
Conversation

@nitya
Member

@nitya nitya commented Oct 14, 2025

No description provided.

nitya added 7 commits October 14, 2025 04:01
- Configure key-based authentication in cognitiveservices.bicep
- Add comprehensive .gitignore for Azure and Python projects
- Update README.md with clearer project objectives
- Enhance setup script with Bicep authentication modifications
- Expand documentation with detailed deployment instructions
added custom template
@github-advanced-security

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

response = JSONResponse(content=content)

# Update cookies to persist the thread and agent IDs.
response.set_cookie("thread_id", thread_id)

Check warning

Code scanning / CodeQL

Failure to use secure cookies (Medium)

Cookie is added without the Secure and HttpOnly attributes properly set.

Copilot Autofix

AI 2 months ago

To fix the problem, update the cookie-setting lines (271 and 272) so the cookies are set with secure=True, httponly=True, and samesite='Strict' (or 'Lax', depending on the application's requirements; 'Strict' is safest). This change only affects the arguments to response.set_cookie and does not alter existing functionality, except to make the cookies more resistant to network and script-based attacks. No imports or additional definitions are needed for this, as FastAPI (built atop Starlette) supports these flags directly.

Suggested changeset 1
.azd-setup/src/api/routes.py

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.azd-setup/src/api/routes.py b/.azd-setup/src/api/routes.py
--- a/.azd-setup/src/api/routes.py
+++ b/.azd-setup/src/api/routes.py
@@ -268,8 +268,8 @@
         response = JSONResponse(content=content)
     
         # Update cookies to persist the thread and agent IDs.
-        response.set_cookie("thread_id", thread_id)
-        response.set_cookie("agent_id", agent_id)
+        response.set_cookie("thread_id", thread_id, secure=True, httponly=True, samesite='Strict')
+        response.set_cookie("agent_id", agent_id, secure=True, httponly=True, samesite='Strict')
         return response
     except Exception as e:
         logger.error(f"Error listing message: {e}")
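Review bot: samesite='Strict' on the thread_id and agent_id cookies (the two `+` lines) means a browser arriving at the app by a top-level navigation from another site, such as a link in mail or chat, sends neither cookie, so the conversation silently starts a new thread instead of resuming; the other autofix for the same two lines uses 'Lax', which still blocks cross-site POST and fetch but allows that navigation. Pick one value for both call sites and record the reason in a comment. Also note that secure=True makes browsers drop the cookie over plain http, so local development without TLS needs the flag tied to the deployment environment rather than hard-coded.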
EOF
Copilot is powered by AI and may make mistakes. Always verify output.
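The cookie alert above comes down to three Set-Cookie attributes. As an added example, not code from this repository or from the autofix, the block below builds a hardened Set-Cookie value with the standard library's http.cookies (emitting the same Secure/HttpOnly/SameSite attributes that Starlette's response.set_cookie(..., secure=True, httponly=True, samesite=...) writes) and audits raw Set-Cookie header values the way the CodeQL check does, additionally flagging cookies that carry no Max-Age or Expires and therefore will not outlive the browser session. The function names, the Lax default, and the sample cookie values are my own choices.

```python
# Added example (not from the repository under review): build hardened
# Set-Cookie values with the standard library and audit existing ones.
import logging
from http.cookies import SimpleCookie
from typing import Dict, List, Optional

logger = logging.getLogger(__name__)

# SameSite values the audit accepts: both block cross-site cookie sends.
ALLOWED_SAMESITE = ("Lax", "Strict")


def build_set_cookie(name: str, value: str, *, secure: bool = True,
                     httponly: bool = True, samesite: str = "Lax",
                     max_age: Optional[int] = None, path: str = "/") -> str:
    """Return one Set-Cookie header value with the hardening attributes applied.

    Mirrors the keyword arguments of Starlette's response.set_cookie; the
    defaults here (Lax, HttpOnly, Secure, session lifetime) are my choice.
    """
    if samesite not in ("Lax", "Strict", "None"):
        raise ValueError(f"invalid samesite value: {samesite!r}")
    if samesite == "None" and not secure:
        # Browsers discard SameSite=None cookies that are not also Secure.
        raise ValueError("samesite='None' requires secure=True")
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["path"] = path
    morsel["secure"] = secure        # emitted as the bare 'Secure' flag when True
    morsel["httponly"] = httponly    # emitted as 'HttpOnly' when True
    morsel["samesite"] = samesite
    if max_age is not None:
        morsel["max-age"] = max_age  # without this the cookie is session-scoped
    return morsel.OutputString()


def audit_set_cookie(header_value: str) -> Dict[str, object]:
    """Parse a raw Set-Cookie value and report which protections are missing."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        if "=" in part:
            key, val = part.split("=", 1)
            attrs[key.strip().lower()] = val.strip()
        else:
            attrs[part.lower()] = True   # bare flags: Secure, HttpOnly
    missing: List[str] = []
    if not attrs.get("secure"):
        missing.append("Secure")
    if not attrs.get("httponly"):
        missing.append("HttpOnly")
    if str(attrs.get("samesite", "")).capitalize() not in ALLOWED_SAMESITE:
        missing.append("SameSite=Lax|Strict")
    session_only = "max-age" not in attrs and "expires" not in attrs
    return {"name": name, "missing": missing, "session_only": session_only}


def audit_headers(set_cookie_values: List[str]) -> List[Dict[str, object]]:
    """Audit every Set-Cookie value of a response and log the findings."""
    findings = []
    for raw in set_cookie_values:
        result = audit_set_cookie(raw)
        if result["missing"]:
            logger.warning("cookie %s missing %s", result["name"],
                           ", ".join(result["missing"]))
        findings.append(result)
    return findings


if __name__ == "__main__":
    # Constructed sample: the two cookies from the alert, before and after the fix.
    before = ["thread_id=thr_0123; Path=/", "agent_id=agt_0456; Path=/"]
    after = [build_set_cookie("thread_id", "thr_0123", max_age=3600),
             build_set_cookie("agent_id", "agt_0456", max_age=3600)]
    logging.basicConfig(level=logging.INFO)
    for label, headers in (("before", before), ("after", after)):
        for finding in audit_headers(headers):
            print(label, finding)
```

audit_headers can be pointed at the Set-Cookie values of a test client's response in CI, which catches a regression to the bare set_cookie call before CodeQL does; the session_only field exists because the code comment in the alert says the cookies "persist" the IDs, and a cookie with no Max-Age or Expires does not.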

# Update cookies to persist the thread and agent IDs.
response.set_cookie("thread_id", thread_id)
response.set_cookie("agent_id", agent_id)

Check warning

Code scanning / CodeQL

Failure to use secure cookies (Medium)

Cookie is added without the Secure and HttpOnly attributes properly set.

Copilot Autofix

AI 2 months ago

To fix this problem, set the secure, httponly, and samesite attributes explicitly when calling response.set_cookie for both "thread_id" and "agent_id". This should be done on lines 271 and 272. The best practice is to set secure=True (sent only over HTTPS), httponly=True (not accessible to JS), and samesite='Lax' (prevents CSRF by limiting cross-origin cookie sending). This change should not affect functionality but will ensure cookies are sent safely. No additional imports are needed because the attributes are supported directly by the FastAPI/Starlette API.


Suggested changeset 1
.azd-setup/src/api/routes.py

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.azd-setup/src/api/routes.py b/.azd-setup/src/api/routes.py
--- a/.azd-setup/src/api/routes.py
+++ b/.azd-setup/src/api/routes.py
@@ -268,8 +268,8 @@
         response = JSONResponse(content=content)
     
         # Update cookies to persist the thread and agent IDs.
-        response.set_cookie("thread_id", thread_id)
-        response.set_cookie("agent_id", agent_id)
+        response.set_cookie("thread_id", thread_id, secure=True, httponly=True, samesite='Lax')
+        response.set_cookie("agent_id", agent_id, secure=True, httponly=True, samesite='Lax')
         return response
     except Exception as e:
         logger.error(f"Error listing message: {e}")
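Review bot: the comment in the hunk says these cookies "persist the thread and agent IDs", but neither set_cookie call sets max_age or expires, so both remain session cookies that disappear when the browser closes; if persistence across sessions is intended, add an explicit max_age, and if not, reword the comment. The same pair of set_cookie calls appears again at lines 349-350 of this file, and the autofix suggestions for the two sites already disagree on 'Strict' versus 'Lax'; a small helper that sets the attributes in one place keeps the two sites from drifting apart.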
EOF
logger.info(f"Starting streaming response for thread ID {thread_id}")

# Create the streaming response using the generator.
response = StreamingResponse(get_result(request, thread_id, agent_id, ai_project, app_insights_conn_str, carrier), headers=headers)

Check warning

Code scanning / CodeQL

Information exposure through an exception (Medium)

Stack trace information flows to this location and may be exposed to an external user.

Copilot Autofix

AI 2 months ago

To address the information exposure through exception error, we should ensure that details of exceptions are logged on the server, but clients only receive a generic error message. In .azd-setup/src/api/routes.py, inside the get_result generator function, in the exception handling block (lines 221-223), replace str(e) with a fixed, non-revealing string, such as "An internal error has occurred." The logger will still store the full exception (including stack trace) for server-side review.
No new imports or methods are required, since logging is already present. Only the relevant yield serialize_sse_event(...) line needs changing.


Suggested changeset 1
.azd-setup/src/api/routes.py

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.azd-setup/src/api/routes.py b/.azd-setup/src/api/routes.py
--- a/.azd-setup/src/api/routes.py
+++ b/.azd-setup/src/api/routes.py
@@ -220,7 +220,7 @@
                         logger.debug("Event received but no data to yield")
         except Exception as e:
             logger.exception(f"Exception in get_result: {e}")
-            yield serialize_sse_event({'type': "error", 'message': str(e)})
+            yield serialize_sse_event({'type': "error", 'message': "An internal error has occurred."})
 
 
 @router.get("/chat/history")
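Review bot: replacing str(e) with a fixed message is right, but as written the client is left with nothing it can report; include an opaque correlation id (for example a uuid generated when the stream starts) in both the logger.exception call and the yielded error event, so a user-reported failure can be matched to the server-side traceback. Worth a comment in the code as well: because this generator feeds a StreamingResponse, the 200 status and headers have already gone out by the time the except block runs, so this SSE error frame is the only failure signal the client ever sees and the front end must treat a type "error" event as terminal. The f-string in logger.exception is harmless but redundant, since logger.exception already records the exception and its traceback.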
EOF
Copilot is powered by AI and may make mistakes. Always verify output.
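The autofix above keeps the exception text away from the client but leaves the client with nothing to report. As an added example, not code from this repository, the block below is a stand-in for the get_result generator: it logs the full traceback under a correlation id and yields an SSE error frame that carries only a generic message and that id. serialize_sse_event, failing_source, the "data: <json>" frame format and the constructed error text are my own assumptions, not the project's helpers.

```python
# Added example (not from the repository under review): an SSE error path
# that keeps exception details on the server and gives the client only a
# generic message plus a correlation id. serialize_sse_event and
# failing_source are my own stand-ins for the project's helpers.
import json
import logging
import uuid
from typing import Dict, Iterable, Iterator, List, Optional, Tuple

logger = logging.getLogger("sse_example")

GENERIC_ERROR = "An internal error has occurred."


def serialize_sse_event(event: Dict[str, object]) -> str:
    """Format one Server-Sent Events frame as 'data: <json>\\n\\n' (assumed format)."""
    return f"data: {json.dumps(event)}\n\n"


def parse_sse_frame(frame: str) -> Dict[str, object]:
    """Inverse of serialize_sse_event, used to inspect what the client would see."""
    assert frame.startswith("data: ")
    return json.loads(frame[len("data: "):].strip())


def guarded_stream(source: Iterable[str],
                   correlation_id: Optional[str] = None) -> Iterator[str]:
    """Yield message frames from `source`; on failure log the traceback under a
    correlation id and yield one generic error frame carrying only that id."""
    cid = correlation_id or uuid.uuid4().hex
    try:
        for chunk in source:
            yield serialize_sse_event({"type": "message", "data": chunk})
    except Exception:
        # logger.exception attaches the stack trace server-side; no field of the
        # exception object is copied into the frame sent to the client.
        logger.exception("Exception in stream (correlation_id=%s)", cid)
        yield serialize_sse_event({"type": "error", "message": GENERIC_ERROR,
                                   "correlation_id": cid})


def failing_source(chunks: List[str], error_text: str) -> Iterator[str]:
    """Constructed stand-in for a backend stream that fails after some chunks."""
    for chunk in chunks:
        yield chunk
    raise RuntimeError(error_text)


class _ListHandler(logging.Handler):
    """Collects formatted log records so the server-side view can be checked."""

    def __init__(self) -> None:
        super().__init__()
        self.lines: List[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


def run_stream(source: Iterable[str],
               correlation_id: str) -> Tuple[List[Dict[str, object]], List[str]]:
    """Drive guarded_stream to completion; return (client frames, server log lines)."""
    handler = _ListHandler()
    logger.addHandler(handler)
    try:
        frames = [parse_sse_frame(f) for f in guarded_stream(source, correlation_id)]
    finally:
        logger.removeHandler(handler)
    return frames, handler.lines


if __name__ == "__main__":
    # Constructed failure whose text contains the kind of detail that must not leak.
    src = failing_source(["hello", "world"], "db password=hunter2 at /srv/app/db.py:42")
    frames, log_lines = run_stream(src, "cid-demo-0001")
    for frame in frames:
        print("client sees:", frame)
    print("server log:", log_lines[0].splitlines()[0], "... (traceback follows)")
```

run_stream exists so the two views can be compared side by side: the client frames never contain the exception text, while the single server log line contains both the correlation id and the full traceback, which is what makes the generic message actionable.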
response = StreamingResponse(get_result(request, thread_id, agent_id, ai_project, app_insights_conn_str, carrier), headers=headers)

# Update cookies to persist the thread and agent IDs.
response.set_cookie("thread_id", thread_id)

Check warning

Code scanning / CodeQL

Failure to use secure cookies (Medium)

Cookie is added without the Secure and HttpOnly attributes properly set.

Copilot Autofix

AI 2 months ago

To fix the problem, set the secure, httponly, and samesite flags explicitly when calling response.set_cookie.

  • secure=True ensures the cookie is only sent over HTTPS.
  • httponly=True makes the cookie inaccessible to client-side JavaScript.
  • samesite='Lax' (or 'Strict' if strictest CSRF protection is desired) limits the contexts in which the cookie is sent, mitigating CSRF.

Best fixed by:

  • In file .azd-setup/src/api/routes.py, lines 349-350, update the set_cookie calls to include: secure=True, httponly=True, samesite='Lax'.

No imports or other code changes are needed, as StreamingResponse.set_cookie supports these parameters directly.


Suggested changeset 1
.azd-setup/src/api/routes.py

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.azd-setup/src/api/routes.py b/.azd-setup/src/api/routes.py
--- a/.azd-setup/src/api/routes.py
+++ b/.azd-setup/src/api/routes.py
@@ -346,8 +346,8 @@
         response = StreamingResponse(get_result(request, thread_id, agent_id, ai_project, app_insights_conn_str, carrier), headers=headers)
 
         # Update cookies to persist the thread and agent IDs.
-        response.set_cookie("thread_id", thread_id)
-        response.set_cookie("agent_id", agent_id)
+        response.set_cookie("thread_id", thread_id, secure=True, httponly=True, samesite='Lax')
+        response.set_cookie("agent_id", agent_id, secure=True, httponly=True, samesite='Lax')
         return response
 
 def read_file(path: str) -> str:
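Review bot: these set_cookie calls run on a StreamingResponse, so the Set-Cookie headers go out with the response head before the get_result generator produces anything; that is fine mechanically, but it also means a failure inside the generator (the SSE error path in the earlier hunk) leaves the client holding a thread_id cookie for a thread whose last turn never completed. Make sure thread_id is already a valid, created thread before this point and that the history route tolerates a thread with no completed messages, and keep the samesite value here in step with whatever is chosen for the same two calls at lines 271-272.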
EOF

# Update cookies to persist the thread and agent IDs.
response.set_cookie("thread_id", thread_id)
response.set_cookie("agent_id", agent_id)

Check warning

Code scanning / CodeQL

Failure to use secure cookies (Medium)

Cookie is added without the Secure and HttpOnly attributes properly set.

Copilot Autofix

AI 2 months ago

To fix this issue, both cookie-setting calls on lines 349 and 350 should use secure attributes to protect them. Update each call to response.set_cookie to specify secure=True, httponly=True, and samesite='Strict'. This is accomplished by editing only these lines within the file .azd-setup/src/api/routes.py. No additional imports or restructuring are required. These changes will ensure that these cookies are only sent over HTTPS, are not accessible client-side from JavaScript, and are protected against cross-origin requests.

Suggested changeset 1
.azd-setup/src/api/routes.py

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.azd-setup/src/api/routes.py b/.azd-setup/src/api/routes.py
--- a/.azd-setup/src/api/routes.py
+++ b/.azd-setup/src/api/routes.py
@@ -346,8 +346,8 @@
         response = StreamingResponse(get_result(request, thread_id, agent_id, ai_project, app_insights_conn_str, carrier), headers=headers)
 
         # Update cookies to persist the thread and agent IDs.
-        response.set_cookie("thread_id", thread_id)
-        response.set_cookie("agent_id", agent_id)
+        response.set_cookie("thread_id", thread_id, secure=True, httponly=True, samesite='Strict')
+        response.set_cookie("agent_id", agent_id, secure=True, httponly=True, samesite='Strict')
         return response
 
 def read_file(path: str) -> str:
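Review bot: this is the second autofix for the same two lines with a different samesite value ('Strict' here, 'Lax' in the previous one); the second patch applied will fail because its context no longer matches, so apply exactly one of them. Beyond the flags, these cookie values are what later selects the conversation (see the /chat/history route in the earlier hunk); if the thread_id cookie is the only input that decides which thread is read, Secure and HttpOnly stop the value leaking over plaintext or to page scripts but do not bind the thread to an authenticated user, so the history route should confirm server-side that the thread belongs to the caller before returning it.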
EOF
@nitya nitya merged commit aa3bacf into msignite25-prel13 Oct 14, 2025
7 checks passed