From 80e3c7354be7639ddda65add1cec71825feb1bb6 Mon Sep 17 00:00:00 2001
From: Andrew Pollock
Date: Tue, 12 Nov 2024 10:54:31 +0000
Subject: [PATCH] fix(frontend): avoid CodeQL CWE-601

IMO the original code was validating the input, but this should make it more explicit
---
 gcp/appengine/frontend_handlers.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/gcp/appengine/frontend_handlers.py b/gcp/appengine/frontend_handlers.py
index 753cad7fed3..bb4c72ca6fa 100644
--- a/gcp/appengine/frontend_handlers.py
+++ b/gcp/appengine/frontend_handlers.py
@@ -273,9 +273,9 @@ def vulnerability_redirector(potential_vuln_id):
     return None
 
   # This may raise an exception directly or via abort() for failed retrievals.
-  _ = osv_get_by_id(potential_vuln_id)
+  bug = osv_get_by_id(potential_vuln_id)
 
-  return redirect(f'/vulnerability/{potential_vuln_id}')
+  return redirect(f'/vulnerability/{bug["id"]}')
 
 
 @blueprint.route('/.json')
@@ -289,13 +289,13 @@ def vulnerability_json_redirector(potential_vuln_id):
     return None
 
   # This calls abort() on failed retrievals.
-  _ = osv_get_by_id(potential_vuln_id)
+  bug = osv_get_by_id(potential_vuln_id)
 
   if utils.is_prod():
     api_url = 'api.osv.dev'
   else:
     api_url = 'api.test.osv.dev'
 
-  return redirect(f'https://{api_url}/v1/vulns/{potential_vuln_id}')
+  return redirect(f'https://{api_url}/v1/vulns/{bug["id"]}')
 
 
 def bug_to_response(bug, detailed=True):
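Review bot: The comment above the new `bug = osv_get_by_id(potential_vuln_id)` line still only describes the failure mode, so the reason the redirect now interpolates `bug["id"]` rather than the request-supplied `potential_vuln_id` is not recorded in the code; the same applies to the second hunk in `vulnerability_json_redirector`. I would extend that comment in both places to `# Build the redirect target from the stored record's id, not the request path, so the destination is never derived directly from user input (CWE-601).` This assumes `osv_get_by_id` returns a mapping with an `"id"` key, which neither hunk shows; the `bug_to_response(bug, ...)` signature at the end of the second hunk suggests it, but it is worth confirming. If a stored id could ever contain reserved URL characters, writing the segment as `{urllib.parse.quote(bug["id"], safe="")}` in both f-strings would keep it to a single path component. The signatures of `vulnerability_redirector` and `vulnerability_json_redirector`, and the validation that precedes each `return None`, lie outside the hunks.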