* [error-report-web] [PATCH] Post/parser: Use bleach to sanitise XSS input
@ 2021-03-22 17:56 Richard Purdie
From: Richard Purdie @ 2021-03-22 17:56 UTC (permalink / raw)
To: yocto
Instead of searching for "<", use bleach to sanitise input to avoid
any XSS issues.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---
Post/parser.py | 26 +++++++++-----------------
1 file changed, 9 insertions(+), 17 deletions(-)
diff --git a/Post/parser.py b/Post/parser.py
index f411e02..536e872 100644
--- a/Post/parser.py
+++ b/Post/parser.py
@@ -9,6 +9,7 @@
# Licensed under the MIT license, see COPYING.MIT for details
import json, re
+import bleach
from Post.models import Build, BuildFailure, ErrorType
from django.conf import settings
from django.utils import timezone
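Review bot: the new `import bleach` adds a third-party dependency that this patch does not declare; add `bleach` to `requirements.txt` in the same change, otherwise a fresh install fails with ModuleNotFoundError at import time, before any request is parsed. Pinning the version would also let the default tag allowlist that `bleach.clean` applies be reviewed deliberately rather than change underneath a later `pip install -U`.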
@@ -19,21 +20,6 @@ class Parser:
def __init__(self, data):
self.data = data.decode('utf-8')
- # returns true if the values contain '<' char
- # Ignore the failures field (which is an array anyway)
- # Ignore any non-str fields too [YOCTO #14208]
- def contains_tags (self, data):
- for key,val in data.items():
- if key == 'failures':
- continue
-
- if not isinstance(val, str):
- continue
-
- if '<' in val:
- return True
- return False
-
def parse(self, request):
build_fails_logged = []
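Review bot: dropping `contains_tags` silently changes the API contract from reject to rewrite: a submission containing '<' previously got an 'Invalid characters in json' error back, while after this patch it is accepted and its fields are stored in modified form; the commit message should say so, since any client that checked for that error will no longer see it. The '[YOCTO #14208]' reference explaining why non-str fields are skipped is lost together with the removed comment; carry it over to the new loop so the next reader knows the `isinstance` check is deliberate.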
@@ -42,8 +28,14 @@ class Parser:
except:
return { 'error' : 'Invalid json' }
- if self.contains_tags(jsondata) == True:
- return { 'error' : 'Invalid characters in json' }
+ # Bleach data going directly into the database so that
+ # displaying in any of the graphing doesn't introduce XSS
+ for key,val in jsondata.items():
+ if key == 'failures':
+ continue
+ if not isinstance(val, str):
+ continue
+ jsondata[key] = bleach.clean(val)
b = Build.objects.create()
try:
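Review bot: the loop at `for key,val in jsondata.items()` still skips `failures`, so strings nested in that list (and in any other nested dict or list) reach the database unsanitised, and the stored-XSS exposure this patch is meant to close remains for those fields; either recurse into lists and dicts here, or sanitise at the point where the `BuildFailure` rows are built from them. Also, `bleach.clean(val)` with no arguments keeps bleach's default tag allowlist (`<b>`, `<a href=...>` and a few others), which these report fields never legitimately need; `bleach.clean(val, tags=[], attributes={})` escapes every tag. The bare `except:` in the context lines is pre-existing but swallows everything, including KeyboardInterrupt; `except ValueError:` matches what `json.loads` raises.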
--
2.30.2
* Re: [yocto] [error-report-web] [PATCH] Post/parser: Use bleach to sanitise XSS input
From: Khem Raj @ 2021-03-23 4:25 UTC (permalink / raw)
To: yocto
On 3/22/21 10:56 AM, Richard Purdie wrote:
> Instead of searching for "<", use bleach to sanitise input to avoid
> any XSS issues.
>
I will be able to test it once it's installed.
> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
> ---
> Post/parser.py | 26 +++++++++-----------------
> 1 file changed, 9 insertions(+), 17 deletions(-)
>
> diff --git a/Post/parser.py b/Post/parser.py
> index f411e02..536e872 100644
> --- a/Post/parser.py
> +++ b/Post/parser.py
> @@ -9,6 +9,7 @@
> # Licensed under the MIT license, see COPYING.MIT for details
>
> import json, re
> +import bleach
> from Post.models import Build, BuildFailure, ErrorType
> from django.conf import settings
> from django.utils import timezone
> @@ -19,21 +20,6 @@ class Parser:
> def __init__(self, data):
> self.data = data.decode('utf-8')
>
> - # returns true if the values contain '<' char
> - # Ignore the failures field (which is an array anyway)
> - # Ignore any non-str fields too [YOCTO #14208]
> - def contains_tags (self, data):
> - for key,val in data.items():
> - if key == 'failures':
> - continue
> -
> - if not isinstance(val, str):
> - continue
> -
> - if '<' in val:
> - return True
> - return False
> -
> def parse(self, request):
> build_fails_logged = []
>
> @@ -42,8 +28,14 @@ class Parser:
> except:
> return { 'error' : 'Invalid json' }
>
> - if self.contains_tags(jsondata) == True:
> - return { 'error' : 'Invalid characters in json' }
> + # Bleach data going directly into the database so that
> + # displaying in any of the graphing doesn't introduce XSS
> + for key,val in jsondata.items():
> + if key == 'failures':
> + continue
> + if not isinstance(val, str):
> + continue
> + jsondata[key] = bleach.clean(val)
>
> b = Build.objects.create()
> try:
* Re: [yocto] [error-report-web] [PATCH] Post/parser: Use bleach to sanitise XSS input
From: Yi Fan Yu @ 2021-03-23 22:30 UTC (permalink / raw)
To: Richard Purdie, yocto
On 3/22/21 1:56 PM, Richard Purdie wrote:
>
> Instead of searching for "<", use bleach to sanitise input to avoid
> any XSS issues.
>
> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
> ---
> Post/parser.py | 26 +++++++++-----------------
> 1 file changed, 9 insertions(+), 17 deletions(-)
>
> diff --git a/Post/parser.py b/Post/parser.py
> index f411e02..536e872 100644
> --- a/Post/parser.py
> +++ b/Post/parser.py
> @@ -9,6 +9,7 @@
> # Licensed under the MIT license, see COPYING.MIT for details
>
> import json, re
> +import bleach
Would need to add that to `requirements.txt`.
I tested it quickly and it gave me "bleach not found".
> from Post.models import Build, BuildFailure, ErrorType
> from django.conf import settings
> from django.utils import timezone
> @@ -19,21 +20,6 @@ class Parser:
> def __init__(self, data):
> self.data = data.decode('utf-8')
>
> - # returns true if the values contain '<' char
> - # Ignore the failures field (which is an array anyway)
> - # Ignore any non-str fields too [YOCTO #14208]
> - def contains_tags (self, data):
> - for key,val in data.items():
> - if key == 'failures':
> - continue
> -
> - if not isinstance(val, str):
> - continue
> -
> - if '<' in val:
> - return True
> - return False
> -
> def parse(self, request):
> build_fails_logged = []
>
> @@ -42,8 +28,14 @@ class Parser:
> except:
> return { 'error' : 'Invalid json' }
>
> - if self.contains_tags(jsondata) == True:
> - return { 'error' : 'Invalid characters in json' }
> + # Bleach data going directly into the database so that
> + # displaying in any of the graphing doesn't introduce XSS
> + for key,val in jsondata.items():
> + if key == 'failures':
> + continue
> + if not isinstance(val, str):
> + continue
> + jsondata[key] = bleach.clean(val)
>
Would it make more sense to bleach/sanitize the raw data before it got
parsed into a JSON object, so even 'failures' wouldn't contain any injection?
> b = Build.objects.create()
> try:
> --
> 2.30.2
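An added example, not error-report-web code and not from any participant in this thread, showing the recursive sanitisation that the question about `failures` above points at: the patch's loop cleans only top-level string values, so strings inside the `failures` list (or any other nested dict or list) would reach the database untouched. The walker below visits every string leaf, so nesting depth no longer matters. `html.escape` from the standard library stands in for `bleach.clean` so the example runs without the bleach dependency the thread notes is missing from `requirements.txt`; in a project with bleach installed, `bleach.clean(val, tags=[], attributes={})` is the drop-in replacement for `escape_markup`. The field names in the constructed sample report are assumed, not taken from the project.

```python
"""Recursive sanitiser for an error-report JSON body (added example,
not error-report-web code)."""
import html
import json
from typing import Any, Callable

Sanitiser = Callable[[str], str]


def escape_markup(value: str) -> str:
    """Stand-in for bleach.clean(val, tags=[], attributes={}):
    neutralise <, >, &, and quotes so the stored value renders inert."""
    return html.escape(value, quote=True)


def sanitise_tree(node: Any, clean: Sanitiser = escape_markup) -> Any:
    """Return a copy of `node` with every str leaf passed through `clean`.

    Dicts and lists are recursed into, so strings nested inside
    'failures' (or anywhere else) are covered; non-string scalars
    (int, float, bool, None) are returned unchanged.
    """
    if isinstance(node, str):
        return clean(node)
    if isinstance(node, dict):
        return {key: sanitise_tree(val, clean) for key, val in node.items()}
    if isinstance(node, list):
        return [sanitise_tree(item, clean) for item in node]
    return node


def sanitise_report(raw: bytes, clean: Sanitiser = escape_markup) -> dict:
    """Decode and parse a raw request body, then sanitise every string.

    Mirrors the decode -> json.loads -> clean flow of Post/parser.py but
    covers nested values. Raises ValueError on malformed input so the
    caller can return its own 'Invalid json' error.
    """
    try:
        data = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError("Invalid json") from exc
    if not isinstance(data, dict):
        raise ValueError("Invalid json")
    return sanitise_tree(data, clean)


def contains_markup(node: Any) -> bool:
    """True if any string anywhere in the tree still contains '<' or '>'.

    A post-condition check for the sanitiser; it is what the old
    contains_tags() did, extended to nested values.
    """
    if isinstance(node, str):
        return "<" in node or ">" in node
    if isinstance(node, dict):
        return any(contains_markup(v) for v in node.values())
    if isinstance(node, list):
        return any(contains_markup(v) for v in node)
    return False


# Constructed sample report (field names assumed): markup sits both at
# the top level and nested inside 'failures', where a top-level-only
# loop would not look.
SAMPLE_REPORT = json.dumps({
    "machine": "qemux86-64",
    "build_sys": "x86_64-linux",
    "distro": "poky <script>alert(1)</script>",
    "target_sys": "x86_64-poky-linux",
    "failures": [
        {"package": "zlib-1.2.11", "task": "do_compile",
         "log": "error: <script>alert(1)</script> in log"}
    ],
}).encode("utf-8")


def demo() -> dict:
    """Sanitise the sample report and return the cleaned structure."""
    cleaned = sanitise_report(SAMPLE_REPORT)
    assert not contains_markup(cleaned)
    return cleaned


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

`sanitise_tree` takes the cleaning function as a parameter so the same walker can be unit-tested with an identity function (to confirm it reaches every leaf) and deployed with bleach; returning a new structure instead of mutating in place also avoids the question of modifying a dict while iterating over it.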