When first setting up my GitHub CodeQL analysis, I got a few results I do not quite understand and would like to know why they are considered problems.
Second, I have a medium error "Reflected server-side cross-site scripting" which stems from these lines of code:
    import json

    import pandas as pd
    from flask import Flask, request
    from sqlalchemy import select

    # utils, table, databases_and_translations, JSONEncoder, value_1 and count
    # are defined elsewhere in the poster's module and are not shown here.

    @app.route("/api/functions/func/<param>")
    def function(param):
        column_translation_from_table, engine, params, group = utils.get_initial_info(request, databases_and_translations, app.logger)
        if param == "avg":
            target = value_1  # column to aggregate
        stmt = select([table.c.value_1, table.c.value_2]).where()
        results = engine.execute(stmt).fetchall()
        df = pd.DataFrame(results, columns=results[0].keys())
        output = {}  # so the return below is defined even if the block fails
        try:
            output = {
                "data": df[target].mean(),
                "name": count
            }
            utils.log_message(request, logger=app.logger, message='data sent successfully', type='info')
        except Exception as e:
            msg = 'data output unsuccessful ' + str(e)
            utils.log_message(request, logger=app.logger, message=msg, type='warn')
        # Returned as a plain str, so Flask serves it with its default text/html content type
        return json.dumps(output, cls=JSONEncoder)
I do not see how the user input is being taken in any dangerous way in a cross-site scripting sense.
EDIT:
As discussed with Pointy in the comments, the first part of my post (below) likely does not result in any security issues, but I will include it for reference.
First, the program marked the line
    const regex = new RegExp(`(?<![A-Za-z\.])${stateAbbr[i]}(?![A-Za-z\.])`, 'g')
as "Useless regular-expression character escape." I do not see why this is in any way a vulnerability. The function loops through a predetermined list of states abbreviated as 'Ny' into 'NY'. But CodeQL marked this as a high severity issue in the two times it appears.
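To make the reflected-XSS finding on the Flask route concrete: Flask serves a returned `str` with its default `text/html` content type, so any request-derived string that ends up inside the `json.dumps` body is rendered as markup when a browser opens the URL directly. The following is an added example, not code from the question; it uses plain Python instead of Flask so it runs stand-alone, with a constructed tainted value, and contrasts the naive response with the two usual fixes (`application/json` content type, as `flask.jsonify` sets, plus escaping of `<`, `>` and `&` inside the JSON).

```python
import json

# Constructed sample: a value that originated in the request (for example a
# label chosen by the caller) and is copied into the JSON body unchanged.
TAINTED_NAME = "<script>alert(1)</script>"


def naive_response(data):
    """Mimics `return json.dumps(output)` from a Flask view.

    Flask wraps a returned str in a response whose default Content-Type is
    text/html, so the browser parses any '<' in the body as HTML. That is the
    source-to-sink flow CodeQL reports as reflected XSS.
    """
    body = json.dumps(data)
    return body, {"Content-Type": "text/html; charset=utf-8"}


def hardened_response(data):
    """Two independent fixes, either of which breaks the vector.

    1. Declare the body as application/json (what flask.jsonify does), so a
       browser never renders it as a document.
    2. Escape tag-forming characters as JSON \\uXXXX sequences. The text is
       still valid JSON with the same decoded value, but contains no literal
       '<', '>' or '&' even if the header is lost behind a proxy.
    """
    body = json.dumps(data)
    body = (body.replace("&", "\\u0026")
                .replace("<", "\\u003c")
                .replace(">", "\\u003e"))
    return body, {"Content-Type": "application/json"}


def contains_markup(body):
    """Cheap check a reviewer can run over a response body."""
    return "<" in body or ">" in body


if __name__ == "__main__":
    output = {"data": 3.5, "name": TAINTED_NAME}
    for build in (naive_response, hardened_response):
        body, headers = build(output)
        print(build.__name__, headers["Content-Type"], contains_markup(body))
        # Both bodies decode back to the same dict; only the transport differs.
        assert json.loads(body) == output
```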