CSGY-9223-Group3 / lab1


Lack of Input Validation in Note Creation #8

Closed dr3394 closed 1 week ago

dr3394 commented 2 weeks ago

There is no input validation or sanitization when creating or updating a note (create_note, update_note). This opens up the application to potential injection attacks, such as Cross-Site Scripting (XSS) or even command injection in the future.

Use input validation and sanitization libraries to filter out or encode potentially harmful input. For Flask, libraries like bleach can be used to sanitize user input.

jjl9839 commented 2 weeks ago

@CSGY-9223-Group3/engineering & @CSGY-9223-Group3/security Bleach is deprecated, https://github.com/mozilla/bleach/issues/698. Please use a different HTML sanitization library such as https://github.com/matthiask/html-sanitizer/

esamnyu commented 1 week ago

Thank you @dr3394 for raising this important security concern, and @jjl9839 for the updated recommendation on the sanitization library.

We have addressed this issue by implementing input sanitization for both note creation and updates. Here are the changes we've made:

  1. We've added the html-sanitizer library as recommended, which is actively maintained and suitable for our needs.

  2. We've updated both the create_note and update_note functions to sanitize user input before storing or updating note content.

  3. The sanitization process helps prevent potential XSS attacks and other injection vulnerabilities by removing potentially harmful HTML elements and attributes while preserving safe content.

Here's a snippet of the implemented changes:

from html_sanitizer import Sanitizer

# One shared sanitizer instance using the library's default allow-list
sanitizer = Sanitizer()

def create_note(note_id, user, data, is_public):
    # Sanitize before the text is stored, so stored payloads never reach the note store
    sanitized_data = sanitizer.sanitize(data)
    notes[note_id] = {"text": sanitized_data, "author": user, "isPublic": is_public}
    # ... rest of the function

def update_note(note_id, user, data):
    # Authorization check first, then the same sanitization on the updated text
    if can_user_modify(user, note_id):
        sanitized_data = sanitizer.sanitize(data)
        notes[note_id]["text"] = sanitized_data
        # ... rest of the function

dr3394 commented 1 week ago

Adjusted to make it a function:

from html_sanitizer import Sanitizer

sanitizer = Sanitizer()

def sanitize_input(data):
    """Sanitize user input to prevent XSS."""
    return sanitizer.sanitize(data)