Security fixes

Refactor URL safety check and cleanup unused function and removed debug mode running

Signed-off-by: Shahm Najeeb <Nirt_12023@outlook.com>

Author: DefinetlyNotAI

README.md

@@ -92,7 +92,6 @@ This project is ready to deploy on [Vercel](https://vercel.com) with just a few
     - No need to configure anything manually except ENV VARIABLES:
          - `SECRET_KEY`: Flask Secret Key - Make this strong
          - `DATABASE_URL`: Postgresql access URL - I recommend AIVEN
-         - `FLASK_ENV`: `production` or `development`, production is the default and is more secure using waitress to serve the application, SECURITY RISK
 
 5. **Deploy!**
     - Wait for the build to finish
@@ -116,11 +115,15 @@ This project is ready to deploy on [Vercel](https://vercel.com) with just a few
    ```bash
    pip install -r requirements.txt
    ```
-3. **Start the application**
+3. **Set up the ENV variables**
+   - `SECRET_KEY`: Flask Secret Key - Make this strong
+   - `DATABASE_URL`: Postgresql access URL - I recommend AIVEN
+
+4. **Start the application**
    ```bash
    python app.py
    ```
-4. **Access the application**
+5. **Access the application**
    Open your browser and navigate to `http://localhost:5000`
 
 #### First-time Setup

app.py

@@ -5,7 +5,7 @@
 import uuid
 from datetime import datetime, UTC
 from functools import wraps
-from urllib.parse import urlparse, urljoin
+from urllib.parse import urlparse
 
 import psutil
 import psycopg2
@@ -21,8 +21,6 @@
 # Configuration
 app.config["SECRET_KEY"] = os.environ.get("SECRET_KEY", "EMPTY")
 db_url = os.environ.get("DATABASE_URL", "EMPTY")
-# Options: production or development
-RELEASE_TYPE = os.environ.get('RELEASE_TYPE', 'production')
 
 # We advise to keep this FALSE as it may undermine security and put too much pressure on servers if set to True, admins bypass this
 # Allow access to the endpoint if (overridden if ALLOW_PUBLIC_API_ACCESS = True):
@@ -401,12 +399,6 @@ class SqlQueryForm(Form):
 
 
 # Security Helpers
-def is_safe_url(target):
-    ref_url = urlparse(request.host_url)
-    test_url = urlparse(urljoin(request.host_url, target))
-    return test_url.scheme in ('http', 'https') and ref_url.netloc == test_url.netloc
-
-
 def get_client_ip():
     if request.headers.getlist("X-Forwarded-For"):
         return request.headers.getlist("X-Forwarded-For")[0]
@@ -755,11 +747,6 @@ def login():
                     session['admin'] = True
 
             create_log("Login", f"User {wallet_name} logged in", "Admin")
-
-            # Redirect to a safe URL
-            next_page = request.args.get('next')
-            if next_page and is_safe_url(next_page):
-                return redirect(next_page)
             return redirect(url_for('home'))
 
         return render_template('login.html', error="Invalid credentials")
@@ -2435,7 +2422,4 @@ def initialize_database():
 
 
 if __name__ == '__main__':
-    if RELEASE_TYPE == 'production':
-        serve(app, host='0.0.0.0', port=5000)
-    else:
-        app.run(ssl_context='adhoc', debug=True, port=5000)
+    serve(app, host='0.0.0.0', port=5000)

templates/setup.html

@@ -38,9 +38,6 @@ <h5 class="mb-0">Initialize Bank System</h5>
                         <ul class="mb-0 mt-2">
                             <li><code>SECRET_KEY</code>: Flask Secret Key</li>
                             <li><code>DATABASE_URL</code>: Postgresql access URL</li>
-                            <li><code>FLASK_ENV</code>: <code>production</code> or <code>development</code>, production
-                                is the default and is more secure using waitress to serve the application
-                            </li>
                         </ul>
                     </div>
                 </div>