Fixing security issues

fact-bounty-client/package.json

@@ -3,31 +3,31 @@
   "version": "0.1.0",
   "private": true,
   "dependencies": {
-    "@material-ui/core": "^3.9.0",
+    "@material-ui/core": "^3.9.4",
     "@material-ui/icons": "^3.0.2",
-    "axios": "^0.19.0",
-    "bootstrap": "^4.3.1",
-    "classnames": "^2.2.6",
+    "axios": "^0.22.0",
+    "bootstrap": "^4.6.0",
+    "classnames": "^2.3.1",
     "font-awesome": "^4.7.0",
     "is-empty": "^1.2.0",
     "jwt-decode": "^2.2.0",
-    "moment": "^2.24.0",
+    "moment": "^2.29.1",
     "node-sass": "^4.12.0",
-    "prettier": "^1.16.4",
-    "react": "^16.7.0",
-    "react-dom": "^16.7.0",
+    "prettier": "^1.19.1",
+    "react": "^16.14.0",
+    "react-dom": "^16.14.0",
     "react-facebook-login": "^4.1.1",
-    "react-google-login": "^5.0.2",
-    "react-icons": "^3.5.0",
+    "react-google-login": "^5.2.2",
+    "react-icons": "^3.11.0",
     "react-infinite-scroller": "^1.2.4",
-    "react-lines-ellipsis": "^0.14.0",
+    "react-lines-ellipsis": "^0.14.1",
     "react-redux": "^6.0.0",
     "react-router-dom": "^4.3.1",
     "react-scripts": "^2.1.8",
-    "react-swipeable-views": "^0.13.3",
+    "react-swipeable-views": "^0.13.9",
     "recompose": "^0.30.0",
-    "redux": "^4.0.1",
-    "redux-form": "^8.1.0",
+    "redux": "^4.1.1",
+    "redux-form": "^8.3.7",
     "redux-thunk": "^2.3.0",
     "typeface-roboto": "0.0.54"
   },
@@ -49,10 +49,10 @@
   ],
   "devDependencies": {
     "babel-eslint": "9.0.0",
-    "eslint-config-prettier": "^4.1.0",
-    "eslint-plugin-prettier": "^3.0.1",
+    "eslint-config-prettier": "^4.3.0",
+    "eslint-plugin-prettier": "^3.4.1",
     "husky": "^1.3.1",
-    "lint-staged": "^8.1.5"
+    "lint-staged": "^8.2.1"
   },
   "husky": {
     "hooks": {

fact-bounty-client/src/components/ContactUsForm/ContactUsForm.jsx

@@ -63,6 +63,10 @@ class ContactUsForm extends Component {
           />
           <input
             type="number"
+            step="1"
+            min="100000000"
+            minLength="9"
+            maxLength="13"
             name="phone"
             value={phone}
             placeholder="Phone Number"

fact-bounty-flask/.pyre_configuration

@@ -0,0 +1,9 @@
+{
+  "source_directories": [
+    {
+      "import_root": ".",
+      "source": "api"
+    }
+  ],
+  "taint_models_path": "/home/sampath/mis/fact-bounty/env/pysa/lib"
+}

fact-bounty-flask/api/admin/controller.py

@@ -1,14 +1,17 @@
+from __future__ import annotations
 import psutil
 import os
 import time
 from flask import make_response, jsonify
 from flask.views import MethodView
+from flask.wrappers import Response
+from typing import Tuple
 
 PERIOD = 1  # 1 sec
 
 
 class SystemPanel(MethodView):
-    def get(self):
+    def get(self) -> Tuple[Response, int]:
 
         io_data_start = psutil.net_io_counters()
 

fact-bounty-flask/api/app.py

@@ -1,3 +1,4 @@
+from __future__ import annotations
 import os
 
 from flask import Flask
@@ -12,9 +13,11 @@
 from api import admin, user, stories, crawler, util
 from api.config import config
 from api.extensions import db, mail, pagedown, login_manager, migrate, jwt
+from flask.app import Flask
+from typing import Optional
 
 
-def create_app(config_name):
+def create_app(config_name: str) -> Optional[Flask]:
     try:
         # create and configure the app
         app = Flask(
@@ -39,7 +42,7 @@ def create_tables():
         print("Error occured:", err)
 
 
-def register_extensions(app):
+def register_extensions(app) -> None:
     """Register Flask extensions"""
     CORS(app)
     db.init_app(app)
@@ -65,7 +68,7 @@ def register_extensions(app):
     jwt.init_app(app)
 
 
-def register_blueprint(app):
+def register_blueprint(app) -> None:
     """Register Flask blueprints."""
     app.register_blueprint(user.views.userprint, url_prefix="/api/users")
     app.register_blueprint(stories.views.storyprint, url_prefix="/api/stories")
@@ -75,7 +78,7 @@ def register_blueprint(app):
     return None
 
 
-def register_commands(app):
+def register_commands(app) -> None:
     """Register Click commands."""
     app.cli.add_command(commands.test)
     app.cli.add_command(commands.lint)
@@ -85,7 +88,7 @@ def register_commands(app):
     app.cli.add_command(commands.create_admin)
 
 
-def register_shellcontext(app):
+def register_shellcontext(app) -> None:
     """Register shell context objects."""
 
     def shell_context():

fact-bounty-flask/api/commands.py

@@ -1,5 +1,8 @@
 # -*- coding: utf-8 -*-
 """Click commands."""
+from __future__ import annotations
+from typing import Dict, Optional
+
 import os
 from glob import glob
 from subprocess import call
@@ -28,7 +31,7 @@
 """
 
 
-def check(email):
+def check(email) -> bool:
     """
     pass the regualar expression
     and the string in search() method
@@ -46,7 +49,7 @@ def check(email):
     default=False,
     help="Run tests under code coverage.",
 )
-def test(coverage):
+def test(coverage) -> Optional[int]:
     """Run the unit tests."""
     if coverage and not os.environ.get("FLASK_COVERAGE"):
         import subprocess
@@ -83,7 +86,7 @@ def test(coverage):
     is_flag=True,
     help="Fix imports using isort, before linting",
 )
-def lint(fix_imports):
+def lint(fix_imports) -> None:
     """Lint and check code style with flake8 and isort."""
     skip = ["requirements", "venv", "migrations", "__pycache__"]
     root_files = glob("*.py")
@@ -108,7 +111,7 @@ def execute_tool(description, *args):
 
 
 @click.command()
-def clean():
+def clean() -> None:
     """Remove *.pyc and *.pyo files recursively starting at current directory.
 
     Borrowed from Flask-Script, converted to use Click.
@@ -131,7 +134,7 @@ def clean():
     help="Property on Rule to order by (default: rule)",
 )
 @with_appcontext
-def urls(url, order):
+def urls(url, order) -> None:
     """Display all of the url matching routes for the project.
 
     Borrowed from Flask-Script, converted to use Click.
@@ -191,7 +194,7 @@ def urls(url, order):
 
 
 @click.command()
-def deploy():
+def deploy() -> None:
     """
     migrate database to latest revision
     """
@@ -200,7 +203,7 @@ def deploy():
 
 @click.command(name="create_admin")
 @with_appcontext
-def create_admin():
+def create_admin() -> Optional[Dict[str, str]]:
     """
     create an admin user
     """

fact-bounty-flask/api/config.py

@@ -1,4 +1,5 @@
 import os
+from __future__ import annotations
 
 basedir = os.path.abspath(os.path.dirname(__file__))
 
@@ -39,7 +40,7 @@ class Config:
     }
 
     @staticmethod
-    def init_app(app):
+    def init_app(app) -> None:
         pass
 
 
@@ -70,7 +71,7 @@ class ProductionConfig(Config):
     ES_PASSWORD = os.environ.get("ELASTIC_SEARCH_PASSWORD")
 
     @classmethod
-    def init_app(cls, app):
+    def init_app(cls, app) -> None:
         Config.init_app(app)
 
         # email errors to the administrators
@@ -97,7 +98,7 @@ def init_app(cls, app):
 
 class DockerConfig(Config):
     @classmethod
-    def init_app(cls, app):
+    def init_app(cls, app) -> None:
         ProductionConfig.init_app(app)
 
         # log to stderr

fact-bounty-flask/api/crawler/controller.py

@@ -1,12 +1,15 @@
+from __future__ import annotations
 from flask.views import MethodView
 from flask import make_response, request, jsonify, current_app
 import dateutil.parser as dparser
 from datetime import datetime
 from .utils import cron_crawlers
+from flask.wrappers import Response
+from typing import Tuple
 
 
 class SetCronJob(MethodView):
-    def get(self):
+    def get(self) -> Tuple[Response, int]:
         try:
             jobs = []
             for job in current_app.scheduler.get_jobs():
@@ -29,7 +32,7 @@ def get(self):
             }
             return make_response(jsonify(response)), 404
 
-    def post(self):
+    def post(self) -> Tuple[Response, int]:
         try:
             data = request.get_json(silent=True)
 
@@ -51,7 +54,7 @@ def post(self):
             }
             return make_response(jsonify(response)), 404
 
-    def put(self):
+    def put(self) -> Tuple[Response, int]:
         try:
             data = request.get_json(silent=True)
 
@@ -74,7 +77,7 @@ def put(self):
             }
             return make_response(jsonify(response)), 404
 
-    def delete(self):
+    def delete(self) -> Tuple[Response, int]:
         try:
             data = request.get_json(silent=True)
 
@@ -95,7 +98,7 @@ def delete(self):
 
 
 class CrawlByDate(MethodView):
-    def get(self):
+    def get(self) -> Tuple[Response, int]:
         scrapyd = current_app.scrapy
         try:
             data = request.get_json(silent=True)

fact-bounty-flask/api/extensions.py

@@ -1,3 +1,4 @@
+from __future__ import annotations
 from flask_jwt_extended import JWTManager
 from flask_login import LoginManager
 from flask_migrate import Migrate
@@ -6,6 +7,8 @@
 from flask_sqlalchemy import SQLAlchemy
 from flask import jsonify, make_response
 from api import user
+from flask.wrappers import Response
+from typing import Tuple
 
 db = SQLAlchemy()
 mail = Mail()
@@ -20,20 +23,20 @@
 
 # This method will check if a token is blacklisted, and will be called automatically when blacklist is enabled
 @jwt.token_in_blacklist_loader
-def check_if_token_is_blacklist(decypted_token):
+def check_if_token_is_blacklist(decypted_token) -> bool:
     jti = decypted_token["jti"]
     return user.model.RevokedToken.is_jti_blacklisted(jti)
 
 
 # The following callbacks are used for customizing jwt response/error messages.
 @jwt.expired_token_loader
-def expired_token_callback():
+def expired_token_callback() -> Tuple[Response, int]:
     response = {"message": "The token has expired.", "error": "token_expired"}
     return make_response(jsonify(response)), 401
 
 
 @jwt.invalid_token_loader
-def invalid_token_callback(error):
+def invalid_token_callback(error) -> Tuple[Response, int]:
     # we have to keep the argument here, since it's passed in by the caller internally
     response = {
         "message": "Signature verification failed.",
@@ -43,7 +46,7 @@ def invalid_token_callback(error):
 
 
 @jwt.unauthorized_loader
-def missing_token_callback(error):
+def missing_token_callback(error) -> Tuple[Response, int]:
     response = {
         "message": "Request does not contain an access token.",
         "error": "authorization_required",
@@ -52,7 +55,7 @@ def missing_token_callback(error):
 
 
 @jwt.needs_fresh_token_loader
-def token_not_fresh_callback():
+def token_not_fresh_callback() -> Tuple[Response, int]:
     response = {
         "message": "The token is not fresh.",
         "error": "fresh_token_required",
@@ -61,7 +64,7 @@ def token_not_fresh_callback():
 
 
 @jwt.revoked_token_loader
-def revoked_token_callback():
+def revoked_token_callback() -> Tuple[Response, int]:
     response = {
         "message": "The token has been revoked.",
         "error": "token_revoked",