lincolnloop / django-dynamic-raw-id

(formerly known as django-salmonella) A raw_id_fields widget replacement that handles display of an object's string value on change and can be overridden via a template.
MIT License

Cross Site Scripting Vulnerability #99

Closed aydinnyunus closed 7 months ago

aydinnyunus commented 7 months ago

Description:

The code snippet provided is from a Django application where the dynamic_raw_id view attempts to retrieve a model dynamically based on the provided app_name and model_name parameters. If the model does not exist, it returns a 400 Bad Request response with an optional error message.

https://github.com/lincolnloop/django-dynamic-raw-id/blob/main/dynamic_raw_id/views.py#L41

Impact:

This code is vulnerable to a Cross-Site Scripting (XSS) attack due to the potential injection of user-controlled data into the error message. Specifically, if an attacker provides a malicious app_name or model_name, they could craft a payload that, when executed in the context of an HTML page, could lead to the execution of arbitrary JavaScript code.

bartTC commented 7 months ago

Good catch, thank you.

bartTC commented 7 months ago

This is not an issue: the app and model name are pre-filtered to be a slug. Malicious strings would not reach the code you've hinted at above. https://github.com/lincolnloop/django-dynamic-raw-id/blob/main/dynamic_raw_id/urls.py#L9

I've simplified that error message nonetheless.

aydinnyunus commented 7 months ago

Hi,

I saw the app_name, but I did not find that the model_name is predefined, so I created the issue. Thanks for the quick fix.
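To illustrate the two layers this thread touches on (the slug filter at the URL level, and escaping anything that is reflected into an error response), here is an added example that is not the project's code. It mirrors Django's slug path converter with a plain regex and uses constructed model names, so it runs without Django installed.

```python
import re
from html import escape

# Django's slug path converter accepts only this character class. The project's
# urls.py is assumed to use that converter (the maintainer says app/model names
# are pre-filtered to a slug), so this regex mirrors that gate.
SLUG_RE = re.compile(r"^[-a-zA-Z0-9_]+$")

# Constructed stand-in for the app registry lookup; not the project's code.
KNOWN_MODELS = {("auth", "user"), ("auth", "group")}


def is_slug(value: str) -> bool:
    """Mirror the URL-level filter: reject anything that is not a slug."""
    return bool(SLUG_RE.match(value))


def error_body_unescaped(app_name: str, model_name: str) -> str:
    """The risky pattern: user-controlled names interpolated into HTML as-is."""
    return f"Model {app_name}.{model_name} does not exist."


def error_body_safe(app_name: str, model_name: str) -> str:
    """Hardened: escape before reflecting, so markup in the input renders as text."""
    return f"Model {escape(app_name)}.{escape(model_name)} does not exist."


def dynamic_raw_id(app_name: str, model_name: str) -> tuple[int, str]:
    """Minimal model of the view, returning (status, body).

    Assumption: a non-slug name never matches the URL pattern, which in Django
    surfaces as a 404 before any view code runs. On an unknown model the body
    is a generic message with no user input reflected at all.
    """
    if not (is_slug(app_name) and is_slug(model_name)):
        return 404, "Not found."
    if (app_name, model_name) not in KNOWN_MODELS:
        return 400, "Model does not exist."
    return 200, f"ok:{app_name}.{model_name}"
```

The slug gate stops markup from ever reaching the view, and the generic message removes the reflection entirely, so the defences hold even if routing changes later.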