wacl-york / mcm-web

Code for the MCM web application

Check that species in cookie are in a valid text format #234

Closed stulacy closed 7 months ago

stulacy commented 7 months ago

@kilicomu sanitize cookies when reading in species. The app may still fail a static check, but I think this removes any real risk. The next step would be to validate each species against the DB, but firing off constant server side requests could slow down the app.

kilicomu commented 7 months ago

I think this is along the right lines, but I'm not sure that the regexp-based sanitisation that you have in this PR is going to correctly guard against the vulnerability.

If there is a simple way to validate the marklist against valid species from the database, I think that's worth a go. Mostly just to eliminate the uncertainty.

stulacy commented 7 months ago

The validation is now performed in the DB against the existing species.

kilicomu commented 7 months ago

Cool! Let's run that against the scanner and see what happens.
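The two approaches discussed in this thread side by side, as an added example that is not code from the mcm-web project: a regexp check on the species names held in the cookie, and the allowlist check that keeps only names present in the species table. The comma-separated cookie format, the `species` table and the sample species are assumptions made for the example.

```python
import re
import sqlite3

# Constructed sample of a species table; the real mcm-web schema is not shown in the thread.
SAMPLE_SPECIES = ["CH4", "C2H6", "HCHO", "NO2"]


def build_db() -> sqlite3.Connection:
    """In-memory stand-in for the application database (constructed for this example)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE species (name TEXT PRIMARY KEY)")
    con.executemany("INSERT INTO species VALUES (?)", [(s,) for s in SAMPLE_SPECIES])
    con.commit()
    return con


def parse_cookie(raw: str) -> list[str]:
    """Split the assumed comma-separated marklist cookie into candidate names."""
    return [s.strip() for s in raw.split(",") if s.strip()]


SPECIES_RE = re.compile(r"[A-Za-z0-9]+")


def regexp_sanitise(raw: str) -> list[str]:
    """Format-only check: keeps anything that looks like a species name,
    including names the database has never heard of."""
    return [s for s in parse_cookie(raw) if SPECIES_RE.fullmatch(s)]


def db_validate(con: sqlite3.Connection, raw: str) -> list[str]:
    """Allowlist check: one parameterised query keeps only names that exist in
    the species table, so unknown values are dropped whatever their format."""
    candidates = parse_cookie(raw)
    if not candidates:
        return []
    placeholders = ",".join("?" * len(candidates))  # only '?' markers are interpolated
    rows = con.execute(
        f"SELECT name FROM species WHERE name IN ({placeholders})", candidates
    ).fetchall()
    known = {row[0] for row in rows}
    # Preserve the cookie's ordering and drop duplicates.
    seen: set[str] = set()
    validated = []
    for name in candidates:
        if name in known and name not in seen:
            seen.add(name)
            validated.append(name)
    return validated
```

Because the whole list goes into a single `IN (...)` query, the cookie is validated with one round trip per request rather than one per species.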