232 changes: 116 additions & 116 deletions app.py
@@ -1,116 +1,116 @@
import os

from flask import Flask
from flask_cors import CORS, cross_origin
from random import randrange
import simplejson as json
import boto3
from multiprocessing import Pool
from multiprocessing import cpu_count

app = Flask(__name__)

cors = CORS(app, resources={r"/api/*": {"Access-Control-Allow-Origin": "*"}})

cpustressfactor = os.getenv('CPUSTRESSFACTOR', 1)
memstressfactor = os.getenv('MEMSTRESSFACTOR', 1)
ddb_aws_region = os.getenv('DDB_AWS_REGION')
ddb_table_name = os.getenv('DDB_TABLE_NAME', "votingapp-restaurants")

ddb = boto3.resource('dynamodb', region_name=ddb_aws_region)
ddbtable = ddb.Table(ddb_table_name)

print("The cpustressfactor variable is set to: " + str(cpustressfactor))
print("The memstressfactor variable is set to: " + str(memstressfactor))
memeater=[]
memeater=[0 for i in range(10000)]

## https://gist.github.com/tott/3895832
def f(x):
for x in range(1000000 * int(cpustressfactor)):
x*x

def readvote(restaurant):
response = ddbtable.get_item(Key={'name': restaurant})
# this is required to convert decimal to integer
normilized_response = json.dumps(response)
json_response = json.loads(normilized_response)
votes = json_response["Item"]["restaurantcount"]
return str(votes)

def updatevote(restaurant, votes):
ddbtable.update_item(
Key={
'name': restaurant
},
UpdateExpression='SET restaurantcount = :value',
ExpressionAttributeValues={
':value': votes
},
ReturnValues='UPDATED_NEW'
)
return str(votes)

@app.route('/')
def home():
return "<h1>Welcome to the Voting App</h1><p><b>To vote, you can call the following APIs:</b></p><p>/api/outback</p><p>/api/bucadibeppo</p><p>/api/ihop</p><p>/api/chipotle</p><b>To query the votes, you can call the following APIs:</b><p>/api/getvotes</p><p>/api/getheavyvotes (this generates artificial CPU/memory load)</p>"

@app.route("/api/outback")
def outback():
string_votes = readvote("outback")
votes = int(string_votes)
votes += 1
string_new_votes = updatevote("outback", votes)
return string_new_votes

@app.route("/api/bucadibeppo")
def bucadibeppo():
string_votes = readvote("bucadibeppo")
votes = int(string_votes)
votes += 1
string_new_votes = updatevote("bucadibeppo", votes)
return string_new_votes

@app.route("/api/ihop")
def ihop():
string_votes = readvote("ihop")
votes = int(string_votes)
votes += 1
string_new_votes = updatevote("ihop", votes)
return string_new_votes

@app.route("/api/chipotle")
def chipotle():
string_votes = readvote("chipotle")
votes = int(string_votes)
votes += 1
string_new_votes = updatevote("chipotle", votes)
return string_new_votes

@app.route("/api/getvotes")
def getvotes():
string_outback = readvote("outback")
string_ihop = readvote("ihop")
string_bucadibeppo = readvote("bucadibeppo")
string_chipotle = readvote("chipotle")
string_votes = '[{"name": "outback", "value": ' + string_outback + '},' + '{"name": "bucadibeppo", "value": ' + string_bucadibeppo + '},' + '{"name": "ihop", "value": ' + string_ihop + '}, ' + '{"name": "chipotle", "value": ' + string_chipotle + '}]'
return string_votes

@app.route("/api/getheavyvotes")
def getheavyvotes():
string_outback = readvote("outback")
string_ihop = readvote("ihop")
string_bucadibeppo = readvote("bucadibeppo")
string_chipotle = readvote("chipotle")
string_votes = '[{"name": "outback", "value": ' + string_outback + '},' + '{"name": "bucadibeppo", "value": ' + string_bucadibeppo + '},' + '{"name": "ihop", "value": ' + string_ihop + '}, ' + '{"name": "chipotle", "value": ' + string_chipotle + '}]'
print("You invoked the getheavyvotes API. I am eating 100MB * " + str(memstressfactor) + " at every votes request")
memeater[randrange(10000)] = bytearray(1024 * 1024 * 100 * memstressfactor, encoding='utf8') # eats 100MB * memstressfactor
print("You invoked the getheavyvotes API. I am eating some cpu * " + str(cpustressfactor) + " at every votes request")
processes = cpu_count()
pool = Pool(processes)
pool.map(f, range(processes))
return string_votes

if __name__ == '__main__':
app.run(host=os.getenv('IP', '0.0.0.0'), port=int(os.getenv('PORT', 8080)))
app.debug =True
import os
from flask import Flask
from flask_cors import CORS, cross_origin
from random import randrange
import simplejson as json
import boto3
from multiprocessing import Pool
from multiprocessing import cpu_count
app = Flask(__name__)
cors = CORS(app, resources={r"/api/*": {"Access-Control-Allow-Origin": "*"}})
cpustressfactor = os.getenv('CPUSTRESSFACTOR', 1)
memstressfactor = os.getenv('MEMSTRESSFACTOR', 1)
ddb_aws_region = os.getenv('DDB_AWS_REGION')
ddb_table_name = os.getenv('DDB_TABLE_NAME', "votingapp-restaurants")
ddb = boto3.resource('dynamodb', region_name=ddb_aws_region)
ddbtable = ddb.Table(ddb_table_name)
print("The cpustressfactor variable is set to: " + str(cpustressfactor))
print("The memstressfactor variable is set to: " + str(memstressfactor))
memeater=[]
memeater=[0 for i in range(10000)]
## https://gist.github.com/tott/3895832
def f(x):
for x in range(1000000 * int(cpustressfactor)):
x*x
def readvote(restaurant):
response = ddbtable.get_item(Key={'name': restaurant})
Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.

Potential NoSQL Injection detected. Untrusted input is being used in a NoSQL database
operation without proper sanitization. NoSQL databases like MongoDB and DynamoDB are not
immune to injection attacks. User input should never be directly interpolated into query
objects or strings. Instead, use parameterized queries, proper sanitization techniques,
or type conversion specific to the NoSQL database you're using. For MongoDB, consider using
ObjectId() for IDs and validated operators. For DynamoDB, use boto3.dynamodb.conditions
classes for safe query construction. Learn more - https://cwe.mitre.org/data/definitions/943.html

Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.

Potential NoSQL Injection detected. Untrusted input is being used in a NoSQL database
operation without proper sanitization. NoSQL databases like MongoDB and DynamoDB are not
immune to injection attacks. User input should never be directly interpolated into query
objects or strings. Instead, use parameterized queries, proper sanitization techniques,
or type conversion specific to the NoSQL database you're using. For MongoDB, consider using
ObjectId() for IDs and validated operators. For DynamoDB, use boto3.dynamodb.conditions
classes for safe query construction. Learn more - https://cwe.mitre.org/data/definitions/943.html

# this is required to convert decimal to integer
normilized_response = json.dumps(response)
json_response = json.loads(normilized_response)
votes = json_response["Item"]["restaurantcount"]
return str(votes)
def updatevote(restaurant, votes):
ddbtable.update_item(
Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.

Potential NoSQL Injection detected. Untrusted input is being used in a NoSQL database
operation without proper sanitization. NoSQL databases like MongoDB and DynamoDB are not
immune to injection attacks. User input should never be directly interpolated into query
objects or strings. Instead, use parameterized queries, proper sanitization techniques,
or type conversion specific to the NoSQL database you're using. For MongoDB, consider using
ObjectId() for IDs and validated operators. For DynamoDB, use boto3.dynamodb.conditions
classes for safe query construction. Learn more - https://cwe.mitre.org/data/definitions/943.html

Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.

Potential NoSQL Injection detected. Untrusted input is being used in a NoSQL database
operation without proper sanitization. NoSQL databases like MongoDB and DynamoDB are not
immune to injection attacks. User input should never be directly interpolated into query
objects or strings. Instead, use parameterized queries, proper sanitization techniques,
or type conversion specific to the NoSQL database you're using. For MongoDB, consider using
ObjectId() for IDs and validated operators. For DynamoDB, use boto3.dynamodb.conditions
classes for safe query construction. Learn more - https://cwe.mitre.org/data/definitions/943.html

Key={
'name': restaurant
},
UpdateExpression='SET restaurantcount = :value',
ExpressionAttributeValues={
':value': votes
},
ReturnValues='UPDATED_NEW'
)
return str(votes)
@app.route('/')
def home():
return "<h1>Welcome to the Voting App</h1><p><b>To vote, you can call the following APIs:</b></p><p>/api/outback</p><p>/api/bucadibeppo</p><p>/api/ihop</p><p>/api/chipotle</p><b>To query the votes, you can call the following APIs:</b><p>/api/getvotes</p><p>/api/getheavyvotes (this generates artificial CPU/memory load)</p>"
@app.route("/api/outback")
def outback():
string_votes = readvote("outback")
votes = int(string_votes)
votes += 1
string_new_votes = updatevote("outback", votes)
return string_new_votes
@app.route("/api/bucadibeppo")
def bucadibeppo():
string_votes = readvote("bucadibeppo")
votes = int(string_votes)
votes += 1
string_new_votes = updatevote("bucadibeppo", votes)
return string_new_votes
@app.route("/api/ihop")
def ihop():
string_votes = readvote("ihop")
votes = int(string_votes)
votes += 1
string_new_votes = updatevote("ihop", votes)
return string_new_votes
@app.route("/api/chipotle")
def chipotle():
string_votes = readvote("chipotle")
votes = int(string_votes)
votes += 1
string_new_votes = updatevote("chipotle", votes)
return string_new_votes
@app.route("/api/getvotes")
def getvotes():
string_outback = readvote("outback")
string_ihop = readvote("ihop")
string_bucadibeppo = readvote("bucadibeppo")
string_chipotle = readvote("chipotle")
string_votes = '[{"name": "outback", "value": ' + string_outback + '},' + '{"name": "bucadibeppo", "value": ' + string_bucadibeppo + '},' + '{"name": "ihop", "value": ' + string_ihop + '}, ' + '{"name": "chipotle", "value": ' + string_chipotle + '}]'
return string_votes
@app.route("/api/getheavyvotes")
def getheavyvotes():
string_outback = readvote("outback")
string_ihop = readvote("ihop")
string_bucadibeppo = readvote("bucadibeppo")
string_chipotle = readvote("chipotle")
string_votes = '[{"name": "outback", "value": ' + string_outback + '},' + '{"name": "bucadibeppo", "value": ' + string_bucadibeppo + '},' + '{"name": "ihop", "value": ' + string_ihop + '}, ' + '{"name": "chipotle", "value": ' + string_chipotle + '}]'
print("You invoked the getheavyvotes API. I am eating 100MB * " + str(memstressfactor) + " at every votes request")
memeater[randrange(10000)] = bytearray(1024 * 1024 * 100 * memstressfactor, encoding='utf8') # eats 100MB * memstressfactor
print("You invoked the getheavyvotes API. I am eating some cpu * " + str(cpustressfactor) + " at every votes request")
processes = cpu_count()
pool = Pool(processes)
Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.

Problem
This line of code might contain a resource leak. Resource leaks can cause your system to slow down or crash.

Fix
Consider closing the following resource: pool. The resource is allocated by call multiprocessing.Pool. Execution paths that do not contain closure statements were detected. To prevent this resource leak, close pool in a try-finally block or declare it using a with statement.

More info
View details about the with statement in the Python developer's guide (external link).

Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.

Problem
This line of code might contain a resource leak. Resource leaks can cause your system to slow down or crash.

Fix
Consider closing the following resource: pool. The resource is allocated by call multiprocessing.Pool. Execution paths that do not contain closure statements were detected. To prevent this resource leak, close pool in a try-finally block or declare it using a with statement.

More info
View details about the with statement in the Python developer's guide (external link).

pool.map(f, range(processes))
return string_votes
if __name__ == '__main__':
app.run(host=os.getenv('IP', '0.0.0.0'), port=int(os.getenv('PORT', 8080)))
Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.

The rule flags the use of host 0.0.0.0 in application configuration, which exposes the server to all network interfaces, potentially including public networks. This configuration poses a security risk by making the application accessible to unauthorized users on the internet. To remediate this issue, bind your application to localhost 127.0.0.1 during development or use a specific, secure IP address in production environments with proper firewall rules and authentication mechanisms. Learn more

Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.

The rule flags the use of host 0.0.0.0 in application configuration, which exposes the server to all network interfaces, potentially including public networks. This configuration poses a security risk by making the application accessible to unauthorized users on the internet. To remediate this issue, bind your application to localhost 127.0.0.1 during development or use a specific, secure IP address in production environments with proper firewall rules and authentication mechanisms. Learn more

app.debug =True
Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.

Enabling an application's debug or test feature makes it easier for developers to find bugs, but it also gives attackers access to detailed information about both the system running the application and users. To make your code secure, do not enable the debug or test feature on production servers. For more information, see CWE-489.

Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.

Enabling an application's debug or test feature makes it easier for developers to find bugs, but it also gives attackers access to detailed information about both the system running the application and users. To make your code secure, do not enable the debug or test feature on production servers. For more information, see CWE-489.
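Review bot: The allocation in getheavyvotes, `memeater[randrange(10000)] = bytearray(1024 * 1024 * 100 * memstressfactor, encoding='utf8')`, is broken in both of its configurations: with the default `memstressfactor = 1` (an int) the `encoding=` keyword makes CPython raise `TypeError: encoding without a string argument`, and when `MEMSTRESSFACTOR` is set `os.getenv` returns a str, so the `*` is string repetition and the buffer size scales with the number of characters in the value rather than its numeric value. `cpustressfactor` is already coerced with `int()` inside f; the same should be done once at assignment for both, `memstressfactor = int(os.getenv('MEMSTRESSFACTOR', 1))`, with the allocation reduced to `bytearray(1024 * 1024 * 100 * memstressfactor)`. Separately, each vote route performs a read-modify-write through readvote followed by updatevote, so concurrent requests can lose increments; a single `update_item` with `UpdateExpression='ADD restaurantcount :inc'` would make the increment atomic. Since every line of the file is reported as both added and deleted, this commit appears to be a whitespace or line-ending rewrite rather than a logic change, so neither defect is something it introduces.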