From df4969be82168af16573f20da1e599a183c694ce Mon Sep 17 00:00:00 2001
From: terrtia
Date: Fri, 6 Sep 2024 14:32:25 +0200
Subject: [PATCH] chg: [UI] abort 403 and 404
---
var/www/Flask_server.py | 12 ++++++++++++
var/www/blueprints/crawler_splash.py | 4 ++++
var/www/blueprints/hunters.py | 10 +++++++---
var/www/blueprints/investigations_b.py | 4 ++++
4 files changed, 27 insertions(+), 3 deletions(-)
diff --git a/var/www/Flask_server.py b/var/www/Flask_server.py
index 7a4ab20b..f468d693 100755
--- a/var/www/Flask_server.py
+++ b/var/www/Flask_server.py
@@ -274,6 +274,14 @@ def _handle_client_error(e): else: return e
+@app.errorhandler(403)
+def error_page_not_found(e):
+ if request.path.startswith('/api/'): ## # TODO: add baseUrl
+ return Response(json.dumps({"status": "error", "reason": "403 Access Denied"}) + '\n', mimetype='application/json'), 403
+ else:
+ # avoid endpoint enumeration
+ return page_forbidden(e)
+ +@app.errorhandler(404) def error_page_not_found(e): if request.path.startswith('/api/'): ## # TODO: add baseUrl
@@ -289,6 +297,10 @@ def _handle_client_error(e): else: return e
+@login_required
+def page_forbidden(e):
+ return render_template("error/403.html"), 403
+ +@login_required def page_not_found(e): # avoid endpoint enumeration
diff --git a/var/www/blueprints/crawler_splash.py b/var/www/blueprints/crawler_splash.py
index 6915f2b4..ab8ea152 100644
--- a/var/www/blueprints/crawler_splash.py
+++ b/var/www/blueprints/crawler_splash.py
@@ -51,6 +51,10 @@ def api_validator(message, code): def create_json_response(data, status_code):
+ if status_code == 403:
+ abort(403)
+ elif status_code == 404:
+ abort(404) return Response(json.dumps(data, indent=2, sort_keys=True), mimetype='application/json'), status_code
diff --git a/var/www/blueprints/hunters.py b/var/www/blueprints/hunters.py
index 94c192a9..61473386 100644
--- a/var/www/blueprints/hunters.py
+++ b/var/www/blueprints/hunters.py
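Review bot: The new 403 handler is named `error_page_not_found`, the same name the 404 handler immediately below already uses; Flask registers each function at decoration time so both handlers still fire, but the module-level name now silently refers to the 404 one and linters flag the redefinition. Rename it, e.g. `def error_page_forbidden(e):`. The API branch also builds its body as `json.dumps({...}) + '\n'` while the sibling handler visible in context uses the `indent=2, sort_keys=True` form, so API error bodies differ in shape between 403 and 404. Keeping the 403 body fixed rather than echoing the exception's description is the right choice for the API branch and is worth a one-line comment such as `# fixed body: do not echo e.description to the client`.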
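Review bot: `page_forbidden` renders `error/403.html`, but the diffstat lists only the four Python files, so that template must already exist in the tree — if it does not, a `TemplateNotFound` raised inside the error handler turns every non-API 403 into a 500; worth confirming before merge. A docstring would also make the unusual `@login_required` on an error handler explicit: anonymous clients get Flask-Login's unauthorized response (by default a redirect to the login view) instead of the 403 page, so they cannot tell a forbidden URL from a non-existent one, mirroring `page_not_found` below. Suggested docstring: `"""Render the 403 page for authenticated users only; anonymous clients get the login redirect so forbidden and unknown URLs look alike."""`.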
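Review bot: `create_json_response` now calls `abort(403)` / `abort(404)`, but this hunk does not touch the module's imports and the diffstat records only these four added lines for crawler_splash.py, so `abort` must already be imported from flask here — unlike hunters.py, which adds it in this same patch; if it is not, the helper raises `NameError` and the access-denied path is served as a 500. The two codes also discard `data`, so callers' reason strings no longer reach the client; that is the intent (the app-level handlers decide what a 403/404 reveals), but the name no longer conveys it, so add a docstring: `"""Return a JSON Response; 403 and 404 are raised via abort() so the app-level handlers (login-gated page or fixed API body) reply instead of echoing data."""`. A single guard `if status_code in (403, 404): abort(status_code)` reads the same and avoids the two branches.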
@@ -9,7 +9,7 @@ import os import sys import json
-from flask import render_template, jsonify, request, Blueprint, redirect, url_for, Response
+from flask import render_template, jsonify, request, Blueprint, redirect, url_for, Response, abort from flask_login import login_required, current_user sys.path.append('modules')
@@ -45,6 +45,10 @@ def api_validator(api_response): return Response(json.dumps(api_response[0], indent=2, sort_keys=True), mimetype='application/json'), api_response[1] def create_json_response(data, status_code):
+ if status_code == 403:
+ abort(403)
+ elif status_code == 404:
+ abort(404) return Response(json.dumps(data, indent=2, sort_keys=True), mimetype='application/json'), status_code # ============= ROUTES ==============
@@ -330,7 +334,7 @@ def tracker_edit(): tracker_uuid = request.args.get('uuid', None) res = Tracker.api_check_tracker_acl(tracker_uuid, user_org, user_id, user_role, 'edit') if res: # invalid access
- return Response(json.dumps(res[0], indent=2, sort_keys=True), mimetype='application/json'), res[1]
+ return create_json_response(res[0], res[1]) tracker = Tracker.Tracker(tracker_uuid) dict_tracker = tracker.get_meta(options={'description', 'level', 'mails', 'filters', 'tags', 'webhooks'})
@@ -446,7 +450,7 @@ def tracker_objects(): tracker_uuid = request.args.get('uuid', None) res = Tracker.api_check_tracker_acl(tracker_uuid, user_org, user_id, user_role, 'edit') if res: # invalid access
- return Response(json.dumps(res[0], indent=2, sort_keys=True), mimetype='application/json'), res[1]
+ return create_json_response(res[0], res[1]) tracker = Tracker.Tracker(tracker_uuid) meta = tracker.get_meta(options={'description', 'sparkline', 'tags', 'nb_objs'})
diff --git a/var/www/blueprints/investigations_b.py b/var/www/blueprints/investigations_b.py
index a4c08c5f..a30280b7 100644
--- a/var/www/blueprints/investigations_b.py
+++ b/var/www/blueprints/investigations_b.py
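Review bot: This is the third identical copy of `create_json_response` in the patch (crawler_splash.py and investigations_b.py carry the same body), so the 403/404 disclosure policy now lives in three places and will drift; moving it into one shared module would give a single choke point for what error responses reveal. `api_validator` directly above still returns the raw `api_response[0]` body with its status code, so any route that uses it on an ACL failure keeps sending the detailed reason — fine if those are the `/api/` routes the new 403 handler answers with a fixed body, worth checking otherwise. `abort()` also drops `data` for the two codes, which the function's name no longer conveys; a short docstring stating that 403/404 are delegated to the application error handlers would help.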
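Review bot: Only 403 and 404 from `api_check_tracker_acl` are turned into error pages by `create_json_response`; any other status the check may return for a missing or malformed `uuid` (the route passes `request.args.get('uuid', None)` straight through) is still answered with a JSON body from what is otherwise an HTML route, so the browser shows raw JSON. If the ACL helper can return other codes, route every failure to an error page, e.g. `abort(res[1])` inside the `if res:` branch; if it only returns 403/404 the new line is fine as is — confirm against `Tracker.api_check_tracker_acl`. Note that the detailed reason in `res[0]` is now dropped for 403/404, which is the intended hardening, but authenticated users still receive distinct 403 and 404 templates, so tracker existence is hidden only from anonymous clients. `tracker_edit`'s body continues past the hunk.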
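Review bot: `tracker_objects` gates with `api_check_tracker_acl(..., 'edit')` even though, going by its name and the `get_meta` call that follows, it only reads the tracker's objects; if the ACL helper distinguishes a read-only level, checking that instead would follow least privilege and let viewers reach the page — confirm against `Tracker.api_check_tracker_acl`. The new `create_json_response(res[0], res[1])` line is consistent with `tracker_edit`, with the same caveat that status codes other than 403/404 still come back as JSON from an HTML route. `tracker_objects`'s body continues past the hunk.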
@@ -34,6 +34,10 @@ bootstrap_label = Flask_config.bootstrap_label # ============ FUNCTIONS ============ def create_json_response(data, status_code):
+ if status_code == 403:
+ abort(403)
+ elif status_code == 404:
+ abort(404) return Response(json.dumps(data, indent=2, sort_keys=True), mimetype='application/json'), status_code # ============= ROUTES ==============
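Review bot: As in crawler_splash.py, this file's import line is not part of the patch and the diffstat records just these four insertions for investigations_b.py, so `abort` must already be imported from flask here; if it is not, the first 403/404 passed to this helper raises `NameError` and is served as a 500 rather than the intended error page. A docstring stating that those two codes are delegated to the application-wide handlers — `"""Return a JSON Response; 403/404 are raised with abort() so the app error handlers decide what is disclosed."""` — would explain why `data` is ignored for them. The helper is now duplicated verbatim across three blueprints and would be better shared.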