jinja2==3.0.0

Check failure on line 3 in requirements.txt (Cycode Security / Cycode: Vulnerable Dependencies, requirements.txt#L3): Vulnerability found in dependency

Cycode: Security vulnerabilities found in newly introduced dependency.

| Ecosystem | Dependency | Dependency Paths | Direct Dependency |
|---|---|---|---|
| PyPI | jinja2 | jinja2 3.0.0 | Yes |

The following vulnerabilities were introduced:

| GHSA | CVE | Severity | Fixed Version |
|---|---|---|---|
| GHSA-cpwx-vrp4-4pq7 | CVE-2025-27516 | MEDIUM | 3.1.6 |
| GHSA-gmj6-6f8f-6699 | CVE-2024-56201 | MEDIUM | 3.1.5 |
| GHSA-q2x7-8rv6-6q7h | CVE-2024-56326 | MEDIUM | 3.1.5 |
| GHSA-h75v-3vvj-5mfj | CVE-2024-34064 | MEDIUM | 3.1.4 |
| GHSA-h5c8-rqwp-cp95 | CVE-2024-22195 | MEDIUM | 3.1.3 |

Highest fixed version: 3.1.6

Description

Detects when new vulnerabilities affect your dependencies.

Werkzeug==2.0.3

Check failure on line 4 in requirements.txt (Cycode Security / Cycode: Vulnerable Dependencies, requirements.txt#L4): Vulnerability found in dependency

Cycode: Security vulnerabilities found in newly introduced dependency.

| Ecosystem | Dependency | Dependency Paths | Direct Dependency |
|---|---|---|---|
| PyPI | werkzeug | werkzeug 2.0.3 | Yes |

The following vulnerabilities were introduced:

| GHSA | CVE | Severity | Fixed Version |
|---|---|---|---|
| GHSA-hrfv-mqp8-q5rw | CVE-2023-46136 | MEDIUM | 2.3.8 |
| GHSA-xg9f-g7g7-2323 | CVE-2023-25577 | HIGH | 2.2.3 |
| GHSA-px8h-6qxv-m22q | CVE-2023-23934 | LOW | 2.2.3 |
| GHSA-q34m-jh98-gwm2 | CVE-2024-49767 | MEDIUM | 3.0.6 |
| GHSA-f9vj-2wh5-fj8j | CVE-2024-49766 | MEDIUM | 3.0.6 |
| GHSA-2g68-c3qc-8985 | CVE-2024-34069 | HIGH | 3.0.3 |

Highest fixed version: 3.0.6

Description

Detects when new vulnerabilities affect your dependencies.


colorama==0.4.6
python-dateutil==2.8.2
mcp>=1.0.0
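Review bot: `mcp>=1.0.0` is the only unpinned entry in this manifest and nothing in the app.py changes shown here imports it, so it adds an open-ended floating dependency, plus its transitive tree, with no consumer and no mention in the README. Remove it, or if it is needed by something outside this change, pin it exactly like the other entries and document what it is for.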