asf-tooling opened a new issue, #1014:
URL: https://github.com/apache/tooling-trusted-releases/issues/1014
**ASVS Level(s):** [L1]
**Description:**
### Summary
The `flash_error_summary()` function in `atr/form.py` builds HTML error
messages from Pydantic validation errors with f-strings and wraps the result in
`markupsafe.Markup()`, which tells Jinja2 not to auto-escape it. Custom
validators such as `to_enum()` include the rejected user input in their error
messages, so that input is inserted into the HTML without escaping and reaches
the page verbatim: a reflected XSS vulnerability.
### Details
Affected locations:
- `atr/form.py` lines 145-155: `flash_error_summary()` constructs HTML without escaping
- `atr/form.py` `to_enum()` function: reflects user input in error messages
- `atr/templates/macros/flash.html`: renders the unescaped content
The function builds HTML error lists using f-strings with unescaped
field_label and msg values, then wraps with Markup() to bypass Jinja2
auto-escaping.
### Recommended Remediation
Use `markupsafe.escape()` to escape both `field_label` and `msg` before HTML
insertion in `flash_error_summary()`:
```python
import markupsafe


def flash_error_summary(errors):
    # `errors` is the list returned by pydantic's ValidationError.errors();
    # each entry carries "loc" (field path tuple) and "msg" (message text).
    # The report does not show how the label is derived; here it is built
    # from "loc".
    parts = ["<ul>"]
    for error in errors:
        field_label = ".".join(str(part) for part in error.get("loc", ())) or "form"
        msg = error.get("msg", "")
        safe_label = markupsafe.escape(field_label)
        safe_msg = markupsafe.escape(msg)
        parts.append(f"<li><strong>{safe_label}</strong>: {safe_msg}</li>")
    parts.append("</ul>")
    return markupsafe.Markup("".join(parts))
```
Also audit all custom Pydantic validators for user input reflection in error
messages.
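As an added illustration (not code from the tooling-trusted-releases project), the unescaped pattern beside the escaped form, driven by a stand-in `to_enum()` validator that reflects its input the way the issue describes. `ReleasePhase`, `validate_phase()` and the crafted input are constructed here, and `html.escape` stands in for `markupsafe.escape` so the example runs without markupsafe installed.

```python
import html
from enum import Enum


class ReleasePhase(Enum):
    # Constructed sample enum; the project's real enums are not shown in the issue
    DRAFT = "draft"
    RELEASED = "released"


def to_enum(value, enum_cls):
    # Mirrors the pattern the issue describes: the rejected value is reflected
    # verbatim in the error message.
    try:
        return enum_cls(value)
    except ValueError:
        allowed = ", ".join(m.value for m in enum_cls)
        raise ValueError(f"invalid value {value!r}; expected one of: {allowed}")


def validate_phase(value):
    # Returns errors in the shape of pydantic's ValidationError.errors():
    # a list of dicts carrying "loc" (field path) and "msg" (message text).
    try:
        to_enum(value, ReleasePhase)
    except ValueError as exc:
        return [{"loc": ("phase",), "msg": str(exc)}]
    return []


def flash_error_summary_vulnerable(errors):
    # Before: label and message interpolated raw; the real code then wraps the
    # result in Markup(), so Jinja2 will not escape it either.
    parts = ["<ul>"]
    for error in errors:
        label = ".".join(str(p) for p in error["loc"])
        parts.append(f"<li><strong>{label}</strong>: {error['msg']}</li>")
    parts.append("</ul>")
    return "".join(parts)


def flash_error_summary_fixed(errors):
    # After: escape both values first. html.escape stands in for
    # markupsafe.escape so this runs without markupsafe installed.
    parts = ["<ul>"]
    for error in errors:
        label = html.escape(".".join(str(p) for p in error["loc"]))
        parts.append(f"<li><strong>{label}</strong>: {html.escape(error['msg'])}</li>")
    parts.append("</ul>")
    return "".join(parts)


# Constructed regression input: what a form could submit for the "phase" field
CRAFTED_INPUT = "<script>alert(1)</script>"
```

The same assertions belong in the project's unit test for the fix: the rendered summary must contain the escaped entities and never the raw tag.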
### Acceptance Criteria
- [ ] Error messages are HTML-escaped before rendering
- [ ] XSS via validation error messages is prevented
- [ ] Custom validators don't reflect unescaped user input
- [ ] Test cases verify escaping
- [ ] Unit test verifying the fix
### References
- Source reports: L1:3.2.2.md
- Related findings: FINDING-109
- ASVS sections: 3.2.2
### Priority
Medium
---
**Triage notes:** audit_guidance "text values given to htm are safe by
construction"
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]