Remove hidden characters from form fields (#3597)

* Remove control and non-printable characters from form fields (server side)

* Update regex to properly filter out control characters only

* Add regex lib to requirements file

* Fix regex in javascript (client side)

* add required unicode flag
This commit is contained in:
Oliver 2022-08-24 15:12:02 +10:00 committed by GitHub
parent 2dd5a43444
commit 69c3e5e222
5 changed files with 42 additions and 3 deletions


@ -2,6 +2,7 @@
from django.utils.translation import gettext_lazy as _
import regex
from bleach import clean
from rest_framework import generics, status
from rest_framework.exceptions import ValidationError
@ -71,6 +72,12 @@ class CleanMixin():
field: [_("Remove HTML tags from this value")]
})
# Remove ASCII control characters
cleaned = regex.sub(u'[\x01-\x1F]+', '', cleaned)
# Remove Unicode control characters
cleaned = regex.sub(u'[^\P{C}]+', '', cleaned)
return cleaned
def clean_data(self, data: dict) -> dict:
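Review bot: The character class `[^\P{C}]+` in the second regex.sub is a double negation that reads as the opposite of its intent; `\p{C}+` matches the same set (Unicode general category Other) and is what the JavaScript hunk already uses, so `cleaned = regex.sub(r'\p{C}+', '', cleaned)` is clearer, and the raw string avoids embedding literal control bytes as the `u'[\x01-\x1F]+'` form does. Once that pass runs, the preceding ASCII-control sub is redundant, because category Cc covers U+0000–U+001F and U+007F–U+009F (the `[\x01-\x1F]` range also misses DEL, so the Unicode pass is the one doing the work); the same duplication exists in the sanitizeInputString hunk. Note that category C also takes in Cf, which includes the zero-width joiner and non-joiner (U+200D/U+200C) that are legitimate in emoji sequences and in Arabic or Indic text, not only the bidi controls the new test targets; if non-Latin input matters, either document that format characters are stripped by design or exclude those two code points explicitly. The enclosing clean method starts above this hunk.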


@ -223,7 +223,10 @@ class PartCategoryAPITest(InvenTreeAPITestCase):
self.assertEqual(PartCategoryParameterTemplate.objects.count(), 0)
def test_bleach(self):
"""Test that the data cleaning functionality is working"""
"""Test that the data cleaning functionality is working.
This helps to protect against XSS injection
"""
url = reverse('api-part-category-detail', kwargs={'pk': 1})
@ -244,6 +247,8 @@ class PartCategoryAPITest(InvenTreeAPITestCase):
expected_code=400
)
self.assertIn('Remove HTML tags', str(response.data))
# Raw characters should be allowed
allowed = [
'<< hello',
@ -262,6 +267,30 @@ class PartCategoryAPITest(InvenTreeAPITestCase):
self.assertEqual(response.data['description'], val)
def test_invisible_chars(self):
"""Test that invisible characters are removed from the input data"""
url = reverse('api-part-category-detail', kwargs={'pk': 1})
values = [
'A part\n category\n\t',
'A\t part\t category\t',
'A pa\rrt cat\r\r\regory',
'A part\u200e catego\u200fry\u202e'
]
for val in values:
response = self.patch(
url,
{
'description': val,
},
expected_code=200,
)
self.assertEqual(response.data['description'], 'A part category')
class PartOptionsAPITest(InvenTreeAPITestCase):
"""Tests for the various OPTIONS endpoints in the /part/ API.
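Review bot: test_invisible_chars only checks that control and format characters are removed; there is no case confirming that printable non-ASCII text survives the new `\p{C}` filter, which is the regression that a rule such as `[^ -~]` (the one the JavaScript hunk appears to replace) would cause. Adding a value such as `'Pièce détachée'` to the allowed list in test_bleach, or a second loop here asserting the description is returned unchanged, would pin that behaviour. The new docstring also lacks the trailing period used by the docstring added to test_bleach: `"""Test that invisible characters are removed from the input data."""`.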


@ -341,8 +341,8 @@ function sanitizeInputString(s, options={}) {
// Remove ASCII control characters
s = s.replace(/[\x01-\x1F]+/g, '');
// Remove non-printable characters
s = s.replace(/[^ -~]+/g, '');
// Remove Unicode control characters
s = s.replace(/[\p{C}]+/gu, '');
s = s.trim();
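Review bot: The brackets around `\p{C}` in the new replace add nothing; `s = s.replace(/\p{C}+/gu, '');` is the same expression. A comment stating that this mirrors the server-side CleanMixin and that the server-side filter is the authoritative one would help the next reader keep the two regexes in sync when either changes, e.g. `// Mirrors CleanMixin on the server, which remains the authoritative filter`. sanitizeInputString begins above this hunk.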


@ -30,6 +30,7 @@ pillow # Image manipulation
python-barcode[images] # Barcode generator
qrcode[pil] # QR code generator
rapidfuzz==0.7.6 # Fuzzy string matching
regex # Advanced regular expressions
sentry-sdk # Error reporting (optional)
setuptools # Standard depenedency
tablib[xls,xlsx,yaml] # Support for XLS and XLSX formats


@ -194,6 +194,8 @@ redis==3.5.3
# via
# django-q
# django-redis
regex==2022.8.17
# via -r requirements.in
requests==2.28.1
# via
# coreapi