Code cleanups and security improvements

.github/dependabot.yml

@@ -0,0 +1,32 @@
+version: 2
+
+# Security sensitive updates (ie: upgrades which fix vulnerabilities)
+# aren't affected by any filtering we define below so this is
+# purely to do with keeping dependencies compatible and supported.
+updates:
+
+# These entries are for our development dependencies
+# which we want to keep up to date but only really
+# care about major versions for supportability.
+- package-ecosystem: "github-actions"
+  directory: "/.github/workflows"
+  schedule:
+    interval: "daily"
+  ignore:
+  - dependency-name: "*"
+    update-types:
+    - "version-update:semver-minor"
+    - "version-update:semver-patch"
+
+- package-ecosystem: "uv"
+  directory: "/"
+  schedule:
+    interval: "daily"
+  allow:
+  - dependency-type: "direct"
+  - dependency-type: "indirect"
+  ignore:
+  - dependency-name: "*"
+    update-types:
+    - "version-update:semver-minor"
+    - "version-update:semver-patch"

.github/workflows/pytest.yml

@@ -0,0 +1,28 @@
+name: Run Pytest
+
+on:
+  push:
+  pull_request:
+  workflow_dispatch:
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v3
+
+    - name: Set up Python
+      uses: actions/setup-python@v4
+      with:
+        python-version: '3.x'
+
+    - name: Install dependencies
+      run: |
+        python -m pip install --upgrade pip
+        pip install pytest
+
+    - name: "Run tests"
+      run: |
+        pytest tests/

.github/workflows/ruff.yml

@@ -0,0 +1,18 @@
+name: CI
+on: push
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+      - name: Install Python
+        uses: actions/setup-python@v6
+        with:
+          python-version: "3.11"
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install ruff
+      # Update output format to enable automatic inline annotations.
+      - name: Run Ruff
+        run: ruff check --output-format=github .

.github/workflows/typing.yml

@@ -0,0 +1,27 @@
+name: Validate Python Typing (Experimental)
+
+on:
+  workflow_dispatch:
+
+jobs:
+  type-check:
+    runs-on: ubuntu-latest
+    continue-on-error: true  # Allow graceful failure
+
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v3
+
+    - name: Set up Python
+      uses: actions/setup-python@v4
+      with:
+        python-version: '3.x'
+
+    - name: Install dependencies
+      run: |
+        python -m pip install --upgrade pip
+        pip install mypy types-PyMySQL types-requests types-Authlib
+
+    - name: Run mypy type checks
+      run: mypy .
+

README.md

@@ -99,6 +99,9 @@ GITHUB_CLIENT_SECRET=github_client_secret_from_oauth_app
 FLASK_SECRET_KEY=any_random_key
 ```
 
+### 10. Local Development instance:
+`uv run -m src.app.fileset`
+
 ## Deployment Guide
 The Flask application is deployed using `mod_wsgi`, an Apache module for hosting WSGI applications.  
 Assuming Apache and mod_wsgi are already installed:
@@ -183,3 +186,4 @@ http://localhost:5000/validate
 ```
 with the request body in JSON format as shown in `sample_json_request.json` present in the root directory.
 
+

src/app/fileset.py

@@ -1,3 +1,13 @@
+from collections import defaultdict
+from datetime import timedelta
+import html as html_lib
+import json
+import os
+import re
+import urllib.parse
+
+import difflib
+
 from flask import (
     Flask,
     request,
@@ -10,20 +20,14 @@
     session,
 )
 
-
 import requests
-from datetime import timedelta
-import json
-import html as html_lib
-import os
+
 from src.app.pagination import create_page
-import difflib
 
 import src.app.env_loader  # noqa
 from src.scripts.db_functions import (
     insert_game,
     get_all_related_filesets,
-    convert_log_text_to_links,
     user_integrity_check,
     create_log,
     delete_original_fileset,
@@ -32,7 +36,6 @@
     insert_filechecksum,
 )
 from src.utils.db_config import db_connect, db_connect_root
-from collections import defaultdict
 from src.scripts.schema import init_database
 from src.app.validate_user_payload import validate_user_payload
 from src.utils.cookie import get_filesets_per_page, get_logs_per_page
@@ -126,6 +129,21 @@ def clear_database():
     return redirect("/")
 
 
+def convert_log_text_to_links(log_text):
+    log_text = re.sub(
+        r"Fileset:(\d+)", r'<a href="/fileset?id=\1">Fileset:\1</a>', log_text
+    )
+    log_text = re.sub(
+        r"user:(\w+)", r'<a href="/log?search=user:\1">user:\1</a>', log_text
+    )
+    log_text = re.sub(
+        r"Transaction:(\d+)",
+        r'<a href="/transaction?id=\1">Transaction:\1</a>',
+        log_text,
+    )
+    return log_text
+
+
 @app.route("/fileset", methods=["GET", "POST"])
 @role_required("Admin", "Moderator", "Read Only")
 def fileset():
@@ -511,7 +529,8 @@ def fileset():
             for column in sortable_columns:
                 if column not in ["id"]:
                     vars = "&".join(
-                        [f"{k}={v}" for k, v in request.args.items() if k != "sort"]
+                        f"{urllib.parse.quote_plus(str(k))}={urllib.parse.quote_plus(str(v))}"
+                        for k, v in request.args.items() if k != "sort"
                     )
                     sort_link = f"{column}"
                     if sort == column:
@@ -599,7 +618,7 @@ def fileset():
                         )
                         log_text = cursor.fetchone()["text"]
                         log_text = convert_log_text_to_links(log_text)
-                        html += f"<td><a href='logs?id={h['log']}'>Log {h['log']}</a>: {log_text}</td>\n"
+                        html += f"<td><a href='logs?id={html_lib.escape(h['log'])}'>Log {html_lib.escape(h['log'])}</a>: {html_lib.escape(log_text)}</td>\n"
                     else:
                         html += "<td>No log available</td>\n"
                     html += "</tr>\n"
@@ -614,7 +633,7 @@ def fileset():
                     cursor.execute("SELECT `text` FROM log WHERE id = %s", (h["log"],))
                     log_text = cursor.fetchone()["text"]
                     log_text = convert_log_text_to_links(log_text)
-                    html += f"<td><a href='logs?id={h['log']}'>Log {h['log']}</a>: {log_text}</td>\n"
+                    html += f"<td><a href='logs?id={html_lib.escape(h['log'])}'>Log {html_lib.escape(h['log'])}</a>: {html_lib.escape(log_text)}</td>\n"
                 else:
                     html += "<td>No log available</td>\n"
                 html += "</tr>\n"