Instead of searching for "<", use bleach to sanitise input to avoid any XSS issues.
Signed-off-by: Richard Purdie <[email protected]>
---
 Post/parser.py | 26 +++++++++-----------------
 1 file changed, 9 insertions(+), 17 deletions(-)

diff --git a/Post/parser.py b/Post/parser.py
index f411e02..536e872 100644
--- a/Post/parser.py
+++ b/Post/parser.py
@@ -9,6 +9,7 @@
 # Licensed under the MIT license, see COPYING.MIT for details
 
 import json, re
+import bleach
 from Post.models import Build, BuildFailure, ErrorType
 from django.conf import settings
 from django.utils import timezone
@@ -19,21 +20,6 @@ class Parser:
     def __init__(self, data):
         self.data = data.decode('utf-8')
 
-    # returns true if the values contain '<' char
-    # Ignore the failures field (which is an array anyway)
-    # Ignore any non-str fields too [YOCTO #14208]
-    def contains_tags (self, data):
-        for key,val in data.items():
-            if key == 'failures':
-                continue
-
-            if not isinstance(val, str):
-                continue
-
-            if '<' in val:
-                return True
-        return False
-
     def parse(self, request):
         build_fails_logged = []
 
@@ -42,8 +28,14 @@ class Parser:
         except:
             return { 'error' : 'Invalid json' }
 
-        if self.contains_tags(jsondata) == True:
-            return { 'error' : 'Invalid characters in json' }
+        # Bleach data going directly into the database so that
+        # displaying in any of the graphing doesn't introduce XSS
+        for key,val in jsondata.items():
+            if key == 'failures':
+                continue
+            if not isinstance(val, str):
+                continue
+            jsondata[key] = bleach.clean(val)
 
         b = Build.objects.create()
         try:
-- 
2.30.2
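Review bot: `bleach.clean(val)` with its default arguments still passes bleach's default tag whitelist (including `<a href=...>` with http/https/mailto links) through untouched and HTML-escapes everything else rather than removing it, so the values stored by the new loop in the third hunk can still contain markup and are no longer plain text. If the intent is that no markup at all reaches the database, pass an empty whitelist, `jsondata[key] = bleach.clean(val, tags=[], attributes={})`, and keep in mind that the output is entity-encoded (`&lt;`, `&amp;`), which any template that autoescapes will encode a second time — presumably relevant to the graphing views, but that depends on code outside this hunk. The loop also assumes `jsondata` is a dict: a payload that parses to a JSON array or scalar makes `jsondata.items()` raise instead of producing the `Invalid json` error, so a guard such as `if not isinstance(jsondata, dict): return { 'error' : 'Invalid json' }` before the loop would keep the error path consistent (the removed `contains_tags` had the same gap). parse's body continues outside the hunk in both directions.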
