Fix issues (cont.)

Author: Cybonto

app/utils/monitoring.py

@@ -184,10 +184,10 @@ async def get_system_metrics() -> Dict[str, Any]:
         }
 
     except Exception as e:
-        logger.error("Failed to get system metrics", error=str(e))
+        logger.error("Failed to get system metrics", error=str(e), exception_type=type(e).__name__)
         return {
             "timestamp": time.time(),
-            "error": str(e),
+            "metrics_error": True,
             "application": resource_usage.copy(),
         }
 
@@ -267,8 +267,8 @@ async def check_dependency_health(cache_ttl: int = 10) -> Dict[str, Any]:
             cache_healthy = False
 
         if isinstance(metrics, Exception):
-            logger.error("System metrics exception", error=str(metrics))
-            metrics = {"error": str(metrics)}
+            logger.error("System metrics exception", error=str(metrics), exception_type=type(metrics).__name__)
+            metrics = {"metrics_error": True}
 
         total_duration = time.time() - start_time
 
@@ -294,10 +294,10 @@ async def check_dependency_health(cache_ttl: int = 10) -> Dict[str, Any]:
         return result
 
     except Exception as e:
-        logger.error("Dependency health check failed", error=str(e))
+        logger.error("Dependency health check failed", error=str(e), exception_type=type(e).__name__, stack_info=True)
         return {
             "overall_healthy": False,
-            "error": str(e),
+            "metrics_error": True,
             "check_duration_seconds": time.time() - start_time,
         }
 

tests/unit/pre_audit/reporting/test_input_validator.py

@@ -68,6 +68,11 @@ def test_validate_string_blocks_xss_patterns(self, validator):
             "expression(alert('XSS'))",
             "vbscript:msgbox('XSS')",
             "data:text/html,<script>alert('XSS')</script>",
+            # Test malformed end tags that browsers accept (CodeQL py/bad-tag-filter fix)
+            "<script>alert('XSS')</script foo='bar'>",  # Malformed end tag with attributes
+            "<script>alert('XSS')</script\tfoo>",  # Malformed with tab and attribute
+            "<script>alert('XSS')</script\nbar>",  # Malformed with newline
+            "<style>body{background:url(evil.com)}</style attr='test'>",  # Malformed style end tag
         ]
 
         for pattern in xss_patterns:

tests/unit/utils/test_monitoring.py

@@ -207,9 +207,9 @@ async def test_get_system_metrics_exception(self) -> None:
             metrics = await get_system_metrics()
 
             assert "timestamp" in metrics
-            assert "error" in metrics
+            assert "metrics_error" in metrics
             assert "application" in metrics
-            assert metrics["error"] == "psutil error"
+            assert metrics["metrics_error"] is True  # Generic error indicator, no detail exposure
 
 
 class TestConnectionCounting:

tools/pre_audit/reporting/security/input_validator.py

@@ -42,15 +42,16 @@ class InputValidator:
     # Dangerous patterns to block - comprehensive security patterns
     DANGEROUS_PATTERNS = [
         # Block script tags with comprehensive patterns to prevent XSS
-        re.compile(r"<\s*script[^>]*>.*?<\s*/\s*script\s*>", re.IGNORECASE | re.DOTALL),
+        # Fixed: Handle malformed end tags that browsers accept
+        re.compile(r"<\s*script[^>]*>.*?<\s*/\s*script[^>]*>", re.IGNORECASE | re.DOTALL),
         re.compile(r"<\s*script[^>]*>", re.IGNORECASE),
-        re.compile(r"</\s*script\s*>", re.IGNORECASE),
+        re.compile(r"</\s*script[^>]*>", re.IGNORECASE),  # Handles </script foo="bar">
         # Block other dangerous tags
         re.compile(r"<\s*iframe[^>]*>", re.IGNORECASE),
         re.compile(r"<\s*object[^>]*>", re.IGNORECASE),
         re.compile(r"<\s*embed[^>]*>", re.IGNORECASE),
         re.compile(r"<\s*link[^>]*>", re.IGNORECASE),
-        re.compile(r"<\s*style[^>]*>.*?</\s*style\s*>", re.IGNORECASE | re.DOTALL),
+        re.compile(r"<\s*style[^>]*>.*?</\s*style[^>]*>", re.IGNORECASE | re.DOTALL),  # Also fix style tag
         # Block protocol handlers and event handlers
         re.compile(r"javascript:", re.IGNORECASE),
         re.compile(r"on\w+\s*=", re.IGNORECASE),  # onclick, onerror, etc.