From c6954d6ff14de6e46d1d9f7e656e97d08fe956e9 Mon Sep 17 00:00:00 2001
From: umayanga
Date: Wed, 22 Jul 2020 01:24:15 +0530
Subject: [PATCH] fix improper input value issue #646
---
 .gitignore | 3 ++-
 .../api/TallySheetVersionApi/__init__.py | 15 ++++++++++++---
 results-tabulation-api/exception/__init__.py | 4 ++++
 results-tabulation-api/exception/messages.py | 1 +
 results-tabulation-api/util/__init__.py | 11 +++++++++++
 .../tally-sheet/tally-sheet-edit/index.js | 2 +-
 results-tabulation-ui/src/locale/messages_en.js | 4 ++--
 7 files changed, 33 insertions(+), 7 deletions(-)
diff --git a/.gitignore b/.gitignore
index 041b6c4a..bebba752 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,4 +3,5 @@ __pycache__/
 *.pyc
 _site
 .sass-cache
-*.DS_Store
\ No newline at end of file
+*.DS_Store
+venv
\ No newline at end of file
diff --git a/results-tabulation-api/api/TallySheetVersionApi/__init__.py b/results-tabulation-api/api/TallySheetVersionApi/__init__.py
index 93f6481d..ab6776b0 100644
--- a/results-tabulation-api/api/TallySheetVersionApi/__init__.py
+++ b/results-tabulation-api/api/TallySheetVersionApi/__init__.py
@@ -5,13 +5,14 @@ from app import db
 from auth import authorize
 from constants.AUTH_CONSTANTS import ALL_ROLES
-from exception import NotFoundException
-from exception.messages import MESSAGE_CODE_TALLY_SHEET_NOT_FOUND, MESSAGE_CODE_TALLY_SHEET_VERSION_NOT_FOUND
+from exception import NotFoundException, InvalidInputException
+from exception.messages import MESSAGE_CODE_TALLY_SHEET_NOT_FOUND, MESSAGE_CODE_TALLY_SHEET_VERSION_NOT_FOUND, \
+ MESSAGE_CODE_INVALID_INPUT
 from ext.ExtendedTallySheet import ExtendedTallySheet
 from orm.entities.Submission import TallySheet
 from orm.entities.SubmissionVersion import TallySheetVersion
 from schemas import TallySheetVersionSchema, TallySheetSchema_1
-from util import get_paginated_query, RequestBody
+from util import get_paginated_query, RequestBody, input_is_valid
 def get_all(tallySheetId):
@@ -165,6 +166,14 @@ def get_by_id(tallySheetId, tallySheetVersionId):
 def create(tallySheetId, body):
 request_body = RequestBody(body)
 tally_sheet = TallySheet.get_by_id(tallySheetId=tallySheetId)
+
+ # validate user inputs to prevent XSS attacks
+ if not input_is_valid(request_body.get("content")):
+ raise InvalidInputException(
+ message="Invalid input detected. Use of disallowed characters/invalid input length detected",
+ code=MESSAGE_CODE_INVALID_INPUT
+ )
+
 if tally_sheet is None:
 raise NotFoundException(
 message="Tally sheet not found (tallySheetId=%d)" % tallySheetId,
diff --git a/results-tabulation-api/exception/__init__.py b/results-tabulation-api/exception/__init__.py
index 8b4feec0..b1529b81 100644
--- a/results-tabulation-api/exception/__init__.py
+++ b/results-tabulation-api/exception/__init__.py
@@ -23,3 +23,7 @@ def InternalServerErrorException(message="", code=None):
 def NotImplementedException(message="", code=None):
 raise ProblemException(501, "Not Implemented", message, "NotImplemented", code)
+
+
+def InvalidInputException(message="", code=None):
+ raise ProblemException(400, "Invalid Input", message, "Forbidden", code)
diff --git a/results-tabulation-api/exception/messages.py b/results-tabulation-api/exception/messages.py
index 71b0bce1..ec74d566 100644
--- a/results-tabulation-api/exception/messages.py
+++ b/results-tabulation-api/exception/messages.py
@@ -34,6 +34,7 @@ MESSAGE_CODE_TALLY_SHEET_NOT_ALLOWED_TO_BE_NOTIFIED = 4006
 MESSAGE_CODE_TALLY_SHEET_NOT_ALLOWED_TO_BE_RELEASED = 4007
 MESSAGE_CODE_TALLY_SHEET_CANNOT_BE_UNLOCKED_WHILE_HAVING_VERIFIED_PARENT_SUMMARY_SHEETS = 4008
+MESSAGE_CODE_INVALID_INPUT = 4009
 # Internal server error
 MESSAGE_CODE_PDF_SERVICE_FETCH_FAILED = 5000
diff --git a/results-tabulation-api/util/__init__.py b/results-tabulation-api/util/__init__.py
index b9cb315d..4e76f8c0 100644
--- a/results-tabulation-api/util/__init__.py
+++ b/results-tabulation-api/util/__init__.py
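Review bot: `input_is_valid(request_body.get("content"))` is called before anything establishes that the body actually carried a `content` list; if `RequestBody.get` returns `None` for a missing key (its implementation is not visible here), the `for array_item in content_array` loop inside `input_is_valid` raises `TypeError` and the request surfaces as a 500 instead of the 400 this branch intends. Bind the value first and treat its absence explicitly, e.g. `content = request_body.get("content")` followed by `if content is None or not input_is_valid(content):`. The comment `# validate user inputs to prevent XSS attacks` overstates what a character denylist achieves — the defence against XSS is escaping wherever tally-sheet values are rendered — so I would reword it to `# reject values with disallowed characters or over-long strings; rendering must still escape output`. `create` continues past the end of the hunk.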
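Review bot: `InvalidInputException` passes `"Forbidden"` as the fourth argument to `ProblemException` while returning status 400; the sibling `NotImplementedException` just above pairs 501 with `"NotImplemented"`, so that argument appears to be a type/category label clients may key on, and `"Forbidden"` would misclassify a validation failure as an authorization one. I would change the line to `raise ProblemException(400, "Invalid Input", message, "InvalidInput", code)`, or whatever label the module's other 4xx helpers use (they sit outside the hunk). A one-line docstring would also help, e.g. `"""Fail the request with HTTP 400 because a client-supplied value did not pass validation."""`.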
@@ -156,3 +156,14 @@ def get_sum_of_all_and_nan_otherwise(array):
 result += val
 return result
+
+
+def input_is_valid(content_array):
+ invalid_strings = ["'", "\"", "<", ">", "=", ",", ";"]
+ for array_item in content_array:
+ for value in array_item:
+ text_value = str(array_item[value])
+ for char in invalid_strings:
+ if char in text_value or len(text_value) > 500:
+ return False
+ return True
\ No newline at end of file
diff --git a/results-tabulation-ui/src/components/tally-sheet/tally-sheet-edit/index.js b/results-tabulation-ui/src/components/tally-sheet/tally-sheet-edit/index.js
index 76394215..36b105bf 100644
--- a/results-tabulation-ui/src/components/tally-sheet/tally-sheet-edit/index.js
+++ b/results-tabulation-ui/src/components/tally-sheet/tally-sheet-edit/index.js
@@ -82,12 +82,12 @@ export function useTallySheetEdit(props) {
 const body = getTallySheetRequestBody();
 if (validateTallySheetContent()) {
- setSaved(true);
 setProcessing(true);
 setProcessingLabel("Saving");
 try {
 const tallySheet = await tallySheetContext.saveTallySheetVersion(tallySheetId, tallySheetCode, body);
 setTallySheetVersion(tallySheet.latestVersion);
+ setSaved(true);
 } catch (e) {
 const errorCode = getErrorCode(e);
 messagesContext.push({
diff --git a/results-tabulation-ui/src/locale/messages_en.js b/results-tabulation-ui/src/locale/messages_en.js
index 3a55339d..5099f3db 100644
--- a/results-tabulation-ui/src/locale/messages_en.js
+++ b/results-tabulation-ui/src/locale/messages_en.js
@@ -54,6 +54,6 @@ export const API_MESSAGES_EN = {
 4005: "Workflow action is now allowed.",
 4006: "Tally sheet is not allowed to be notified.",
 4007: "Tally sheet is not allowed to be release.",
- 4008: "Cannot request changes since the data from this report has been already aggregated in verified summary reports."
-
+4008: "Cannot request changes since the data from this report has been already aggregated in verified summary reports.",
+4009: "Invalid characters used. Please check your inputs"
 }
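Review bot: `input_is_valid` raises `TypeError` rather than returning `False` when `content_array` is `None` or when an item is not a mapping (a string item iterates its characters and `array_item[value]` then fails), so malformed input becomes a 500 at the API boundary instead of the 400 the caller intends. The length test `len(text_value) > 500` sits inside the per-character loop, so it is re-evaluated for every entry of `invalid_strings` and is skipped entirely if that list were ever empty; it belongs before the loop. A character denylist is also not an XSS control and will reject legitimate data such as a name containing an apostrophe or a comma — the UI must still escape values on render — so the docstring should describe this as a format/length sanity check rather than an XSS defence. A reshaped version covering these points:
```python
def input_is_valid(content_array):
    """Return True when every value of every content item is at most 500
    characters long and contains none of the disallowed characters.

    This is a format sanity check, not an XSS defence: rendered output must
    still be escaped. Returns False rather than raising for None input or
    for items that are not dicts.
    """
    invalid_strings = ["'", "\"", "<", ">", "=", ",", ";"]
    if content_array is None:
        return False
    for array_item in content_array:
        if not isinstance(array_item, dict):
            return False
        for text_value in map(str, array_item.values()):
            # length first: it does not depend on the denylist
            if len(text_value) > 500:
                return False
            if any(char in text_value for char in invalid_strings):
                return False
    return True
```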