appsembler / xblock-grade-fetcher

Grade Fetcher XBlock
MIT License
2 stars 1 forks

use safe tools for building query parameters #16

Closed OmarIthawi closed 2 years ago

OmarIthawi commented 2 years ago
if self.activity_identifier_parameter:
    get_query_string += "&" + self.activity_identifier_parameter
if self.activity_identifier:
    get_query_string += "=" + self.activity_identifier
if self.extra_params:
    get_query_string += "&" + self.extra_params
grader_response = requests.get(
    self.grader_endpoint + get_query_string, headers=grader_headers
)

This is unsafe and could lead to security issues.

Safer alternatives should be used, like:

extra_params can be unsafe as well and could use some validation.

from urllib.parse import parse_qsl
import requests

query_params = []
if self.activity_identifier_parameter and self.activity_identifier:
    # one (name, value) pair; requests percent-encodes both name and value
    query_params.append((self.activity_identifier_parameter, self.activity_identifier))

if self.extra_params:
    # parse_qsl yields (name, value) pairs (parse_qs would yield a dict);
    # strict_parsing=True raises ValueError on malformed input instead of dropping it
    query_params += parse_qsl(self.extra_params, strict_parsing=True)

response = requests.get('https://httpbin.org/get', params=query_params)
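As an added example, not code from this issue or from the xblock-grade-fetcher project, the snippet below puts the original string concatenation next to the list-of-pairs approach and shows what a server decodes from each URL. It uses only the standard library (urlencode instead of requests, so it runs offline; requests.get(params=...) encodes a list of pairs with the same urlencode). The endpoint https://grader.example/grade?course=c1, the parameter name activity_id and the hostile value act-1&override_score=100 are constructed for the demonstration and are not from the project.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed endpoint; it already carries a query string, which is the
# assumption behind the leading "&" in the original concatenation.
ENDPOINT = "https://grader.example/grade?course=c1"


def build_url_unsafe(endpoint, param_name, param_value, extra_params):
    """Rebuild the original string concatenation: values are pasted in verbatim."""
    query_string = ""
    if param_name:
        query_string += "&" + param_name
    if param_value:
        query_string += "=" + param_value
    if extra_params:
        query_string += "&" + extra_params
    return endpoint + query_string


def build_query_params(param_name, param_value, extra_params):
    """Build (name, value) pairs; the encoder, not the caller, escapes them."""
    query_params = []
    if param_name and param_value:
        query_params.append((param_name, param_value))
    if extra_params:
        # strict_parsing=True makes malformed input ("a=1&&b=2", "novalue")
        # raise ValueError instead of being silently dropped.
        query_params.extend(parse_qsl(extra_params, strict_parsing=True))
    return query_params


def extra_params_are_well_formed(extra_params):
    """Validation hook for extra_params: True iff it parses under strict rules."""
    try:
        parse_qsl(extra_params, strict_parsing=True)
    except ValueError:
        return False
    return True


def build_url_safe(endpoint, param_name, param_value, extra_params):
    """Encode the pairs with urlencode; '&' and '=' inside a value become %26 and %3D."""
    pairs = build_query_params(param_name, param_value, extra_params)
    if not pairs:
        return endpoint
    separator = "&" if urlsplit(endpoint).query else "?"
    return endpoint + separator + urlencode(pairs)


def server_view(url):
    """What a server decodes from the URL's query string (last value wins)."""
    return dict(parse_qsl(urlsplit(url).query))


if __name__ == "__main__":
    # Constructed hostile identifier that smuggles a second parameter.
    hostile_id = "act-1&override_score=100"
    for builder in (build_url_unsafe, build_url_safe):
        url = builder(ENDPOINT, "activity_id", hostile_id, "site=1")
        print(builder.__name__, url)
        print("  server sees:", server_view(url))
```

With the concatenated URL the server receives override_score as a parameter of its own; with the encoded URL it receives the whole hostile string as the value of activity_id and nothing else. Validation of extra_params is a separate step: strict parsing rejects malformed input, but whatever names it allows still reach the grader, so an allow-list of permitted parameter names is the natural next check.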
amirtds commented 2 years ago

Thanks @OmarIthawi, I created PR #21 to cover this issue.