move out of stock over to wow routes (#33)

* move out of stock over to wow routes

* add semgrep config

* Ensure 'NO_RATE_LIMIT' is correctly cast to boolean

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* Update .semgrep.yml

* Update and rename .semgrep.yml to semgrep.config.yaml

---------

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

Author: cohenaj194

app.py

@@ -758,61 +758,6 @@ def bestdeals():
         )
 
 
-@app.route("/wowoutofstock", methods=["GET", "POST"])
-def wow_outofstock_api():
-    if request.method == "GET":
-        return return_safe_html(render_template("wow_outofstock.html"))
-    elif request.method == "POST":
-        category = int(request.form.get("item_class"))
-        if category == -1:
-            include_cat = []
-        else:
-            include_cat = [category]
-        json_data = {
-            "region": request.form.get("region"),
-            "salesPerDay": float(request.form.get("salesPerDay")),
-            "avgPrice": int(request.form.get("avgPrice")),
-            "minMarketValue": int(request.form.get("minMarketValue")),
-            "populationWP": int(request.form.get("populationWP")),
-            "populationBlizz": int(request.form.get("populationBlizz")),
-            "rankingWP": int(request.form.get("rankingWP")),
-            "includeCategories": include_cat,
-            "excludeCategories": [],
-        }
-
-        response = requests.post(
-            f"{api_url}/wow/outofstock",
-            headers={"Accept": "application/json"},
-            json=json_data,
-        ).json()
-
-        if "data" not in response or len(response["data"]) == 0:
-            logger.error(
-                f"Error no matching data with given inputs {json_data} response {response}"
-            )
-            if NO_RATE_LIMIT:
-                return f"Error no matching data with given inputs {json_data} response {response}"
-            # send generic error message to remove XSS potential
-            return "error no matching results found matching search inputs"
-        response = response["data"]
-
-        for row in response:
-            del row["itemID"]
-            del row["item_class"]
-            del row["item_subclass"]
-            del row["connectedRealmId"]
-            del row["itemQuality"]
-
-        fieldnames = list(response[0].keys())
-
-        return return_safe_html(
-            render_template(
-                "wow_outofstock.html",
-                results=response,
-                fieldnames=fieldnames,
-                len=len,
-            )
-        )
 
 
 @app.route("/petimport", methods=["GET", "POST"])

routes/wow.py

@@ -7,6 +7,7 @@
 
 wow_bp = Blueprint("wow", __name__)
 
+NO_RATE_LIMIT = os.getenv("NO_RATE_LIMIT", "False").lower() in ("true", "1", "yes")
 
 @wow_bp.route("/wow", methods=["GET", "POST"])
 def wow():
@@ -32,3 +33,61 @@ def itemnames():
                 "itemnames.html", results=resp_list, fieldnames=["id", "name"], len=len
             )
         )
+
+
+@wow_bp.route("/wowoutofstock", methods=["GET", "POST"])
+def wow_outofstock_api():
+    if request.method == "GET":
+        return return_safe_html(render_template("wow_outofstock.html"))
+    elif request.method == "POST":
+        category = int(request.form.get("item_class"))
+        if category == -1:
+            include_cat = []
+        else:
+            include_cat = [category]
+        json_data = {
+            "region": request.form.get("region"),
+            "salesPerDay": float(request.form.get("salesPerDay")),
+            "avgPrice": int(request.form.get("avgPrice")),
+            "minMarketValue": int(request.form.get("minMarketValue")),
+            "populationWP": int(request.form.get("populationWP")),
+            "populationBlizz": int(request.form.get("populationBlizz")),
+            "rankingWP": int(request.form.get("rankingWP")),
+            "includeCategories": include_cat,
+            "excludeCategories": [],
+        }
+
+        response = requests.post(
+            f"{api_url}/wow/outofstock",
+            headers={"Accept": "application/json"},
+            json=json_data,
+        ).json()
+
+        if "data" not in response or len(response["data"]) == 0:
+            # @coderabbitai will need to move the logger function over so it can be used here
+            print(
+                f"Error no matching data with given inputs {json_data} response {response}"
+            )
+            if NO_RATE_LIMIT:
+                return f"Error no matching data with given inputs {json_data} response {response}"
+            # send generic error message to remove XSS potential
+            return "error no matching results found matching search inputs"
+        response = response["data"]
+
+        for row in response:
+            del row["itemID"]
+            del row["item_class"]
+            del row["item_subclass"]
+            del row["connectedRealmId"]
+            del row["itemQuality"]
+
+        fieldnames = list(response[0].keys())
+
+        return return_safe_html(
+            render_template(
+                "wow_outofstock.html",
+                results=response,
+                fieldnames=fieldnames,
+                len=len,
+            )
+        )

semgrep.config.yaml

@@ -0,0 +1,42 @@
+rules:
+- id: nan-injection
+  message: Found user input going directly into typecast for bool(), float(), or complex(). This allows an
+    attacker to inject Python's not-a-number (NaN) into the typecast. This results in undefind behavior,
+    particularly when doing comparisons. Either cast to a different type, or add a guard checking for
+    all capitalizations of the string 'nan'.
+  languages:
+  - python
+  severity: ERROR
+  mode: taint
+  pattern-sources:
+  - pattern-either:
+    - pattern: flask.request.$SOMETHING.get(...)
+    - pattern: flask.request.$SOMETHING[...]
+    - patterns:
+      - pattern-inside: |
+          @$APP.route(...)
+          def $FUNC(..., $ROUTEVAR, ...):
+            ...
+      - pattern: $ROUTEVAR
+  pattern-sinks:
+  - pattern-either:
+    - pattern: float(...)
+    - pattern: bool(...)
+    - pattern: complex(...)
+  pattern-sanitizers:
+  - not_conflicting: true
+    pattern: $ANYTHING(...)
+  metadata:
+    references:
+    - https://discuss.python.org/t/nan-breaks-min-max-and-sorting-functions-a-solution/2868
+    - https://blog.bitdiscovery.com/2021/12/python-nan-injection/
+    category: security
+    cwe:
+    - 'CWE-704: Incorrect Type Conversion or Cast'
+    technology:
+    - flask
+    subcategory:
+    - vuln
+    impact: MEDIUM
+    likelihood: MEDIUM
+    confidence: MEDIUM