Merge branch 'codeql' into alert-autofix-28

End_to_end_Solutions/AOAISearchDemo/app/data/app.py

@@ -65,7 +65,7 @@ def create_chat_session(user_id: str, conversation_id: str):
         return Response(response="A bad request error occurred.", status=400)
     except CosmosConflictError as e:
         logger.exception(f"create-chat-session: error: {e} ", extra=properties)
-        return Response(response="A conflict error occurred.", status=409)
+        return Response(response="Conflict occurred while creating chat session.", status=409)
     except Exception as e:
         logger.exception(f"create-chat-session: error: {e} ", extra=properties)
         return Response(response="An internal server error occurred.", status=500)
@@ -85,8 +85,8 @@ def get_chat_session(user_id: str, conversation_id: str):
         properties = logger.get_updated_properties(addl_dim)
 
         if session is None:
-            logger.info(f"get-chat-session: session with conversation_id {conversation_id} not found", extra=properties)
-            return Response(response=f"Chat session with conversation_id {conversation_id} not found.", status=404)
+            logger.info(f"get-chat-session: session with conversation_id {html.escape(conversation_id)} not found", extra=properties)
+            return Response(response=f"Chat session with conversation_id {html.escape(conversation_id)} not found.", status=404)
         else:
             logger.info("get-chat-session: session found", extra=properties)
             return Response(response=json.dumps(session.to_item()), status=200)
@@ -114,7 +114,7 @@ def check_chat_session(user_id: str, conversation_id: str):
             return Response(response="true", status=200)
     except Exception as e:
         logger.exception(f"check-chat-session: error: {e} ", extra=properties)
-        return Response(response=str(e), status=500)
+        return Response(response="An internal error has occurred.", status=500)
 
 @app.route('/chat-sessions/<user_id>/<conversation_id>', methods=['PUT'])
 def update_chat_session(user_id: str, conversation_id: str):
@@ -148,23 +148,25 @@ def update_chat_session(user_id: str, conversation_id: str):
         return Response(response=json.dumps(session.to_item()), status=200)
     except (TypeError, NullValueError, MissingPropertyError, ValueError) as e:
         logger.exception(f"update-chat-session: error: {e} ", extra=properties)
-        return Response(response=str(e), status=400)
+        return Response(response="An error occurred while processing your request.", status=400)
     except SessionNotFoundError as e:
         logger.exception(f"update-chat-session: error: {e} ", extra=properties)
-        return Response(response=str(e), status=404)
+        return Response(response="Chat session not found.", status=404)
     except Exception as e:
         logger.exception(f"update-chat-session: error: {e} ", extra=properties)
-        return Response(response=str(e), status=500)
+        return Response(response="An internal server error occurred.", status=500)
 
 @app.route('/chat-sessions/<user_id>/<conversation_id>', methods=['DELETE'])
 def clear_chat_session(user_id: str, conversation_id: str):
     try:
         chat_manager.clear_chat_session(user_id, conversation_id)
         return Response(status=200)
     except SessionNotFoundError as e:
-        return Response(response=str(e), status=404)
+        logger.exception(f"clear-chat-session: error: {e} ")
+        return Response(response="Chat session not found.", status=404)
     except Exception as e:
-        return Response(response=str(e), status=500)
+        logger.exception(f"clear-chat-session: error: {e} ")
+        return Response(response="An internal server error occurred.", status=500)
 
 @app.route('/user-profiles/<user_id>', methods=['POST'])
 def create_user_profile(user_id: str):
@@ -185,11 +187,12 @@ def create_user_profile(user_id: str):
         user_profile = entities_manager.create_user_profile(user_id, user_name, description, sample_questions)
         return Response(response=json.dumps(user_profile.to_item()), status=201)
     except (TypeError, NullValueError, MissingPropertyError) as e:
-        return Response(response=str(e), status=400)
+        return Response(response="Invalid request data.", status=400)
     except CosmosConflictError as e:
-        return Response(response=str(e), status=409)
+        return Response(response="Conflict occurred while creating user profile.", status=409)
     except Exception as e:
-        return Response(response=str(e), status=500)
+        logger.exception(f"create-user-profile: error: {e}")
+        return Response(response="An internal server error occurred.", status=500)
 
 @app.route('/user-profiles/<user_id>', methods=['GET'])
 def get_user_profile(user_id: str):
@@ -242,7 +245,8 @@ def get_user_group(group_id: str):
     try:
         user_group = entities_manager.get_user_group(group_id)
         if user_group is None:
-            return Response(response=f"User group with group_id {group_id} not found.", status=404)
+            escaped_group_id = html.escape(group_id)
+            return Response(response=f"User group with group_id {escaped_group_id} not found.", status=404)
         else:
             return Response(response=json.dumps(user_group.to_item()), status=200)
     except Exception as e:
@@ -254,7 +258,7 @@ def get_user_member_groups(user_id: str):
     try:
         user_groups = entities_manager.get_user_member_groups(user_id)
         if user_groups is None:
-            return Response(response=f"User with user_id {user_id} not found.", status=404)
+            return Response(response=f"User with user_id {html.escape(user_id)} not found.", status=404)
         else:
             return Response(response=json.dumps([user_group.to_item_no_users() for user_group in user_groups]), status=200)
     except Exception as e:
@@ -279,7 +283,8 @@ def update_user_group(group_id: str):
     except (TypeError, NullValueError, MissingPropertyError, ValueError) as e:
         return Response(response=str(e), status=400)
     except SessionNotFoundError as e:
-        return Response(response=str(e), status=404)
+        logging.error("Session not found: %s", e, exc_info=True)
+        return Response(response="Session not found.", status=404)
     except Exception as e:
         logging.error("An error occurred while updating user group: %s", e, exc_info=True)
         return Response(response="An internal error has occurred.", status=500)
@@ -310,7 +315,7 @@ def get_resource(resource_id: str):
     try:
         resource = entities_manager.get_resource(resource_id)
         if resource is None:
-            return Response(response=f"Resource with resource_id {resource_id} not found.", status=404)
+            return Response(response=f"Resource with resource_id {html.escape(resource_id)} not found.", status=404)
         else:
             return Response(response=json.dumps(resource.to_item()), status=200)
     except Exception as e:
@@ -322,7 +327,7 @@ def get_user_resources(user_id: str):
     try:
         user_profile = entities_manager.get_user_profile(user_id)
         if user_profile is None:
-            return Response(response=f"User with user_id {user_id} not found.", status=404)
+            return Response(response=f"User with user_id {html.escape(user_id)} not found.", status=404)
         user_groups = entities_manager.get_user_member_groups(user_id)
         resources = permissions_manager.get_user_resources(user_profile, user_groups)
 
@@ -373,7 +378,7 @@ def get_access_rule(rule_id: str):
     try:
         access_rule = permissions_manager.get_access_rule(rule_id)
         if access_rule is None:
-            return Response(response=f"Access rule with rule_id {rule_id} not found.", status=404)
+            return Response(response=f"Access rule with rule_id {html.escape(rule_id)} not found.", status=404)
         else:
             return Response(response=json.dumps(access_rule.to_item()), status=200)
     except Exception as e: