Two critical issues and several high/medium issues were identified during
a security review of the backend API.
**Critical fixes:**
1. Path traversal (CWE-22): user-supplied `simulation_id`, `report_id`,
and `project_id` values were passed directly to `os.path.join()`
without validation, allowing `../` sequences to escape intended
directories.
- Added `backend/app/utils/id_validator.py` with `validate_safe_id()`
(rejects anything that isn't alphanumeric/underscore/hyphen) and
`safe_join()` (resolves realpath and verifies containment).
- Applied to all 3 path-construction sites in simulation.py, all 12
relevant handlers in report.py, and 6 sites in graph.py.
- Sanitized uploaded filenames with `os.path.basename()` in graph.py.
2. Missing authentication: all API endpoints were publicly accessible
with no auth mechanism.
- Added `backend/app/utils/auth.py` with an `X-Api-Key` middleware
registered as a `before_request` hook.
- Auth is opt-in: set `API_KEY` in `.env` to enforce it; if unset a
startup warning is logged. This preserves local dev workflows.
**High fixes:**
3. Hardcoded `SECRET_KEY` fallback replaced with `os.urandom(32).hex()`
so an unset key is never predictable.
4. `FLASK_DEBUG` now defaults to `False` instead of `True`.
5. Full Python tracebacks removed from all API error responses (51 total
across graph.py, report.py, simulation.py) — tracebacks still go to
the logger.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Introduced the Report Agent module to facilitate the automatic generation of simulation analysis reports using LangChain and Zep, following the ReACT model.
- Added functionality for report outline planning, segmented content generation, and user interaction through a dialogue interface.
- Implemented new API endpoints for report generation, status checking, and retrieval, enhancing the overall reporting capabilities.
- Updated README.md to include detailed instructions on the new report generation features and API usage.
- Enhanced the project structure to accommodate the new report management functionalities, including report storage and retrieval mechanisms.
- Added support for a `max_rounds` parameter in simulation API, allowing users to limit the number of simulation rounds, improving control over simulation duration.
- Updated README.md to reflect the new `max_rounds` parameter and its usage in simulation requests.
- Enhanced error handling for `max_rounds` input validation to ensure it is a positive integer.
- Modified simulation runner and related scripts to incorporate `max_rounds` functionality, ensuring consistent application across Twitter and Reddit simulations.
- Improved logging to indicate when the number of rounds is truncated due to the `max_rounds` setting, enhancing traceability during simulation execution.
- Updated README.md to include new simulation scripts and configuration details for OASIS, including API retry mechanisms and environment variable settings.
- Added simulation management and configuration generation services to streamline the simulation process across Twitter and Reddit platforms.
- Introduced new API routes for simulation-related operations, including entity retrieval and simulation status management.
- Implemented a robust retry mechanism for external API calls to improve system stability.
- Enhanced task management model to include detailed progress tracking.
- Added logging capabilities for action tracking during simulations.
- Included new scripts for running parallel simulations and testing profile formats.
Maggie Chen
666ghj