1modm / petereport

PeTeReport is an open-source application vulnerability reporting tool.
https://1modm.github.io/petereport/
BSD 3-Clause "New" or "Revised" License

Invalid filter: 'bleach' causing Internal Error 500 on TemplateSyntaxError at /cwe/list/ and /finding/open/ #48

Closed eMVee-NL closed 2 years ago

eMVee-NL commented 2 years ago

While running a brand new fresh installation of PeTeReport version 0.9 (Docker installation) I was navigating and preparing the application for testing and possibly an exam where I have to write a report... But then I noticed the two pages responding with an HTTP status 500 caused by a syntax thingy in bleach...

Updated the issue because I had another location which was giving the same error.

Locations:

  1. /finding/closed/
  2. /finding/open/
  3. /cwe/list/

I've turned debug mode on (true) and copied the error into this issue.

Environment:

Request Method: GET
Request URL: http://127.0.0.1/finding/open/

Django Version: 3.2.5
Python Version: 3.8.10
Installed Applications:
['django.contrib.admin',
 'django.contrib.auth',
 'django.contrib.contenttypes',
 'django.contrib.sessions',
 'django.contrib.messages',
 'django.contrib.staticfiles',
 'martor',
 'django_bleach',
 'preport']
Installed Middleware:
['django.middleware.security.SecurityMiddleware',
 'django.contrib.sessions.middleware.SessionMiddleware',
 'django.middleware.common.CommonMiddleware',
 'django.middleware.csrf.CsrfViewMiddleware',
 'django.contrib.auth.middleware.AuthenticationMiddleware',
 'django.contrib.messages.middleware.MessageMiddleware',
 'django.middleware.clickjacking.XFrameOptionsMiddleware']

Template error:
In template /opt/petereport/app/preport/templates/findings/findings_list.html, error at line 67
   Invalid filter: 'bleach'
   57 :                             <th style="width: 5%">CVSS</th>
   58 :                             <th style="width: 20%">Report</th>
   59 :                             <th style="width: 25%" class="text-center"> Actions</th>
   60 :                           </tr>
   61 :                         </thead>
   62 : 
   63 :                         <tbody>
   64 :                           {% for finding in DB_finding_query %}
   65 :                           <tr>
   66 :                                   <td>
   67 :                                        {{ finding.title  | bleach }} 
   68 :                                   </td>
   69 : 
   70 :                                   <td>
   71 :                                                                       
   72 :                                         {% if finding.severity == "Critical" %}
   73 :                                             <b><font color="#CC0000">{{ finding.severity }}</font></b>
   74 :                                         {% elif finding.severity == "High" %}
   75 :                                             <b><font color="#F20000">{{ finding.severity }}</font></b>
   76 :                                         {% elif finding.severity == "Medium" %}
   77 :                                             <b><font color="#FC7F03">{{ finding.severity }}</font></b>

Traceback (most recent call last):
  File "/usr/local/lib/python3.8/dist-packages/django/core/handlers/exception.py", line 47, in inner
    response = get_response(request)
  File "/usr/local/lib/python3.8/dist-packages/django/core/handlers/base.py", line 181, in _get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/usr/local/lib/python3.8/dist-packages/django/contrib/auth/decorators.py", line 21, in _wrapped_view
    return view_func(request, *args, **kwargs)
  File "/opt/petereport/app/preport/views.py", line 1088, in openfindings
    return render(request, 'findings/findings_list.html', {'DB_finding_query': DB_finding_query, 'count_finding_query': count_finding_query})
  File "/usr/local/lib/python3.8/dist-packages/django/shortcuts.py", line 19, in render
    content = loader.render_to_string(template_name, context, request, using=using)
  File "/usr/local/lib/python3.8/dist-packages/django/template/loader.py", line 61, in render_to_string
    template = get_template(template_name, using=using)
  File "/usr/local/lib/python3.8/dist-packages/django/template/loader.py", line 15, in get_template
    return engine.get_template(template_name)
  File "/usr/local/lib/python3.8/dist-packages/django/template/backends/django.py", line 34, in get_template
    return Template(self.engine.get_template(template_name), self)
  File "/usr/local/lib/python3.8/dist-packages/django/template/engine.py", line 143, in get_template
    template, origin = self.find_template(template_name)
  File "/usr/local/lib/python3.8/dist-packages/django/template/engine.py", line 125, in find_template
    template = loader.get_template(name, skip=skip)
  File "/usr/local/lib/python3.8/dist-packages/django/template/loaders/base.py", line 29, in get_template
    return Template(
  File "/usr/local/lib/python3.8/dist-packages/django/template/base.py", line 155, in __init__
    self.nodelist = self.compile_nodelist()
  File "/usr/local/lib/python3.8/dist-packages/django/template/base.py", line 193, in compile_nodelist
    return parser.parse()
  File "/usr/local/lib/python3.8/dist-packages/django/template/base.py", line 478, in parse
    raise self.error(token, e)
  File "/usr/local/lib/python3.8/dist-packages/django/template/base.py", line 476, in parse
    compiled_result = compile_func(self, token)
  File "/usr/local/lib/python3.8/dist-packages/django/template/loader_tags.py", line 278, in do_extends
    nodelist = parser.parse()
  File "/usr/local/lib/python3.8/dist-packages/django/template/base.py", line 478, in parse
    raise self.error(token, e)
  File "/usr/local/lib/python3.8/dist-packages/django/template/base.py", line 476, in parse
    compiled_result = compile_func(self, token)
  File "/usr/local/lib/python3.8/dist-packages/django/template/loader_tags.py", line 216, in do_block
    nodelist = parser.parse(('endblock',))
  File "/usr/local/lib/python3.8/dist-packages/django/template/base.py", line 478, in parse
    raise self.error(token, e)
  File "/usr/local/lib/python3.8/dist-packages/django/template/base.py", line 476, in parse
    compiled_result = compile_func(self, token)
  File "/usr/local/lib/python3.8/dist-packages/django/template/defaulttags.py", line 814, in do_for
    nodelist_loop = parser.parse(('empty', 'endfor',))
  File "/usr/local/lib/python3.8/dist-packages/django/template/base.py", line 449, in parse
    raise self.error(token, e)
  File "/usr/local/lib/python3.8/dist-packages/django/template/base.py", line 447, in parse
    filter_expression = self.compile_filter(token.contents)
  File "/usr/local/lib/python3.8/dist-packages/django/template/base.py", line 563, in compile_filter
    return FilterExpression(token, self)
  File "/usr/local/lib/python3.8/dist-packages/django/template/base.py", line 657, in __init__
    filter_func = parser.find_filter(filter_name)
  File "/usr/local/lib/python3.8/dist-packages/django/template/base.py", line 569, in find_filter
    raise TemplateSyntaxError("Invalid filter: '%s'" % filter_name)

Exception Type: TemplateSyntaxError at /finding/open/
Exception Value: Invalid filter: 'bleach'

And

Environment:

Request Method: GET
Request URL: http://127.0.0.1/cwe/list/

Django Version: 3.2.5
Python Version: 3.8.10
Installed Applications:
['django.contrib.admin',
 'django.contrib.auth',
 'django.contrib.contenttypes',
 'django.contrib.sessions',
 'django.contrib.messages',
 'django.contrib.staticfiles',
 'martor',
 'django_bleach',
 'preport']
Installed Middleware:
['django.middleware.security.SecurityMiddleware',
 'django.contrib.sessions.middleware.SessionMiddleware',
 'django.middleware.common.CommonMiddleware',
 'django.middleware.csrf.CsrfViewMiddleware',
 'django.contrib.auth.middleware.AuthenticationMiddleware',
 'django.contrib.messages.middleware.MessageMiddleware',
 'django.middleware.clickjacking.XFrameOptionsMiddleware']

Template error:
In template /opt/petereport/app/preport/templates/cwe/cwe_list.html, error at line 60
   Invalid filter: 'bleach'
   50 :                       </th>
   51 : 
   52 :                   </tr>
   53 :               </thead>
   54 :               <tbody>
   55 : 
   56 :                   {% for cwe in DB_cwe_query %}
   57 : 
   58 :                     <tr>
   59 :                       <td>
   60 :                         <a href="https://cwe.mitre.org/data/definitions/{{cwe.cwe_id}}.html" target=”_blank”> {{ cwe.cwe_id  | bleach}}  - {{ cwe.cwe_name  | bleach}}</a>
   61 :                       </td>
   62 :                       <td>
   63 :                         {{ cwe.cwe_description  | bleach}}
   64 :                       </td>
   65 : 
   66 : 
   67 :                     </tr>
   68 :                      
   69 :                   {% endfor %}
   70 : 

Traceback (most recent call last):
  File "/usr/local/lib/python3.8/dist-packages/django/core/handlers/exception.py", line 47, in inner
    response = get_response(request)
  File "/usr/local/lib/python3.8/dist-packages/django/core/handlers/base.py", line 181, in _get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/usr/local/lib/python3.8/dist-packages/django/contrib/auth/decorators.py", line 21, in _wrapped_view
    return view_func(request, *args, **kwargs)
  File "/opt/petereport/app/preport/views.py", line 1612, in cwe_list
    return render(request, 'cwe/cwe_list.html', {'DB_cwe_query': DB_cwe_query})
  File "/usr/local/lib/python3.8/dist-packages/django/shortcuts.py", line 19, in render
    content = loader.render_to_string(template_name, context, request, using=using)
  File "/usr/local/lib/python3.8/dist-packages/django/template/loader.py", line 61, in render_to_string
    template = get_template(template_name, using=using)
  File "/usr/local/lib/python3.8/dist-packages/django/template/loader.py", line 15, in get_template
    return engine.get_template(template_name)
  File "/usr/local/lib/python3.8/dist-packages/django/template/backends/django.py", line 34, in get_template
    return Template(self.engine.get_template(template_name), self)
  File "/usr/local/lib/python3.8/dist-packages/django/template/engine.py", line 143, in get_template
    template, origin = self.find_template(template_name)
  File "/usr/local/lib/python3.8/dist-packages/django/template/engine.py", line 125, in find_template
    template = loader.get_template(name, skip=skip)
  File "/usr/local/lib/python3.8/dist-packages/django/template/loaders/base.py", line 29, in get_template
    return Template(
  File "/usr/local/lib/python3.8/dist-packages/django/template/base.py", line 155, in __init__
    self.nodelist = self.compile_nodelist()
  File "/usr/local/lib/python3.8/dist-packages/django/template/base.py", line 193, in compile_nodelist
    return parser.parse()
  File "/usr/local/lib/python3.8/dist-packages/django/template/base.py", line 478, in parse
    raise self.error(token, e)
  File "/usr/local/lib/python3.8/dist-packages/django/template/base.py", line 476, in parse
    compiled_result = compile_func(self, token)
  File "/usr/local/lib/python3.8/dist-packages/django/template/loader_tags.py", line 278, in do_extends
    nodelist = parser.parse()
  File "/usr/local/lib/python3.8/dist-packages/django/template/base.py", line 478, in parse
    raise self.error(token, e)
  File "/usr/local/lib/python3.8/dist-packages/django/template/base.py", line 476, in parse
    compiled_result = compile_func(self, token)
  File "/usr/local/lib/python3.8/dist-packages/django/template/loader_tags.py", line 216, in do_block
    nodelist = parser.parse(('endblock',))
  File "/usr/local/lib/python3.8/dist-packages/django/template/base.py", line 478, in parse
    raise self.error(token, e)
  File "/usr/local/lib/python3.8/dist-packages/django/template/base.py", line 476, in parse
    compiled_result = compile_func(self, token)
  File "/usr/local/lib/python3.8/dist-packages/django/template/defaulttags.py", line 814, in do_for
    nodelist_loop = parser.parse(('empty', 'endfor',))
  File "/usr/local/lib/python3.8/dist-packages/django/template/base.py", line 449, in parse
    raise self.error(token, e)
  File "/usr/local/lib/python3.8/dist-packages/django/template/base.py", line 447, in parse
    filter_expression = self.compile_filter(token.contents)
  File "/usr/local/lib/python3.8/dist-packages/django/template/base.py", line 563, in compile_filter
    return FilterExpression(token, self)
  File "/usr/local/lib/python3.8/dist-packages/django/template/base.py", line 657, in __init__
    filter_func = parser.find_filter(filter_name)
  File "/usr/local/lib/python3.8/dist-packages/django/template/base.py", line 569, in find_filter
    raise TemplateSyntaxError("Invalid filter: '%s'" % filter_name)

Exception Type: TemplateSyntaxError at /cwe/list/
Exception Value: Invalid filter: 'bleach'

1modm commented 2 years ago

@mvdvaart my fault, it seems I forgot to add the tag descriptor in that template file. Until I upload a new version you can edit the file findings_list.html and edit the header, adding {% load bleach_tags %}:

```django
{% extends 'home/template.html' %}

{% load bleach_tags %}

{% block title %} Findings {% endblock title %}

{% block stylesheets %}
  {{ block.super }}
{% endblock stylesheets %}

{% block content %}
...
```
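A small template lint that catches this class of regression before deployment, added here as an example and not part of PeTeReport's code: it flags every `|bleach` use that is not preceded by a `{% load bleach_tags %}`, which is exactly the compile-time `TemplateSyntaxError` behind the 500s in the tracebacks above. The two sample templates are constructed, modelled on findings_list.html.

```python
import re
from typing import List, Tuple

# Django compiles templates top to bottom: a filter resolves only after the
# {% load <library> %} registering it has been parsed. Using it earlier raises
# TemplateSyntaxError("Invalid filter: '...'"), i.e. an HTTP 500 for the view.
LOAD_TAG_RE = re.compile(r"{%\s*load\s+(.+?)\s*%}")

# filter name -> library that registers it; django_bleach registers its
# "bleach" filter in "bleach_tags" (the library named in the fix above).
FILTER_LIBRARIES = {"bleach": "bleach_tags"}


def missing_filter_loads(source: str) -> List[Tuple[str, int]]:
    """Return (filter_name, line_number) for every filter use that is not
    preceded by a {% load %} of the library providing it."""
    load_positions = {}  # library -> offset of its first {% load %}
    for m in LOAD_TAG_RE.finditer(source):
        for lib in m.group(1).split():
            load_positions.setdefault(lib, m.start())
    problems = []
    for name, library in FILTER_LIBRARIES.items():
        use_re = re.compile(r"{{[^}]*?\|\s*" + re.escape(name) + r"\b")
        for use in use_re.finditer(source):
            loaded_at = load_positions.get(library)
            if loaded_at is None or loaded_at > use.start():
                line = source.count("\n", 0, use.start()) + 1
                problems.append((name, line))
    return problems


# Constructed samples modelled on findings_list.html, not the project's files.
BROKEN_TEMPLATE = """{% extends 'home/template.html' %}
{% block content %}
  {% for finding in DB_finding_query %}
    <td>{{ finding.title | bleach }}</td>
  {% endfor %}
{% endblock %}
"""

FIXED_TEMPLATE = """{% extends 'home/template.html' %}
{% load bleach_tags %}
{% block content %}
  {% for finding in DB_finding_query %}
    <td>{{ finding.title | bleach }}</td>
    <td>{{ finding.description|bleach }}</td>
  {% endfor %}
{% endblock %}
"""
```

Run it over every file under the templates directory in CI; a non-empty result for any template means the page will 500 on first request.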
1modm commented 2 years ago

Fixed in the last update