Merge pull request #727 from umayangag/html-encoding

fix improper input value issue #646
ECLK · Jul 22, 2020 · 4c17a29 · 4c17a29
2 parents 5b515a4 + c6954d6
commit 4c17a29
Show file tree

Hide file tree

Showing 7 changed files with 33 additions and 7 deletions.
diff --git a/.gitignore b/.gitignore
@@ -3,4 +3,5 @@ __pycache__/
 *.pyc
 _site
 .sass-cache
-*.DS_Store
+*.DS_Store
+venv
diff --git a/results-tabulation-api/api/TallySheetVersionApi/__init__.py b/results-tabulation-api/api/TallySheetVersionApi/__init__.py
@@ -5,13 +5,14 @@
 from app import db
 from auth import authorize
 from constants.AUTH_CONSTANTS import ALL_ROLES
-from exception import NotFoundException
-from exception.messages import MESSAGE_CODE_TALLY_SHEET_NOT_FOUND, MESSAGE_CODE_TALLY_SHEET_VERSION_NOT_FOUND
+from exception import NotFoundException, InvalidInputException
+from exception.messages import MESSAGE_CODE_TALLY_SHEET_NOT_FOUND, MESSAGE_CODE_TALLY_SHEET_VERSION_NOT_FOUND, \
+    MESSAGE_CODE_INVALID_INPUT
 from ext.ExtendedTallySheet import ExtendedTallySheet
 from orm.entities.Submission import TallySheet
 from orm.entities.SubmissionVersion import TallySheetVersion
 from schemas import TallySheetVersionSchema, TallySheetSchema_1
-from util import get_paginated_query, RequestBody
+from util import get_paginated_query, RequestBody, input_is_valid
 
 
 def get_all(tallySheetId):
@@ -165,6 +166,14 @@ def get_by_id(tallySheetId, tallySheetVersionId):
 def create(tallySheetId, body):
     request_body = RequestBody(body)
     tally_sheet = TallySheet.get_by_id(tallySheetId=tallySheetId)
+
+    # validate user inputs to prevent XSS attacks
+    if not input_is_valid(request_body.get("content")):
+        raise InvalidInputException(
+            message="Invalid input detected. Use of disallowed characters/invalid input length detected",
+            code=MESSAGE_CODE_INVALID_INPUT
+        )
+
     if tally_sheet is None:
         raise NotFoundException(
             message="Tally sheet not found (tallySheetId=%d)" % tallySheetId,

diff --git a/results-tabulation-api/exception/__init__.py b/results-tabulation-api/exception/__init__.py
@@ -23,3 +23,7 @@ def InternalServerErrorException(message="", code=None):
 
 def NotImplementedException(message="", code=None):
     raise ProblemException(501, "Not Implemented", message, "NotImplemented", code)
+
+
+def InvalidInputException(message="", code=None):
+    raise ProblemException(400, "Invalid Input", message, "Forbidden", code)
diff --git a/results-tabulation-api/exception/messages.py b/results-tabulation-api/exception/messages.py
@@ -34,6 +34,7 @@
 MESSAGE_CODE_TALLY_SHEET_NOT_ALLOWED_TO_BE_NOTIFIED = 4006
 MESSAGE_CODE_TALLY_SHEET_NOT_ALLOWED_TO_BE_RELEASED = 4007
 MESSAGE_CODE_TALLY_SHEET_CANNOT_BE_UNLOCKED_WHILE_HAVING_VERIFIED_PARENT_SUMMARY_SHEETS = 4008
+MESSAGE_CODE_INVALID_INPUT = 4009
 
 # Internal server error
 MESSAGE_CODE_PDF_SERVICE_FETCH_FAILED = 5000

diff --git a/results-tabulation-api/util/__init__.py b/results-tabulation-api/util/__init__.py
@@ -156,3 +156,14 @@ def get_sum_of_all_and_nan_otherwise(array):
             result += val
 
     return result
+
+
+def input_is_valid(content_array):
+    invalid_strings = ["'", "\"", "<", ">", "=", ",", ";"]
+    for array_item in content_array:
+        for value in array_item:
+            text_value = str(array_item[value])
+            for char in invalid_strings:
+                if char in text_value or len(text_value) > 500:
+                    return False
+    return True
diff --git a/results-tabulation-ui/src/components/tally-sheet/tally-sheet-edit/index.js b/results-tabulation-ui/src/components/tally-sheet/tally-sheet-edit/index.js
@@ -82,12 +82,12 @@ export function useTallySheetEdit(props) {
         const body = getTallySheetRequestBody();
 
         if (validateTallySheetContent()) {
-            setSaved(true);
             setProcessing(true);
             setProcessingLabel("Saving");
             try {
                 const tallySheet = await tallySheetContext.saveTallySheetVersion(tallySheetId, tallySheetCode, body);
                 setTallySheetVersion(tallySheet.latestVersion);
+                setSaved(true);
             } catch (e) {
                 const errorCode = getErrorCode(e);
                 messagesContext.push({

diff --git a/results-tabulation-ui/src/locale/messages_en.js b/results-tabulation-ui/src/locale/messages_en.js
@@ -54,6 +54,6 @@ export const API_MESSAGES_EN = {
     4005: "Workflow action is now allowed.",
     4006: "Tally sheet is not allowed to be notified.",
     4007: "Tally sheet is not allowed to be release.",
-    4008: "Cannot request changes since the data from this report has been already aggregated in verified summary reports."
-
+    4008: "Cannot request changes since the data from this report has been already aggregated in verified summary reports.",
+    4009: "Invalid characters used. Please check your inputs"
 }