hackucf / onboardlite Goto Github PK

If the size of a payload reaches the DynamoDB maximum size restriction, there is no frontend notification of such a failure. This should be checked for before navigating to another page on the frontend and/or truncated on the backend to an acceptable character limit.

Instead, deserializing the YAML to a Pydantic model and accessing features from there would be cleaner and would also allow for validation over the config in the case of improper inputs.

Probably just a typo at https://github.com/HackUCF/OnboardLite/blob/main/util/approve.py#L47 but http://discordapp.... instead of https://discordapp....

Create a notification module, to handle switching between emails and discord notification and any other notification provider.

All database calls should be abstracted in a different module that should allow easier switching to MongoDB in the future

This was originally found from SemGrep:

    index.py
       python.jwt.security.jwt-hardcode.jwt-python-hardcoded-secret
          Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials
          weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate
          security mechanism to protect the credentials (e.g. keeping secrets in environment
          variables)
          Details: https://sg.run/l2E9

          196┆ options.get("jwt").get("secret"),
            ⋮┆----------------------------------------
          196┆ options.get("jwt").get("secret"),

Instead, the JWT secret should be generated each time the app is started (unless there are clustering plans but I don't think that's necessary to plan for atm.

Maybe just generate some long random string using https://docs.python.org/3/library/secrets.html each time the app starts. All sessions are terminated with the application but IMHO this is an easy idea to never have to deal with session secret compromise aside from variable theft during runtime.

on https://github.com/HackUCF/OnboardLite/blob/main/util/approve.py#L62, there's a massive structure to essentially validate a new user.

This is what the pydantic models are for so we can create a new model object with the provided data and then slap a https://docs.pydantic.dev/latest/usage/validators/ on that

After filling out the form at least once, and clicking "Edit" from the "my information" page, if a user has a class standing of "Other" it will be reset to "Freshman" on the edit screen.

https://github.com/HackUCF/OnboardLite/blob/main/util/horsepass.py#L31C19-L31C19 super call is not required as HorsePass does not inherit