From ad9042e88fe815f85f2f143400ee850f06076903 Mon Sep 17 00:00:00 2001 From: Wout Bouckaert Date: Sat, 12 Aug 2023 21:53:26 -0600 Subject: [PATCH] Replace bleach with nh3. --- app/classes/web/ajax_handler.py | 18 +++++----- app/classes/web/base_handler.py | 4 +-- app/classes/web/file_handler.py | 22 ++++++------ app/classes/web/panel_handler.py | 60 +++++++++++++++---------------- app/classes/web/public_handler.py | 14 ++++---- app/classes/web/server_handler.py | 42 +++++++++++----------- requirements.txt | 2 +- 7 files changed, 79 insertions(+), 83 deletions(-) diff --git a/app/classes/web/ajax_handler.py b/app/classes/web/ajax_handler.py index efe8d2fa..df2d701d 100644 --- a/app/classes/web/ajax_handler.py +++ b/app/classes/web/ajax_handler.py @@ -5,7 +5,7 @@ import re import logging import time import urllib.parse -import bleach +import nh3 import tornado.web import tornado.escape @@ -29,7 +29,7 @@ class AjaxHandler(BaseHandler): @tornado.web.authenticated def get(self, page): _, _, exec_user = self.current_user - error = bleach.clean(self.get_argument("error", "WTF Error!")) + error = nh3.clean(self.get_argument("error", "WTF Error!")) template = "panel/denied.html" @@ -48,7 +48,7 @@ class AjaxHandler(BaseHandler): self.redirect("/panel/error?error=Server ID Not Found") return - server_id = bleach.clean(server_id) + server_id = nh3.clean(server_id) server_data = self.controller.servers.get_server_data_by_id(server_id) if not server_data: @@ -246,7 +246,7 @@ class AjaxHandler(BaseHandler): if not self.check_server_id(server_id, "get_tree"): return - server_id = bleach.clean(server_id) + server_id = nh3.clean(server_id) if Helpers.validate_traversal( self.controller.servers.get_server_data_by_id(server_id)["path"], path 
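Review bot: `nh3.clean` without a `tags` argument is not a drop-in for `bleach.clean` on the `error = nh3.clean(self.get_argument("error", "WTF Error!"))` line: bleach's default escaped every tag outside its small allowlist, while nh3 applies ammonia's much broader default allowlist (headings, `div`, `img`, tables, …) and strips anything else, dropping `<script>`/`<style>` bodies entirely instead of rendering them as literal text. For a value that is shown back to the user on panel/denied.html that means different markup survives than before, and for identifiers such as the `server_id = nh3.clean(server_id)` lines in the later hunks an HTML cleaner was never the right check in the first place. If the intent is "no markup", pass an explicit allowlist, `nh3.clean(value, tags=set())`, and add a comment that nh3 strips tags rather than escaping them; the same applies to every other hunk in this patch, and the one place to fix it centrally is the auto-sanitising helper in the base_handler.py hunk, where the `nobleach` attribute and the "Auto-bleaching" log line still name the old library. The enclosing `get` method continues outside the hunk.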
@@ -327,7 +327,7 @@ class AjaxHandler(BaseHandler): elif page == "send_order": self.controller.users.update_server_order( - exec_user["user_id"], bleach.clean(self.get_argument("order")) + exec_user["user_id"], nh3.clean(self.get_argument("order")) ) return @@ -392,8 +392,8 @@ class AjaxHandler(BaseHandler): if not superuser: self.redirect("/panel/error?error=Unauthorized access to Backups") return - server_id = bleach.clean(self.get_argument("id", None)) - zip_name = bleach.clean(self.get_argument("zip_file", None)) + server_id = nh3.clean(self.get_argument("id", None)) + zip_name = nh3.clean(self.get_argument("zip_file", None)) svr_obj = self.controller.servers.get_server_obj(server_id) server_data = self.controller.servers.get_server_data_by_id(server_id) @@ -652,7 +652,7 @@ class AjaxHandler(BaseHandler): if not self.check_server_id(server_id, "del_backup"): return - server_id = bleach.clean(server_id) + server_id = nh3.clean(server_id) server_info = self.controller.servers.get_server_data_by_id(server_id) if not ( @@ -684,7 +684,7 @@ class AjaxHandler(BaseHandler): f"Server ID not defined in {page_name} ajax call ({server_id})" ) return - server_id = bleach.clean(server_id) + server_id = nh3.clean(server_id) # does this server id exist? if not self.controller.servers.server_id_exists(server_id): diff --git a/app/classes/web/base_handler.py b/app/classes/web/base_handler.py index e772d633..11a62ff8 100644 --- a/app/classes/web/base_handler.py +++ b/app/classes/web/base_handler.py @@ -2,7 +2,7 @@ import logging import re import typing as t import orjson -import bleach +import nh3 import tornado.web from app.classes.models.crafty_permissions import EnumPermissionsCrafty @@ -93,7 +93,7 @@ class BaseHandler(tornado.web.RequestHandler): if type(text) in self.nobleach: logger.debug("Auto-bleaching - bypass type") return text - return bleach.clean(text) + return nh3.clean(text) def get_argument( self, 
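Review bot: `server_id = nh3.clean(self.get_argument("id", None))` and the `zip_name` line under it hand `None` to nh3 when the argument is absent, and nh3 accepts only `str`, so a missing id fails with a TypeError (a 500) rather than the controlled redirect used elsewhere in this handler — assuming the overridden `get_argument` passes an explicit `None` default through, which is not visible here. The same `get_argument(..., None)` followed by `nh3.clean` pattern recurs in the panel_handler and server_handler hunks. Check for absence before cleaning, e.g. `server_id = self.get_argument("id", None)` then `if server_id is None: self.redirect("/panel/error?error=Server ID Not Found"); return`, or use an empty-string default where the following code tolerates it. The enclosing handler method starts outside the hunk.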
diff --git a/app/classes/web/file_handler.py b/app/classes/web/file_handler.py index e2d07476..f3c05151 100644 --- a/app/classes/web/file_handler.py +++ b/app/classes/web/file_handler.py @@ -1,6 +1,6 @@ import os import logging -import bleach +import nh3 import tornado.web import tornado.escape @@ -55,7 +55,7 @@ class FileHandler(BaseHandler): if not self.check_server_id(server_id, "get_file"): return - server_id = bleach.clean(server_id) + server_id = nh3.clean(server_id) if not self.helper.is_subdir( file_path, @@ -92,7 +92,7 @@ class FileHandler(BaseHandler): if not self.check_server_id(server_id, "get_tree"): return - server_id = bleach.clean(server_id) + server_id = nh3.clean(server_id) if Helpers.validate_traversal( self.controller.servers.get_server_data_by_id(server_id)["path"], path @@ -113,7 +113,7 @@ class FileHandler(BaseHandler): if not self.check_server_id(server_id, "get_tree"): return - server_id = bleach.clean(server_id) + server_id = nh3.clean(server_id) if Helpers.validate_traversal( self.controller.servers.get_server_data_by_id(server_id)["path"], path @@ -161,7 +161,7 @@ class FileHandler(BaseHandler): if not self.check_server_id(server_id, "create_file"): return - server_id = bleach.clean(server_id) + server_id = nh3.clean(server_id) if not self.helper.is_subdir( file_path, @@ -194,7 +194,7 @@ class FileHandler(BaseHandler): if not self.check_server_id(server_id, "create_dir"): return - server_id = bleach.clean(server_id) + server_id = nh3.clean(server_id) if not self.helper.is_subdir( dir_path, @@ -259,7 +259,7 @@ class FileHandler(BaseHandler): if not self.check_server_id(server_id, "del_file"): return - server_id = bleach.clean(server_id) + server_id = nh3.clean(server_id) server_info = self.controller.servers.get_server_data_by_id(server_id) if not ( 
@@ -293,7 +293,7 @@ class FileHandler(BaseHandler): if not self.check_server_id(server_id, "del_dir"): return - server_id = bleach.clean(server_id) + server_id = nh3.clean(server_id) server_info = self.controller.servers.get_server_data_by_id(server_id) if not self.helper.is_subdir( @@ -346,7 +346,7 @@ class FileHandler(BaseHandler): if not self.check_server_id(server_id, "save_file"): return - server_id = bleach.clean(server_id) + server_id = nh3.clean(server_id) if not self.helper.is_subdir( file_path, @@ -401,7 +401,7 @@ class FileHandler(BaseHandler): if not self.check_server_id(server_id, "rename_file"): return - server_id = bleach.clean(server_id) + server_id = nh3.clean(server_id) if item_path is None or new_item_name is None: logger.warning("Invalid path(s) in rename_file file ajax call") @@ -450,7 +450,7 @@ class FileHandler(BaseHandler): f"Server ID not defined in {page_name} file ajax call ({server_id})" ) return - server_id = bleach.clean(server_id) + server_id = nh3.clean(server_id) # does this server id exist? if not self.controller.servers.server_id_exists(server_id): diff --git a/app/classes/web/panel_handler.py b/app/classes/web/panel_handler.py index 20c76c1a..0dc3c586 100644 --- a/app/classes/web/panel_handler.py +++ b/app/classes/web/panel_handler.py @@ -7,7 +7,7 @@ import json import logging import threading import urllib.parse -import bleach +import nh3 import requests import tornado.web import tornado.escape @@ -67,9 +67,7 @@ class PanelHandler(BaseHandler): ) in self.controller.crafty_perms.list_defined_crafty_permissions(): argument = int( float( - bleach.clean( - self.get_argument(f"permission_{permission.name}", "0") - ) + nh3.clean(self.get_argument(f"permission_{permission.name}", "0")) ) ) if argument: 
@@ -78,9 +76,7 @@ class PanelHandler(BaseHandler): ) q_argument = int( - float( - bleach.clean(self.get_argument(f"quantity_{permission.name}", "0")) - ) + float(nh3.clean(self.get_argument(f"quantity_{permission.name}", "0"))) ) if q_argument: server_quantity[permission.name] = q_argument @@ -479,7 +475,7 @@ class PanelHandler(BaseHandler): template = "panel/dashboard.html" elif page == "server_detail": - subpage = bleach.clean(self.get_argument("subpage", "")) + subpage = nh3.clean(self.get_argument("subpage", "")) server_id = self.check_server_id() if server_id is None: @@ -1284,7 +1280,7 @@ class PanelHandler(BaseHandler): template = "panel/panel_edit_user_apikeys.html" elif page == "remove_user": - user_id = bleach.clean(self.get_argument("id", None)) + user_id = nh3.clean(self.get_argument("id", None)) if ( not superuser @@ -1416,7 +1412,7 @@ class PanelHandler(BaseHandler): template = "panel/panel_edit_role.html" elif page == "remove_role": - role_id = bleach.clean(self.get_argument("id", None)) + role_id = nh3.clean(self.get_argument("id", None)) if ( not superuser @@ -1604,7 +1600,7 @@ class PanelHandler(BaseHandler): backup_path = Helpers.wtol_path(backup_path) else: backup_path = server_obj.backup_path - max_backups = bleach.clean(self.get_argument("max_backups", None)) + max_backups = nh3.clean(self.get_argument("max_backups", None)) server_obj = self.controller.servers.get_server_obj(server_id) 
@@ -1665,15 +1661,15 @@ class PanelHandler(BaseHandler): self.redirect("/panel/config_json") elif page == "edit_user": - if bleach.clean(self.get_argument("username", None)).lower() == "system": + if nh3.clean(self.get_argument("username", None)).lower() == "system": self.redirect( "/panel/error?error=Unauthorized access: " "system user is not editable" ) - user_id = bleach.clean(self.get_argument("id", None)) + user_id = nh3.clean(self.get_argument("id", None)) user = self.controller.users.get_user_by_id(user_id) - username = bleach.clean(self.get_argument("username", None).lower()) - theme = bleach.clean(self.get_argument("theme", "default")) + username = nh3.clean(self.get_argument("username", None).lower()) + theme = nh3.clean(self.get_argument("theme", "default")) if ( username != self.controller.users.get_user_by_id(user_id)["username"] and username in self.controller.users.get_all_usernames() @@ -1681,16 +1677,16 @@ class PanelHandler(BaseHandler): self.redirect( "/panel/error?error=Duplicate User: Useranme already exists." ) - password0 = bleach.clean(self.get_argument("password0", None)) - password1 = bleach.clean(self.get_argument("password1", None)) - email = bleach.clean(self.get_argument("email", "default@example.com")) + password0 = nh3.clean(self.get_argument("password0", None)) + password1 = nh3.clean(self.get_argument("password1", None)) + email = nh3.clean(self.get_argument("email", "default@example.com")) enabled = int(float(self.get_argument("enabled", "0"))) try: - hints = int(bleach.clean(self.get_argument("hints"))) + hints = int(nh3.clean(self.get_argument("hints"))) hints = True except: hints = False - lang = bleach.clean( + lang = nh3.clean( self.get_argument("language"), self.helper.get_setting("language") ) 
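Review bot: `lang = nh3.clean(self.get_argument("language"), self.helper.get_setting("language"))` passes the configured default language as nh3's second positional parameter, which is `tags`, not a fallback value; nh3 expects a set there, so a string is most likely rejected with a TypeError, and `get_argument("language")` with no default already raises for a missing field, so the fallback never applies. The default was evidently meant for `get_argument`, as the add_user hunk does it: `lang = nh3.clean(self.get_argument("language", self.helper.get_setting("language")))`. The `theme = nh3.clean(self.get_argument("theme"), "default")` line in the add_user hunk has the same mistake and should become `theme = nh3.clean(self.get_argument("theme", "default"))`. The enclosing post handler starts and ends outside the hunk.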
@@ -1699,7 +1695,7 @@ class PanelHandler(BaseHandler): # We don't want that. Automatically make them stay super user # since we know they are. if str(exec_user["user_id"]) != str(user_id): - superuser = int(bleach.clean(self.get_argument("superuser", "0"))) + superuser = int(nh3.clean(self.get_argument("superuser", "0"))) else: superuser = 1 else: @@ -1877,7 +1873,7 @@ class PanelHandler(BaseHandler): self.finish() elif page == "add_user": - username = bleach.clean(self.get_argument("username", None).lower()) + username = nh3.clean(self.get_argument("username", None).lower()) if username.lower() == "system": self.redirect( "/panel/error?error=Unauthorized access: " @@ -1885,18 +1881,18 @@ class PanelHandler(BaseHandler): " Please choose a different username." ) return - password0 = bleach.clean(self.get_argument("password0", None)) - password1 = bleach.clean(self.get_argument("password1", None)) - email = bleach.clean(self.get_argument("email", "default@example.com")) + password0 = nh3.clean(self.get_argument("password0", None)) + password1 = nh3.clean(self.get_argument("password1", None)) + email = nh3.clean(self.get_argument("email", "default@example.com")) enabled = int(float(self.get_argument("enabled", "0"))) - theme = bleach.clean(self.get_argument("theme"), "default") + theme = nh3.clean(self.get_argument("theme"), "default") hints = True - lang = bleach.clean( + lang = nh3.clean( self.get_argument("lang", self.helper.get_setting("language")) ) # We don't want a non-super user to be able to create a super user. if superuser: - new_superuser = int(bleach.clean(self.get_argument("superuser", "0"))) + new_superuser = int(nh3.clean(self.get_argument("superuser", "0"))) else: new_superuser = 0 
@@ -1971,8 +1967,8 @@ class PanelHandler(BaseHandler): self.redirect("/panel/panel_config") elif page == "edit_role": - role_id = bleach.clean(self.get_argument("id", None)) - role_name = bleach.clean(self.get_argument("role_name", None)) + role_id = nh3.clean(self.get_argument("id", None)) + role_name = nh3.clean(self.get_argument("role_name", None)) role = self.controller.roles.get_role(role_id) @@ -2018,7 +2014,7 @@ class PanelHandler(BaseHandler): self.redirect("/panel/panel_config") elif page == "add_role": - role_name = bleach.clean(self.get_argument("role_name", None)) + role_name = nh3.clean(self.get_argument("role_name", None)) if exec_user["superuser"]: manager = self.get_argument("manager", None) if manager == "": @@ -2092,7 +2088,7 @@ class PanelHandler(BaseHandler): } if page == "remove_apikey": - key_id = bleach.clean(self.get_argument("id", None)) + key_id = nh3.clean(self.get_argument("id", None)) if not superuser: self.redirect("/panel/error?error=Unauthorized access: not superuser") diff --git a/app/classes/web/public_handler.py b/app/classes/web/public_handler.py index 76c6a8be..b7d1be9b 100644 --- a/app/classes/web/public_handler.py +++ b/app/classes/web/public_handler.py @@ -1,5 +1,5 @@ import logging -import bleach +import nh3 from app.classes.shared.helpers import Helpers from app.classes.models.users import HelperUsers @@ -28,8 +28,8 @@ class PublicHandler(BaseHandler): # self.clear_cookie("user_data") def get(self, page=None): - error = bleach.clean(self.get_argument("error", "Invalid Login!")) - error_msg = bleach.clean(self.get_argument("error_msg", "")) + error = nh3.clean(self.get_argument("error", "Invalid Login!")) + error_msg = nh3.clean(self.get_argument("error_msg", "")) page_data = { "version": self.helper.get_version_string(), 
@@ -82,8 +82,8 @@ class PublicHandler(BaseHandler): ) def post(self, page=None): - error = bleach.clean(self.get_argument("error", "Invalid Login!")) - error_msg = bleach.clean(self.get_argument("error_msg", "")) + error = nh3.clean(self.get_argument("error", "Invalid Login!")) + error_msg = nh3.clean(self.get_argument("error_msg", "")) page_data = { "version": self.helper.get_version_string(), @@ -100,8 +100,8 @@ class PublicHandler(BaseHandler): if self.request.query: next_page = "/login?" + self.request.query - entered_username = bleach.clean(self.get_argument("username")) - entered_password = bleach.clean(self.get_argument("password")) + entered_username = nh3.clean(self.get_argument("username")) + entered_password = nh3.clean(self.get_argument("password")) # pylint: disable=no-member try: diff --git a/app/classes/web/server_handler.py b/app/classes/web/server_handler.py index eae3ce0c..42cb8ce5 100644 --- a/app/classes/web/server_handler.py +++ b/app/classes/web/server_handler.py @@ -4,7 +4,7 @@ import os import time import tornado.web import tornado.escape -import bleach +import nh3 from app.classes.models.crafty_permissions import EnumPermissionsCrafty from app.classes.shared.helpers import Helpers @@ -195,8 +195,8 @@ class ServerHandler(BaseHandler): } if page == "command": - server_id = bleach.clean(self.get_argument("id", None)) - command = bleach.clean(self.get_argument("command", None)) + server_id = nh3.clean(self.get_argument("id", None)) + command = nh3.clean(self.get_argument("command", None)) if server_id is not None: if command == "clone_server": 
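Review bot: `entered_password = nh3.clean(self.get_argument("password"))` runs an HTML sanitiser over a credential that is only compared against a stored hash and never rendered, so any `<`, `>` or `&` in a password is rewritten before verification. That only works while the set-time path (`password0` in the panel_handler add_user/edit_user hunks) applies the identical transformation, and since existing hashes were computed over bleach-cleaned input, any character the two libraries serialise differently would lock those users out after this upgrade — worth a release note and a regression test with such a password. The cleaner adds nothing on this line; `entered_password = self.get_argument("password")`, the same change on the set-time lines, and an explicit migration for accounts created under the old cleaning is the fix. The `entered_username` line above has the same concern for lookups by name; the enclosing post handler continues outside the hunk.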
@@ -311,24 +311,24 @@ class ServerHandler(BaseHandler): user_roles = self.controller.roles.get_all_roles() else: user_roles = self.get_user_roles() - server = bleach.clean(self.get_argument("server", "")) - server_name = bleach.clean(self.get_argument("server_name", "")) - min_mem = bleach.clean(self.get_argument("min_memory", "")) - max_mem = bleach.clean(self.get_argument("max_memory", "")) - port = bleach.clean(self.get_argument("port", "")) + server = nh3.clean(self.get_argument("server", "")) + server_name = nh3.clean(self.get_argument("server_name", "")) + min_mem = nh3.clean(self.get_argument("min_memory", "")) + max_mem = nh3.clean(self.get_argument("max_memory", "")) + port = nh3.clean(self.get_argument("port", "")) if int(port) < 1 or int(port) > 65535: self.redirect( "/panel/error?error=Constraint Error: " "Port must be greater than 0 and less than 65535" ) return - import_type = bleach.clean(self.get_argument("create_type", "")) - import_server_path = bleach.clean(self.get_argument("server_path", "")) - import_server_jar = bleach.clean(self.get_argument("server_jar", "")) + import_type = nh3.clean(self.get_argument("create_type", "")) + import_server_path = nh3.clean(self.get_argument("server_path", "")) + import_server_jar = nh3.clean(self.get_argument("server_jar", "")) server_parts = server.split("|") captured_roles = [] for role in user_roles: - if bleach.clean(self.get_argument(str(role), "")) == "on": + if nh3.clean(self.get_argument(str(role), "")) == "on": captured_roles.append(role) if not server_name: @@ -372,7 +372,7 @@ class ServerHandler(BaseHandler): ) elif import_type == "import_zip": # here import_server_path means the zip path - zip_path = bleach.clean(self.get_argument("root_path")) + zip_path = nh3.clean(self.get_argument("root_path")) good_path = Helpers.check_path_exists(zip_path) if not good_path: self.redirect("/panel/error?error=Temp path not found!") 
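Review bot: `zip_path = nh3.clean(self.get_argument("root_path"))` applies an HTML cleaner to a filesystem path and then tests it with `Helpers.check_path_exists`; a directory name containing `&`, `<` or `>` is rewritten (`&` serialises as `&amp;`, tag-like text is stripped), so a legitimate path fails the existence check while nothing is gained, because the check that matters for a path is containment, not markup removal. The same applies to `import_server_path`, `import_server_jar` and `port` in the first hunk of this file, where `int(port)` on a cleaned but non-numeric or empty value still raises ValueError, and to the matching lines in the second create-server hunk on the following line of the patch. Prefer validating these values as what they are: `port` through `int()` inside a try/except that redirects on failure, and paths through the `is_subdir`/`validate_traversal` helpers already used in file_handler.py. The surrounding post handler begins outside the hunk.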
@@ -476,9 +476,9 @@ class ServerHandler(BaseHandler): user_roles = self.controller.roles.get_all_roles() else: user_roles = self.controller.roles.get_all_roles() - server = bleach.clean(self.get_argument("server", "")) - server_name = bleach.clean(self.get_argument("server_name", "")) - port = bleach.clean(self.get_argument("port", "")) + server = nh3.clean(self.get_argument("server", "")) + server_name = nh3.clean(self.get_argument("server_name", "")) + port = nh3.clean(self.get_argument("port", "")) if not port: port = 19132 @@ -488,13 +488,13 @@ class ServerHandler(BaseHandler): "Port must be greater than 0 and less than 65535" ) return - import_type = bleach.clean(self.get_argument("create_type", "")) - import_server_path = bleach.clean(self.get_argument("server_path", "")) - import_server_exe = bleach.clean(self.get_argument("server_jar", "")) + import_type = nh3.clean(self.get_argument("create_type", "")) + import_server_path = nh3.clean(self.get_argument("server_path", "")) + import_server_exe = nh3.clean(self.get_argument("server_jar", "")) server_parts = server.split("|") captured_roles = [] for role in user_roles: - if bleach.clean(self.get_argument(str(role), "")) == "on": + if nh3.clean(self.get_argument(str(role), "")) == "on": captured_roles.append(role) if not server_name: @@ -536,7 +536,7 @@ class ServerHandler(BaseHandler): ) elif import_type == "import_zip": # here import_server_path means the zip path - zip_path = bleach.clean(self.get_argument("root_path")) + zip_path = nh3.clean(self.get_argument("root_path")) good_path = Helpers.check_path_exists(zip_path) if not good_path: self.redirect("/panel/error?error=Temp path not found!") diff --git a/requirements.txt b/requirements.txt index 98e095f1..df3360a0 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,7 +1,7 @@ apscheduler==3.8.1 argon2-cffi==21.3 -bleach==4.1 +nh3==0.2.14 cached_property==1.5.2 colorama==0.4 croniter==1.3.5