Re: [yocto] [error-report-web] [PATCH] Post/parser: Use bleach to sanitse XSS input

Yi Fan Yu Tue, 23 Mar 2021 15:31:25 -0700

On 3/22/21 1:56 PM, Richard Purdie wrote:

[Please note: This e-mail is from an EXTERNAL e-mail address]


Instead of searching for "<", use bleach to sanity input to avoid
any XSS issues.

Signed-off-by: Richard Purdie <[email protected]>
---
  Post/parser.py | 26 +++++++++-----------------
  1 file changed, 9 insertions(+), 17 deletions(-)

diff --git a/Post/parser.py b/Post/parser.py
index f411e02..536e872 100644
--- a/Post/parser.py
+++ b/Post/parser.py
@@ -9,6 +9,7 @@
  # Licensed under the MIT license, see COPYING.MIT for details

  import json, re
+import bleach


would need to add that to `requirements.txt`
i tested it quickly and it gave me bleach not found

  from Post.models import Build, BuildFailure, ErrorType
  from django.conf import settings
  from django.utils import timezone
@@ -19,21 +20,6 @@ class Parser:
      def __init__(self, data):
          self.data = data.decode('utf-8')

-    # returns true if the values contain '<' char
-    # Ignore the failures field (which is an array anyway)
-    # Ignore any non-str fields too [YOCTO #14208]
-    def contains_tags (self, data):
-        for key,val in data.items():
-            if key == 'failures':
-                continue
-
-            if not isinstance(val, str):
-                continue
-
-            if '<' in val:
-                return True
-        return False
-
      def parse(self, request):
          build_fails_logged = []

@@ -42,8 +28,14 @@ class Parser:
          except:
               return  { 'error' : 'Invalid json' }

-        if self.contains_tags(jsondata) == True:
-            return  { 'error' : 'Invalid characters in json' }
+        # Bleach data going directly into the database so that
+        # displaying in any of the graphing doesn't introduce XSS
+        for key,val in jsondata.items():
+            if key == 'failures':
+                continue
+            if not isinstance(val, str):
+                continue
+            jsondata[key] = bleach.clean(val)

would it make more sense to bleach/sanitize the raw data before it gotparsed into a json object so even 'failures' wouldn't contain any injection

          b = Build.objects.create()
          try:
--
2.30.2

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#52828): https://lists.yoctoproject.org/g/yocto/message/52828
Mute This Topic: https://lists.yoctoproject.org/mt/81531586/21656
Group Owner: [email protected]
Unsubscribe: https://lists.yoctoproject.org/g/yocto/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [yocto] [error-report-web] [PATCH] Post/parser: Use bleach to sanitse XSS input

Reply via email to