* [error-report-web] [PATCH] Post/parser: Use bleach to sanitise XSS input
@ 2021-03-22 17:56 Richard Purdie
  2021-03-23  4:25 ` [yocto] " Khem Raj
  2021-03-23 22:30 ` Yi Fan Yu
  0 siblings, 2 replies; 3+ messages in thread
From: Richard Purdie @ 2021-03-22 17:56 UTC (permalink / raw)
  To: yocto

Instead of searching for "<", use bleach to sanitise input to avoid
any XSS issues.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---
 Post/parser.py | 26 +++++++++-----------------
 1 file changed, 9 insertions(+), 17 deletions(-)

diff --git a/Post/parser.py b/Post/parser.py
index f411e02..536e872 100644
--- a/Post/parser.py
+++ b/Post/parser.py
@@ -9,6 +9,7 @@
 # Licensed under the MIT license, see COPYING.MIT for details
 
 import json, re
+import bleach
 from Post.models import Build, BuildFailure, ErrorType
 from django.conf import settings
 from django.utils import timezone
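Review bot: the new `import bleach` adds a third-party dependency that this hunk does not declare anywhere; add `bleach` (with a minimum version) to the project's `requirements.txt` or equivalent in the same change, otherwise a fresh deployment fails at import time, before any request is handled.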
@@ -19,21 +20,6 @@ class Parser:
     def __init__(self, data):
         self.data = data.decode('utf-8')
 
-    # returns true if the values contain '<' char
-    # Ignore the failures field (which is an array anyway)
-    # Ignore any non-str fields too [YOCTO #14208]
-    def contains_tags (self, data):
-        for key,val in data.items():
-            if key == 'failures':
-                continue
-            
-            if not isinstance(val, str):
-                continue
-
-            if '<' in val:
-                return True
-        return False
-
     def parse(self, request):
         build_fails_logged = []
 
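Review bot: deleting `contains_tags` silently changes the API contract: a submission containing '<' used to be rejected with an error, and will now be accepted and stored in modified form, with no indication to the client that its fields were altered. State that in the commit message, and consider moving the `[YOCTO #14208]` note about non-str fields to the replacement loop so the reason for the `isinstance` check survives the deletion.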
@@ -42,8 +28,14 @@ class Parser:
         except:
              return  { 'error' : 'Invalid json' }
 
-        if self.contains_tags(jsondata) == True:
-            return  { 'error' : 'Invalid characters in json' }
+        # Bleach data going directly into the database so that
+        # displaying in any of the graphing doesn't introduce XSS
+        for key,val in jsondata.items():
+            if key == 'failures':
+                continue
+            if not isinstance(val, str):
+                continue
+            jsondata[key] = bleach.clean(val)
 
         b = Build.objects.create()
         try:
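Review bot: the replacement loop still skips the 'failures' key, so every string inside the nested failure records (the data the graphing pages actually render) reaches the database unsanitised, while the commit message says the change avoids "any XSS issues"; either walk nested dicts and lists recursively or say what gap remains. Two smaller points on `jsondata[key] = bleach.clean(val)`: with its default arguments `bleach.clean()` keeps a whitelist of HTML tags rather than escaping everything, so pass an empty tag list (and consider `strip=True`) if plain text is intended; and cleaning on input does not remove the need for output escaping in the templates and graphing code, which is the control that prevents XSS at render time.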
-- 
2.30.2



* Re: [yocto] [error-report-web] [PATCH] Post/parser: Use bleach to sanitise XSS input
  2021-03-22 17:56 [error-report-web] [PATCH] Post/parser: Use bleach to sanitise XSS input Richard Purdie
@ 2021-03-23  4:25 ` Khem Raj
  2021-03-23 22:30 ` Yi Fan Yu
  1 sibling, 0 replies; 3+ messages in thread
From: Khem Raj @ 2021-03-23  4:25 UTC (permalink / raw)
  To: yocto



On 3/22/21 10:56 AM, Richard Purdie wrote:
> Instead of searching for "<", use bleach to sanitise input to avoid
> any XSS issues.
> 

I will be able to test it once it's installed.

> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
> ---
>   Post/parser.py | 26 +++++++++-----------------
>   1 file changed, 9 insertions(+), 17 deletions(-)
> 
> diff --git a/Post/parser.py b/Post/parser.py
> index f411e02..536e872 100644
> --- a/Post/parser.py
> +++ b/Post/parser.py
> @@ -9,6 +9,7 @@
>   # Licensed under the MIT license, see COPYING.MIT for details
>   
>   import json, re
> +import bleach
>   from Post.models import Build, BuildFailure, ErrorType
>   from django.conf import settings
>   from django.utils import timezone
> @@ -19,21 +20,6 @@ class Parser:
>       def __init__(self, data):
>           self.data = data.decode('utf-8')
>   
> -    # returns true if the values contain '<' char
> -    # Ignore the failures field (which is an array anyway)
> -    # Ignore any non-str fields too [YOCTO #14208]
> -    def contains_tags (self, data):
> -        for key,val in data.items():
> -            if key == 'failures':
> -                continue
> -
> -            if not isinstance(val, str):
> -                continue
> -
> -            if '<' in val:
> -                return True
> -        return False
> -
>       def parse(self, request):
>           build_fails_logged = []
>   
> @@ -42,8 +28,14 @@ class Parser:
>           except:
>                return  { 'error' : 'Invalid json' }
>   
> -        if self.contains_tags(jsondata) == True:
> -            return  { 'error' : 'Invalid characters in json' }
> +        # Bleach data going directly into the database so that
> +        # displaying in any of the graphing doesn't introduce XSS
> +        for key,val in jsondata.items():
> +            if key == 'failures':
> +                continue
> +            if not isinstance(val, str):
> +                continue
> +            jsondata[key] = bleach.clean(val)
>   
>           b = Build.objects.create()
>           try:


* Re: [yocto] [error-report-web] [PATCH] Post/parser: Use bleach to sanitise XSS input
  2021-03-22 17:56 [error-report-web] [PATCH] Post/parser: Use bleach to sanitise XSS input Richard Purdie
  2021-03-23  4:25 ` [yocto] " Khem Raj
@ 2021-03-23 22:30 ` Yi Fan Yu
  1 sibling, 0 replies; 3+ messages in thread
From: Yi Fan Yu @ 2021-03-23 22:30 UTC (permalink / raw)
  To: Richard Purdie, yocto

On 3/22/21 1:56 PM, Richard Purdie wrote:
> Instead of searching for "<", use bleach to sanitise input to avoid
> any XSS issues.
> 
> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
> ---
>   Post/parser.py | 26 +++++++++-----------------
>   1 file changed, 9 insertions(+), 17 deletions(-)
> 
> diff --git a/Post/parser.py b/Post/parser.py
> index f411e02..536e872 100644
> --- a/Post/parser.py
> +++ b/Post/parser.py
> @@ -9,6 +9,7 @@
>   # Licensed under the MIT license, see COPYING.MIT for details
> 
>   import json, re
> +import bleach

Would need to add that to `requirements.txt`.
I tested it quickly and it gave me "bleach not found".

>   from Post.models import Build, BuildFailure, ErrorType
>   from django.conf import settings
>   from django.utils import timezone
> @@ -19,21 +20,6 @@ class Parser:
>       def __init__(self, data):
>           self.data = data.decode('utf-8')
> 
> -    # returns true if the values contain '<' char
> -    # Ignore the failures field (which is an array anyway)
> -    # Ignore any non-str fields too [YOCTO #14208]
> -    def contains_tags (self, data):
> -        for key,val in data.items():
> -            if key == 'failures':
> -                continue
> -
> -            if not isinstance(val, str):
> -                continue
> -
> -            if '<' in val:
> -                return True
> -        return False
> -
>       def parse(self, request):
>           build_fails_logged = []
> 
> @@ -42,8 +28,14 @@ class Parser:
>           except:
>                return  { 'error' : 'Invalid json' }
> 
> -        if self.contains_tags(jsondata) == True:
> -            return  { 'error' : 'Invalid characters in json' }
> +        # Bleach data going directly into the database so that
> +        # displaying in any of the graphing doesn't introduce XSS
> +        for key,val in jsondata.items():
> +            if key == 'failures':
> +                continue
> +            if not isinstance(val, str):
> +                continue
> +            jsondata[key] = bleach.clean(val)
> 
Would it make more sense to bleach/sanitize the raw data before it gets
parsed into a JSON object, so that even 'failures' wouldn't contain any injection?

>           b = Build.objects.create()
>           try:
> --
> 2.30.2

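The two approaches discussed in this thread side by side, as an added example that is not part of the patch or of error-report-web: `sanitize_top_level` mirrors the patch's loop (top-level string values only, 'failures' skipped), and `sanitize_tree` walks the parsed document recursively so the nested failure records are cleaned too, which is what Yi Fan Yu's question is after. It uses the standard library's `html.escape` as a stand-in for `bleach.clean` so it runs without the dependency; the `clean` parameter is where the project would pass `bleach.clean`. The field names and the report payload are constructed for the example. Note that it parses first and cleans afterwards: cleaning the raw bytes before `json.loads()` with an escaper that rewrites double quotes (as `html.escape` does) would corrupt the JSON syntax itself.

```python
import html
import json
from typing import Any, Callable

# Stand-in for bleach.clean so the example runs offline; in the project the
# caller would pass bleach.clean here (hypothetical wiring, not project code).
Cleaner = Callable[[str], str]


def sanitize_top_level(data: dict, clean: Cleaner = html.escape) -> dict:
    """Mirror of the patch's loop: clean only top-level string values and
    skip the 'failures' key entirely. Nested strings are left untouched."""
    for key, val in data.items():
        if key == 'failures':
            continue
        if not isinstance(val, str):
            continue
        data[key] = clean(val)
    return data


def sanitize_tree(value: Any, clean: Cleaner = html.escape) -> Any:
    """Clean every string leaf of a parsed JSON document, descending into
    lists and dicts, so nested failure records are covered as well.
    Non-string scalars (numbers, booleans, None) are returned unchanged."""
    if isinstance(value, str):
        return clean(value)
    if isinstance(value, list):
        return [sanitize_tree(v, clean) for v in value]
    if isinstance(value, dict):
        return {k: sanitize_tree(v, clean) for k, v in value.items()}
    return value


def sanitize_report(raw: bytes, clean: Cleaner = html.escape):
    """Parse first, then sanitize the structure. A non-object document is
    rejected the same way as malformed JSON, matching the parser's
    {'error': 'Invalid json'} convention."""
    try:
        data = json.loads(raw.decode('utf-8'))
    except (UnicodeDecodeError, ValueError):  # JSONDecodeError is a ValueError
        return {'error': 'Invalid json'}
    if not isinstance(data, dict):
        return {'error': 'Invalid json'}
    return sanitize_tree(data, clean)


# Constructed sample report; field names and markup are illustrative only.
SAMPLE_REPORT = json.dumps({
    "machine": "qemux86-64",
    "build_sys": "<script>alert(1)</script>",
    "build_number": 123,
    "failures": [
        {"package": "example-pkg",
         "error_details": "<b>ERROR</b>: cc1: internal compiler error"},
    ],
}).encode('utf-8')


if __name__ == '__main__':
    flat = sanitize_top_level(json.loads(SAMPLE_REPORT))
    deep = sanitize_report(SAMPLE_REPORT)
    print("top-level only :", flat["failures"][0]["error_details"])
    print("recursive      :", deep["failures"][0]["error_details"])
```

Running the block prints the nested `error_details` string twice: untouched after the top-level pass, escaped after the recursive one. Whichever cleaner is plugged in, the stored value is only defence in depth; the templates and graphing code still have to escape on output.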
