Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Lack of Input Validation in Note Creation #8

Closed
dr3394 opened this issue Sep 22, 2024 · 3 comments
Closed

Lack of Input Validation in Note Creation #8

dr3394 opened this issue Sep 22, 2024 · 3 comments

Comments

@dr3394
Copy link
Contributor

dr3394 commented Sep 22, 2024

There is no input validation or sanitization when creating or updating a note (create_note, update_note). This opens up the application to potential injection attacks, such as Cross-Site Scripting (XSS) or even command injection in the future.

Use input validation and sanitization libraries to filter out or encode potentially harmful input. For Flask, libraries like bleach can be used to sanitize user input.

@jjl9839
Copy link
Contributor

jjl9839 commented Sep 26, 2024

@CSGY-9223-Group3/engineering & @CSGY-9223-Group3/security
Bleach is deprecated, mozilla/bleach#698. Please use a different HTML sanitization library such as https://github.com/matthiask/html-sanitizer/

esamnyu added a commit that referenced this issue Sep 27, 2024
- Add html-sanitizer library to sanitize user input
- Sanitize data in create_note and update_note functions
- Prevent potential XSS and injection attacks
- Address issue #8: Lack of Input Validation in Note Creation

This commit enhances the security of the application by
implementing input sanitization for user-generated content,
reducing the risk of malicious code injection.
@esamnyu
Copy link
Contributor

esamnyu commented Sep 27, 2024

Thank you @dr3394 for raising this important security concern, and @jjl9839 for the updated recommendation on the sanitization library.

We have addressed this issue by implementing input sanitization for both note creation and updates. Here are the changes we've made:

  1. We've added the html-sanitizer library as recommended, which is actively maintained and suitable for our needs.

  2. We've updated both the create_note and update_note functions to sanitize user input before storing or updating note content.

  3. The sanitization process helps prevent potential XSS attacks and other injection vulnerabilities by removing potentially harmful HTML elements and attributes while preserving safe content.

Here's a snippet of the implemented changes:

from html_sanitizer import Sanitizer

sanitizer = Sanitizer()

def create_note(note_id, user, data, is_public):
    sanitized_data = sanitizer.sanitize(data)
    notes[note_id] = {"text": sanitized_data, "author": user, "isPublic": is_public}
    # ... rest of the function

def update_note(note_id, user, data):
    if can_user_modify(user, note_id):
        sanitized_data = sanitizer.sanitize(data)
        notes[note_id]["text"] = sanitized_data
        # ... rest of the function

@esamnyu esamnyu closed this as completed Sep 27, 2024
@dr3394
Copy link
Contributor Author

dr3394 commented Sep 29, 2024

Adjusted to make it a function:

def sanitize_input(data):
    """Sanitize user input to prevent XSS."""
    return sanitizer.sanitize(data)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants