Fix: Security Scan Vulnerabilities (#136)

frontend-integration/frontend_app.py

@@ -1,6 +1,7 @@
 from flask import Flask, render_template, request, jsonify
 import requests
 import json
+import os
 
 app = Flask(__name__)
 
@@ -24,7 +25,7 @@ def search_products():
 
         # Call search agent with POST request
         payload = {"query": query}
-        response = requests.post(f"{AGENTS['search']}/search", json=payload)
+        response = requests.post(f"{AGENTS['search']}/search", json=payload, timeout=10)
         response.raise_for_status()
 
         # Agent returns JSON directly
@@ -65,7 +66,7 @@ def get_product_info():
 
         # Call info agent with POST request
         payload = {"barcode": barcode}
-        response = requests.post(f"{AGENTS['info']}/product", json=payload)
+        response = requests.post(f"{AGENTS['info']}/product", json=payload, timeout=10)
         response.raise_for_status()
 
         # Agent returns JSON directly
@@ -128,4 +129,4 @@ def health_check():
     print("Available endpoints:")
     print("- Main interface: http://127.0.0.1:5000")
     print("- Health check: http://127.0.0.1:5000/health")
-    app.run(host='127.0.0.1', port=5000, debug=True) 
+    app.run(host='127.0.0.1', port=5000, debug=os.environ.get('FLASK_DEBUG') == '1')

issue_report_formatted.md

@@ -0,0 +1,38 @@
+### Summary
+A security scan (using Bandit and npm audit) has identified multiple security vulnerabilities across the repository, including a Flask app running in debug mode, vulnerable NPM packages, missing request timeouts, and silent error suppression.
+
+### Steps to reproduce
+1. Run `bandit -r .` in the root of the repository to identify Python issues.
+2. Run `npm install --package-lock-only && npm audit` inside `frontend-integration/frontend-integration` to see JavaScript dependency vulnerabilities.
+
+### Expected behavior
+The repository code should adhere to basic security guidelines:
+- Flask should not be run in debug mode in production-like environments.
+- HTTP requests via the `requests` library should specify a timeout to avoid hangs.
+- Node dependencies should be regularly audited and updated.
+- Exceptions should be properly caught and logged rather than silently ignored.
+
+### Actual behavior
+1. **Flask `debug=True` enabled (High Severity):** `frontend-integration/frontend_app.py:131` runs Flask with `debug=True`, which exposes an interactive debugger potentially allowing Remote Code Execution (RCE).
+2. **Vulnerable NPM Dependencies (High Severity):** `frontend-integration/frontend-integration/package.json` uses outdated versions of `axios`, `next`, and other packages containing known SSRF, DoS, and Prototype Pollution vulnerabilities.
+3. **Missing Request Timeouts (Medium Severity):** `web3/internet-computer/fetch/agent.py` and other agents call `requests.post()` and `requests.get()` without `timeout` parameters, risking denial of service if the endpoint hangs.
+4. **Silent Error Suppression (Low Severity):** `video-to-map-agent/pdf_generator_agent.py` and `video-to-map-agent/weather_monitor_agent.py` globally suppress errors via `except Exception: pass`.
+
+### Affected file or folder path
+`frontend-integration/frontend_app.py`
+`frontend-integration/frontend-integration/package.json`
+`web3/internet-computer/fetch/agent.py`
+`video-to-map-agent/pdf_generator_agent.py`
+
+### Logs / traceback
+```shell
+# Bandit Finding (B201)
+B201 (flask_debug_true) - frontend-integration/frontend_app.py:131
+Severity: HIGH
+
+# NPM Audit
+9 vulnerabilities (4 moderate, 5 high) in frontend-integration/frontend-integration
+```
+
+### Environment
+macOS, Python 3.11, Automated Scanner

video-to-map-agent/pdf_generator_agent.py

@@ -110,8 +110,8 @@ def download_thumbnail(url: str):
         resp = requests.get(url, timeout=10)
         if resp.status_code == 200:
             return BytesIO(resp.content)
-    except Exception:
-        pass
+    except Exception as e:
+        print(f"Error downloading thumbnail: {e}")
     return None
 
 
@@ -174,8 +174,8 @@ def _render_cover_page(pdf: "TravelPDF", msg: PDFRequest) -> None:
             try:
                 pdf.image(img_data, x=55, y=thumb_y, w=100)
                 thumb_y += 60
-            except Exception:
-                pass
+            except Exception as e:
+                print(f"Error embedding thumbnail: {e}")
 
     # intro text
     pdf.set_y(thumb_y + 8)

video-to-map-agent/weather_monitor_agent.py

@@ -58,8 +58,8 @@ def get_daily_forecast(lat: float, lng: float, target_date: str) -> dict:
             )
             if date_str == target_date:
                 return day
-    except Exception:
-        pass
+    except Exception as e:
+        print(f"Error fetching daily forecast: {e}")
     return {}
 
 
@@ -234,9 +234,9 @@ def _append_log_rows(excel_path: str, trip_date: str, per_stop_rows: list) -> No
             row += 1
 
         wb.save(excel_path)
-    except Exception:
+    except Exception as e:
         # Never let excel bookkeeping break the actual monitoring.
-        pass
+        print(f"Error writing to excel: {e}")
 
 
 @agent.on_interval(period=86400.0)