generative-ai-for-beginners/05-advanced-prompts/python/aoai-solution.py
Claude 2bdc61d4cd
feat: Add comprehensive security fixes, code quality improvements, and documentation
Security Fixes (HIGH Severity):
- Fix hardcoded SECRET_KEY in Flask app - now uses environment variable
- Add function validation to prevent arbitrary function execution in JS
- Add path traversal protection in certificate handling
- Fix unsafe JSON parsing with proper error handling

Security Fixes (MEDIUM Severity):
- Add environment variable validation with helpful error messages
- Add request timeouts and proper error handling for HTTP calls
- Fix file handle leaks using context managers
- Add input validation and sanitization for user inputs

Code Quality Improvements:
- Add ESLint configuration for JavaScript/TypeScript linting
- Add Prettier configuration for consistent code formatting
- Add pyproject.toml with Black, Ruff, mypy, and pytest configuration
- Create shared Python utilities module with:
  - env_utils.py: Environment variable handling
  - input_validation.py: Input validation and sanitization
  - api_utils.py: Safe API request wrappers

Documentation:
- Add SECURITY_GUIDELINES.md with best practices for AI applications
- Add ENHANCED_FEATURES_ROADMAP.md with improvement recommendations
  including new lesson topics, API modernization, and CI/CD enhancements

Files Modified:
- 05-advanced-prompts/{python,javascript}/*
- 06-text-generation-apps/{python,js-githubmodels}/*
- 07-building-chat-applications/js-githubmodels/*
- 08-building-search-applications/{js-githubmodels,scripts}/*
- 09-building-image-applications/python/*
- 11-integrating-with-function-calling/{js-githubmodels,typescript}/*
2026-01-21 10:00:28 +00:00

59 lines
2.4 KiB
Python

```python
# Here are some suggestions to improve the code:
# - Add input validation to prevent malicious input from being processed by the server. You can use a library like flask-wtf to validate user input and sanitize it before processing.
# - Use environment variables to store sensitive information such as database credentials, API keys, and other secrets. This will prevent the information from being hard-coded in the code and exposed in case of a security breach.
# - Implement error handling to provide meaningful error messages to the user in case of errors. You can use the @app.errorhandler() decorator to handle exceptions and return an error response.
import os

from flask import Flask, render_template_string
from flask_wtf import FlaskForm
from wtforms import StringField, SubmitField
from wtforms.validators import DataRequired, Length, Email  # Email() needs the email_validator package
from markupsafe import escape

app = Flask(__name__)

# SECURITY: Load secret key from environment variable instead of hardcoding.
# If FLASK_SECRET_KEY is unset, a random key is generated for this process only,
# so sessions and CSRF tokens are invalidated on restart and do not validate
# across multiple worker processes.
app.config['SECRET_KEY'] = os.environ.get('FLASK_SECRET_KEY', os.urandom(32))


class HelloForm(FlaskForm):
    name = StringField('Name', validators=[DataRequired(), Length(min=3)])
    email = StringField('Email', validators=[DataRequired(), Email()])
    submit = SubmitField('Submit')


# Form template with proper CSRF protection and escaping
FORM_TEMPLATE = '''
<!DOCTYPE html>
<html>
<head><title>Hello Form</title></head>
<body>
<form method="POST">
  {{ form.hidden_tag() }}
  <p>{{ form.name.label }} {{ form.name(size=32) }}
  {% for error in form.name.errors %}<span style="color: red;">[{{ error }}]</span>{% endfor %}</p>
  <p>{{ form.email.label }} {{ form.email(size=32) }}
  {% for error in form.email.errors %}<span style="color: red;">[{{ error }}]</span>{% endfor %}</p>
  <p>{{ form.submit() }}</p>
</form>
</body>
</html>
'''


@app.route('/', methods=['GET', 'POST'])
def hello():
    form = HelloForm()
    # validate_on_submit() runs the field validators and checks the CSRF token
    if form.validate_on_submit():
        # SECURITY: Use escape() to prevent XSS attacks
        safe_name = escape(form.name.data)
        safe_email = escape(form.email.data)
        return f'Hello, {safe_name} ({safe_email})!'
    # SECURITY: Use Flask's render_template_string for proper escaping
    return render_template_string(FORM_TEMPLATE, form=form)


@app.errorhandler(400)
def bad_request(error):
    # Return a generic message; do not echo request details back to the client
    return 'Bad request', 400


if __name__ == '__main__':
    app.run()
```
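
A stricter way to load the key that the `app.config['SECRET_KEY']` line above falls back on, as an added example that is not part of this repository: it refuses to start without `FLASK_SECRET_KEY` unless a development flag is set, and rejects short or placeholder values. `APP_ALLOW_EPHEMERAL_KEY`, the length and distinct-character thresholds, and the function names are assumptions made for the illustration.

```python
import os
import secrets

ENV_NAME = "FLASK_SECRET_KEY"         # variable name used by the file above
DEV_FLAG = "APP_ALLOW_EPHEMERAL_KEY"  # hypothetical opt-in for local development
MIN_LENGTH = 32                       # assumed minimum length, in characters
MIN_DISTINCT = 8                      # assumed heuristic against placeholder values


class SecretKeyError(RuntimeError):
    """The session/CSRF signing key is missing or unusable."""


def load_secret_key(environ=os.environ) -> bytes:
    """Return the signing key, failing closed instead of silently improvising one."""
    raw = environ.get(ENV_NAME, "")
    if not raw:
        if environ.get(DEV_FLAG) == "1":
            # Explicit opt-in only: this key changes on every start and differs
            # between worker processes, so sessions and CSRF tokens do not survive.
            return secrets.token_bytes(32)
        raise SecretKeyError(f"{ENV_NAME} is not set; generate a value with secrets.token_hex(32)")
    if len(raw) < MIN_LENGTH:
        raise SecretKeyError(f"{ENV_NAME} has {len(raw)} characters; need at least {MIN_LENGTH}")
    if len(set(raw)) < MIN_DISTINCT:
        raise SecretKeyError(f"{ENV_NAME} looks like a placeholder (too few distinct characters)")
    return raw.encode("utf-8")


def startup_report(environ) -> str:
    """One-line result suitable for a startup log; never includes the key itself."""
    try:
        key = load_secret_key(environ)
    except SecretKeyError as exc:
        return f"refused: {exc}"
    return f"ok: {len(key)}-byte key loaded"


if __name__ == "__main__":
    # Constructed environments; none of these values is a real key.
    samples = [
        {},
        {ENV_NAME: "changeme" * 4},
        {DEV_FLAG: "1"},
        {ENV_NAME: "0123456789abcdef" * 4},
    ]
    for env in samples:
        print(startup_report(env))
```

In the Flask file this would replace the `os.environ.get(..., os.urandom(32))` expression with `load_secret_key()`, so a missing key stops the deployment instead of producing a per-process key.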