Replace bleach with nh3.

This commit is contained in:
Wout Bouckaert 2023-08-12 21:53:26 -06:00
parent 6421d4f2d5
commit ad9042e88f
No known key found for this signature in database
7 changed files with 79 additions and 83 deletions


@ -5,7 +5,7 @@ import re
import logging
import time
import urllib.parse
import bleach
import nh3
import tornado.web
import tornado.escape
@ -29,7 +29,7 @@ class AjaxHandler(BaseHandler):
@tornado.web.authenticated
def get(self, page):
_, _, exec_user = self.current_user
error = bleach.clean(self.get_argument("error", "WTF Error!"))
error = nh3.clean(self.get_argument("error", "WTF Error!"))
template = "panel/denied.html"
@ -48,7 +48,7 @@ class AjaxHandler(BaseHandler):
self.redirect("/panel/error?error=Server ID Not Found")
return
server_id = bleach.clean(server_id)
server_id = nh3.clean(server_id)
server_data = self.controller.servers.get_server_data_by_id(server_id)
if not server_data:
@ -246,7 +246,7 @@ class AjaxHandler(BaseHandler):
if not self.check_server_id(server_id, "get_tree"):
return
server_id = bleach.clean(server_id)
server_id = nh3.clean(server_id)
if Helpers.validate_traversal(
self.controller.servers.get_server_data_by_id(server_id)["path"], path
@ -327,7 +327,7 @@ class AjaxHandler(BaseHandler):
elif page == "send_order":
self.controller.users.update_server_order(
exec_user["user_id"], bleach.clean(self.get_argument("order"))
exec_user["user_id"], nh3.clean(self.get_argument("order"))
)
return
@ -392,8 +392,8 @@ class AjaxHandler(BaseHandler):
if not superuser:
self.redirect("/panel/error?error=Unauthorized access to Backups")
return
server_id = bleach.clean(self.get_argument("id", None))
zip_name = bleach.clean(self.get_argument("zip_file", None))
server_id = nh3.clean(self.get_argument("id", None))
zip_name = nh3.clean(self.get_argument("zip_file", None))
svr_obj = self.controller.servers.get_server_obj(server_id)
server_data = self.controller.servers.get_server_data_by_id(server_id)
@ -652,7 +652,7 @@ class AjaxHandler(BaseHandler):
if not self.check_server_id(server_id, "del_backup"):
return
server_id = bleach.clean(server_id)
server_id = nh3.clean(server_id)
server_info = self.controller.servers.get_server_data_by_id(server_id)
if not (
@ -684,7 +684,7 @@ class AjaxHandler(BaseHandler):
f"Server ID not defined in {page_name} ajax call ({server_id})"
)
return
server_id = bleach.clean(server_id)
server_id = nh3.clean(server_id)
# does this server id exist?
if not self.controller.servers.server_id_exists(server_id):
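Review bot: In the `get_tree` and `del_backup` hunks the sanitizer runs after `check_server_id()` has already accepted the raw value, so the id that was validated and the id looked up on the following line can differ whenever `nh3.clean` rewrites the string (it entity-encodes `&`, `<` and `>`, so a value carrying one of those passes the check but then misses the lookup). Placing `server_id = nh3.clean(server_id)` before `if not self.check_server_id(server_id, "get_tree"):` keeps the validated and the used value identical, or the clean can be dropped here since `check_server_id` already establishes the id. The same after-the-check ordering appears in every FileHandler hunk further down this page. The handler methods containing these lines start outside the hunks.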


@ -2,7 +2,7 @@ import logging
import re
import typing as t
import orjson
import bleach
import nh3
import tornado.web
from app.classes.models.crafty_permissions import EnumPermissionsCrafty
@ -93,7 +93,7 @@ class BaseHandler(tornado.web.RequestHandler):
if type(text) in self.nobleach:
logger.debug("Auto-bleaching - bypass type")
return text
return bleach.clean(text)
return nh3.clean(text)
def get_argument(
self,
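Review bot: `nh3.clean(text)` with default arguments is not a drop-in for `bleach.clean(text)` with default arguments: bleach's defaults keep a small set of inline tags and escape everything else, whereas nh3's defaults keep a much larger HTML allowlist and remove what is not allowed, so a value such as `<script>x</script>` that used to come back escaped now comes back with the element and its content dropped. Because this method is the sanitizer behind the `get_argument` override, that difference reaches every handler in the commit; if the intent is plain-text escaping of identifiers and form fields, `return nh3.clean(text, tags=set())` or `return nh3.clean_text(text)` states that, otherwise a one-line comment here should record which allowlist is intended. The attribute `self.nobleach` and the log line `"Auto-bleaching - bypass type"` now name the removed library; a comment such as `# "nobleach"/"bleaching" predate the move to nh3; types listed are returned unsanitized` would keep the next reader oriented until they are renamed. The method's signature and the `nobleach` definition are outside the hunk.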


@ -1,6 +1,6 @@
import os
import logging
import bleach
import nh3
import tornado.web
import tornado.escape
@ -55,7 +55,7 @@ class FileHandler(BaseHandler):
if not self.check_server_id(server_id, "get_file"):
return
server_id = bleach.clean(server_id)
server_id = nh3.clean(server_id)
if not self.helper.is_subdir(
file_path,
@ -92,7 +92,7 @@ class FileHandler(BaseHandler):
if not self.check_server_id(server_id, "get_tree"):
return
server_id = bleach.clean(server_id)
server_id = nh3.clean(server_id)
if Helpers.validate_traversal(
self.controller.servers.get_server_data_by_id(server_id)["path"], path
@ -113,7 +113,7 @@ class FileHandler(BaseHandler):
if not self.check_server_id(server_id, "get_tree"):
return
server_id = bleach.clean(server_id)
server_id = nh3.clean(server_id)
if Helpers.validate_traversal(
self.controller.servers.get_server_data_by_id(server_id)["path"], path
@ -161,7 +161,7 @@ class FileHandler(BaseHandler):
if not self.check_server_id(server_id, "create_file"):
return
server_id = bleach.clean(server_id)
server_id = nh3.clean(server_id)
if not self.helper.is_subdir(
file_path,
@ -194,7 +194,7 @@ class FileHandler(BaseHandler):
if not self.check_server_id(server_id, "create_dir"):
return
server_id = bleach.clean(server_id)
server_id = nh3.clean(server_id)
if not self.helper.is_subdir(
dir_path,
@ -259,7 +259,7 @@ class FileHandler(BaseHandler):
if not self.check_server_id(server_id, "del_file"):
return
server_id = bleach.clean(server_id)
server_id = nh3.clean(server_id)
server_info = self.controller.servers.get_server_data_by_id(server_id)
if not (
@ -293,7 +293,7 @@ class FileHandler(BaseHandler):
if not self.check_server_id(server_id, "del_dir"):
return
server_id = bleach.clean(server_id)
server_id = nh3.clean(server_id)
server_info = self.controller.servers.get_server_data_by_id(server_id)
if not self.helper.is_subdir(
@ -346,7 +346,7 @@ class FileHandler(BaseHandler):
if not self.check_server_id(server_id, "save_file"):
return
server_id = bleach.clean(server_id)
server_id = nh3.clean(server_id)
if not self.helper.is_subdir(
file_path,
@ -401,7 +401,7 @@ class FileHandler(BaseHandler):
if not self.check_server_id(server_id, "rename_file"):
return
server_id = bleach.clean(server_id)
server_id = nh3.clean(server_id)
if item_path is None or new_item_name is None:
logger.warning("Invalid path(s) in rename_file file ajax call")
@ -450,7 +450,7 @@ class FileHandler(BaseHandler):
f"Server ID not defined in {page_name} file ajax call ({server_id})"
)
return
server_id = bleach.clean(server_id)
server_id = nh3.clean(server_id)
# does this server id exist?
if not self.controller.servers.server_id_exists(server_id):


@ -7,7 +7,7 @@ import json
import logging
import threading
import urllib.parse
import bleach
import nh3
import requests
import tornado.web
import tornado.escape
@ -67,9 +67,7 @@ class PanelHandler(BaseHandler):
) in self.controller.crafty_perms.list_defined_crafty_permissions():
argument = int(
float(
bleach.clean(
self.get_argument(f"permission_{permission.name}", "0")
)
nh3.clean(self.get_argument(f"permission_{permission.name}", "0"))
)
)
if argument:
@ -78,9 +76,7 @@ class PanelHandler(BaseHandler):
)
q_argument = int(
float(
bleach.clean(self.get_argument(f"quantity_{permission.name}", "0"))
)
float(nh3.clean(self.get_argument(f"quantity_{permission.name}", "0")))
)
if q_argument:
server_quantity[permission.name] = q_argument
@ -479,7 +475,7 @@ class PanelHandler(BaseHandler):
template = "panel/dashboard.html"
elif page == "server_detail":
subpage = bleach.clean(self.get_argument("subpage", ""))
subpage = nh3.clean(self.get_argument("subpage", ""))
server_id = self.check_server_id()
if server_id is None:
@ -1284,7 +1280,7 @@ class PanelHandler(BaseHandler):
template = "panel/panel_edit_user_apikeys.html"
elif page == "remove_user":
user_id = bleach.clean(self.get_argument("id", None))
user_id = nh3.clean(self.get_argument("id", None))
if (
not superuser
@ -1416,7 +1412,7 @@ class PanelHandler(BaseHandler):
template = "panel/panel_edit_role.html"
elif page == "remove_role":
role_id = bleach.clean(self.get_argument("id", None))
role_id = nh3.clean(self.get_argument("id", None))
if (
not superuser
@ -1604,7 +1600,7 @@ class PanelHandler(BaseHandler):
backup_path = Helpers.wtol_path(backup_path)
else:
backup_path = server_obj.backup_path
max_backups = bleach.clean(self.get_argument("max_backups", None))
max_backups = nh3.clean(self.get_argument("max_backups", None))
server_obj = self.controller.servers.get_server_obj(server_id)
@ -1665,15 +1661,15 @@ class PanelHandler(BaseHandler):
self.redirect("/panel/config_json")
elif page == "edit_user":
if bleach.clean(self.get_argument("username", None)).lower() == "system":
if nh3.clean(self.get_argument("username", None)).lower() == "system":
self.redirect(
"/panel/error?error=Unauthorized access: "
"system user is not editable"
)
user_id = bleach.clean(self.get_argument("id", None))
user_id = nh3.clean(self.get_argument("id", None))
user = self.controller.users.get_user_by_id(user_id)
username = bleach.clean(self.get_argument("username", None).lower())
theme = bleach.clean(self.get_argument("theme", "default"))
username = nh3.clean(self.get_argument("username", None).lower())
theme = nh3.clean(self.get_argument("theme", "default"))
if (
username != self.controller.users.get_user_by_id(user_id)["username"]
and username in self.controller.users.get_all_usernames()
@ -1681,16 +1677,16 @@ class PanelHandler(BaseHandler):
self.redirect(
"/panel/error?error=Duplicate User: Useranme already exists."
)
password0 = bleach.clean(self.get_argument("password0", None))
password1 = bleach.clean(self.get_argument("password1", None))
email = bleach.clean(self.get_argument("email", "default@example.com"))
password0 = nh3.clean(self.get_argument("password0", None))
password1 = nh3.clean(self.get_argument("password1", None))
email = nh3.clean(self.get_argument("email", "default@example.com"))
enabled = int(float(self.get_argument("enabled", "0")))
try:
hints = int(bleach.clean(self.get_argument("hints")))
hints = int(nh3.clean(self.get_argument("hints")))
hints = True
except:
hints = False
lang = bleach.clean(
lang = nh3.clean(
self.get_argument("language"), self.helper.get_setting("language")
)
@ -1699,7 +1695,7 @@ class PanelHandler(BaseHandler):
# We don't want that. Automatically make them stay super user
# since we know they are.
if str(exec_user["user_id"]) != str(user_id):
superuser = int(bleach.clean(self.get_argument("superuser", "0")))
superuser = int(nh3.clean(self.get_argument("superuser", "0")))
else:
superuser = 1
else:
@ -1877,7 +1873,7 @@ class PanelHandler(BaseHandler):
self.finish()
elif page == "add_user":
username = bleach.clean(self.get_argument("username", None).lower())
username = nh3.clean(self.get_argument("username", None).lower())
if username.lower() == "system":
self.redirect(
"/panel/error?error=Unauthorized access: "
@ -1885,18 +1881,18 @@ class PanelHandler(BaseHandler):
" Please choose a different username."
)
return
password0 = bleach.clean(self.get_argument("password0", None))
password1 = bleach.clean(self.get_argument("password1", None))
email = bleach.clean(self.get_argument("email", "default@example.com"))
password0 = nh3.clean(self.get_argument("password0", None))
password1 = nh3.clean(self.get_argument("password1", None))
email = nh3.clean(self.get_argument("email", "default@example.com"))
enabled = int(float(self.get_argument("enabled", "0")))
theme = bleach.clean(self.get_argument("theme"), "default")
theme = nh3.clean(self.get_argument("theme"), "default")
hints = True
lang = bleach.clean(
lang = nh3.clean(
self.get_argument("lang", self.helper.get_setting("language"))
)
# We don't want a non-super user to be able to create a super user.
if superuser:
new_superuser = int(bleach.clean(self.get_argument("superuser", "0")))
new_superuser = int(nh3.clean(self.get_argument("superuser", "0")))
else:
new_superuser = 0
@ -1971,8 +1967,8 @@ class PanelHandler(BaseHandler):
self.redirect("/panel/panel_config")
elif page == "edit_role":
role_id = bleach.clean(self.get_argument("id", None))
role_name = bleach.clean(self.get_argument("role_name", None))
role_id = nh3.clean(self.get_argument("id", None))
role_name = nh3.clean(self.get_argument("role_name", None))
role = self.controller.roles.get_role(role_id)
@ -2018,7 +2014,7 @@ class PanelHandler(BaseHandler):
self.redirect("/panel/panel_config")
elif page == "add_role":
role_name = bleach.clean(self.get_argument("role_name", None))
role_name = nh3.clean(self.get_argument("role_name", None))
if exec_user["superuser"]:
manager = self.get_argument("manager", None)
if manager == "":
@ -2092,7 +2088,7 @@ class PanelHandler(BaseHandler):
}
if page == "remove_apikey":
key_id = bleach.clean(self.get_argument("id", None))
key_id = nh3.clean(self.get_argument("id", None))
if not superuser:
self.redirect("/panel/error?error=Unauthorized access: not superuser")
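Review bot: In the `edit_user` and `add_user` hunks the fallback value is handed to the sanitizer instead of to `get_argument`: `lang = nh3.clean(self.get_argument("language"), self.helper.get_setting("language"))` and `theme = nh3.clean(self.get_argument("theme"), "default")` pass the default as nh3's second positional parameter (`tags`), which is a tag allowlist rather than a default, while a missing `language` or `theme` argument still fails inside `get_argument` because no default reaches it. The intended form is `lang = nh3.clean(self.get_argument("language", self.helper.get_setting("language")))` and `theme = nh3.clean(self.get_argument("theme", "default"))`, which is how the `add_user` `lang` read a few lines later is already written. The mistake predates this commit (bleach's second parameter is also `tags`), but both lines are rewritten here and this is the natural place to correct them. The enclosing handler method starts outside the hunk.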


@ -1,5 +1,5 @@
import logging
import bleach
import nh3
from app.classes.shared.helpers import Helpers
from app.classes.models.users import HelperUsers
@ -28,8 +28,8 @@ class PublicHandler(BaseHandler):
# self.clear_cookie("user_data")
def get(self, page=None):
error = bleach.clean(self.get_argument("error", "Invalid Login!"))
error_msg = bleach.clean(self.get_argument("error_msg", ""))
error = nh3.clean(self.get_argument("error", "Invalid Login!"))
error_msg = nh3.clean(self.get_argument("error_msg", ""))
page_data = {
"version": self.helper.get_version_string(),
@ -82,8 +82,8 @@ class PublicHandler(BaseHandler):
)
def post(self, page=None):
error = bleach.clean(self.get_argument("error", "Invalid Login!"))
error_msg = bleach.clean(self.get_argument("error_msg", ""))
error = nh3.clean(self.get_argument("error", "Invalid Login!"))
error_msg = nh3.clean(self.get_argument("error_msg", ""))
page_data = {
"version": self.helper.get_version_string(),
@ -100,8 +100,8 @@ class PublicHandler(BaseHandler):
if self.request.query:
next_page = "/login?" + self.request.query
entered_username = bleach.clean(self.get_argument("username"))
entered_password = bleach.clean(self.get_argument("password"))
entered_username = nh3.clean(self.get_argument("username"))
entered_password = nh3.clean(self.get_argument("password"))
# pylint: disable=no-member
try:
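Review bot: `entered_password = nh3.clean(self.get_argument("password"))` passes the submitted password through an HTML sanitizer before it is checked, and the PanelHandler hunks on this page apply the same call to `password0`/`password1` when a user is created or edited, so whatever is stored is derived from the sanitized string. Any password whose sanitized form differs between bleach's defaults and nh3's defaults (text shaped like a disallowed tag, which bleach escaped and nh3 removes) will presumably stop verifying after this upgrade, and the commit carries no note or migration for that. If the credential is only hashed and compared, the sanitizer adds nothing and `entered_password = self.get_argument("password")` with the matching change at registration would be the cleaner contract, though that too changes the derived value for passwords containing `&`, `<` or `>` and should be called out in the changelog either way. `entered_username` is compared against stored names here rather than rendered, so the same consideration applies to it. The enclosing `post` begins in the previous hunk.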


@ -4,7 +4,7 @@ import os
import time
import tornado.web
import tornado.escape
import bleach
import nh3
from app.classes.models.crafty_permissions import EnumPermissionsCrafty
from app.classes.shared.helpers import Helpers
@ -195,8 +195,8 @@ class ServerHandler(BaseHandler):
}
if page == "command":
server_id = bleach.clean(self.get_argument("id", None))
command = bleach.clean(self.get_argument("command", None))
server_id = nh3.clean(self.get_argument("id", None))
command = nh3.clean(self.get_argument("command", None))
if server_id is not None:
if command == "clone_server":
@ -311,24 +311,24 @@ class ServerHandler(BaseHandler):
user_roles = self.controller.roles.get_all_roles()
else:
user_roles = self.get_user_roles()
server = bleach.clean(self.get_argument("server", ""))
server_name = bleach.clean(self.get_argument("server_name", ""))
min_mem = bleach.clean(self.get_argument("min_memory", ""))
max_mem = bleach.clean(self.get_argument("max_memory", ""))
port = bleach.clean(self.get_argument("port", ""))
server = nh3.clean(self.get_argument("server", ""))
server_name = nh3.clean(self.get_argument("server_name", ""))
min_mem = nh3.clean(self.get_argument("min_memory", ""))
max_mem = nh3.clean(self.get_argument("max_memory", ""))
port = nh3.clean(self.get_argument("port", ""))
if int(port) < 1 or int(port) > 65535:
self.redirect(
"/panel/error?error=Constraint Error: "
"Port must be greater than 0 and less than 65535"
)
return
import_type = bleach.clean(self.get_argument("create_type", ""))
import_server_path = bleach.clean(self.get_argument("server_path", ""))
import_server_jar = bleach.clean(self.get_argument("server_jar", ""))
import_type = nh3.clean(self.get_argument("create_type", ""))
import_server_path = nh3.clean(self.get_argument("server_path", ""))
import_server_jar = nh3.clean(self.get_argument("server_jar", ""))
server_parts = server.split("|")
captured_roles = []
for role in user_roles:
if bleach.clean(self.get_argument(str(role), "")) == "on":
if nh3.clean(self.get_argument(str(role), "")) == "on":
captured_roles.append(role)
if not server_name:
@ -372,7 +372,7 @@ class ServerHandler(BaseHandler):
)
elif import_type == "import_zip":
# here import_server_path means the zip path
zip_path = bleach.clean(self.get_argument("root_path"))
zip_path = nh3.clean(self.get_argument("root_path"))
good_path = Helpers.check_path_exists(zip_path)
if not good_path:
self.redirect("/panel/error?error=Temp path not found!")
@ -476,9 +476,9 @@ class ServerHandler(BaseHandler):
user_roles = self.controller.roles.get_all_roles()
else:
user_roles = self.controller.roles.get_all_roles()
server = bleach.clean(self.get_argument("server", ""))
server_name = bleach.clean(self.get_argument("server_name", ""))
port = bleach.clean(self.get_argument("port", ""))
server = nh3.clean(self.get_argument("server", ""))
server_name = nh3.clean(self.get_argument("server_name", ""))
port = nh3.clean(self.get_argument("port", ""))
if not port:
port = 19132
@ -488,13 +488,13 @@ class ServerHandler(BaseHandler):
"Port must be greater than 0 and less than 65535"
)
return
import_type = bleach.clean(self.get_argument("create_type", ""))
import_server_path = bleach.clean(self.get_argument("server_path", ""))
import_server_exe = bleach.clean(self.get_argument("server_jar", ""))
import_type = nh3.clean(self.get_argument("create_type", ""))
import_server_path = nh3.clean(self.get_argument("server_path", ""))
import_server_exe = nh3.clean(self.get_argument("server_jar", ""))
server_parts = server.split("|")
captured_roles = []
for role in user_roles:
if bleach.clean(self.get_argument(str(role), "")) == "on":
if nh3.clean(self.get_argument(str(role), "")) == "on":
captured_roles.append(role)
if not server_name:
@ -536,7 +536,7 @@ class ServerHandler(BaseHandler):
)
elif import_type == "import_zip":
# here import_server_path means the zip path
zip_path = bleach.clean(self.get_argument("root_path"))
zip_path = nh3.clean(self.get_argument("root_path"))
good_path = Helpers.check_path_exists(zip_path)
if not good_path:
self.redirect("/panel/error?error=Temp path not found!")
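Review bot: `port = nh3.clean(self.get_argument("port", ""))` is followed immediately by `int(port)` in the first creation hunk, so a non-numeric or empty submission raises `ValueError` before the existing range check and redirect can run; wrapping the conversion in `try`/`except ValueError` that issues the same `/panel/error` redirect would route that case through the page's normal error path (the second creation hunk only defaults an empty port, so it has the same gap for non-numeric input). As a point of style, the two creation hunks now read the same eight form fields through identical `nh3.clean(self.get_argument(...))` lines and repeat the `for role in user_roles` check verbatim; a small method such as `def _clean_arg(self, name, default=""): return nh3.clean(self.get_argument(name, default))` would remove the duplication and give one place to adjust sanitizer settings later. These lines are inside a handler method that starts outside the hunks.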


@ -1,7 +1,7 @@
apscheduler==3.8.1
argon2-cffi==21.3
bleach==4.1
nh3==0.2.14
cached_property==1.5.2
colorama==0.4
croniter==1.3.5