From 81d63575962b231235071c3e55dc64b8701a9f09 Mon Sep 17 00:00:00 2001 From: Iain Powrie Date: Mon, 4 Sep 2023 23:13:13 +0000 Subject: [PATCH] Revert "Merge branch 'refractor/remove-bleach' into 'dev'" This reverts merge request !616 --- app/classes/web/ajax_handler.py | 18 +++++----- app/classes/web/base_handler.py | 4 +-- app/classes/web/file_handler.py | 22 ++++++------ app/classes/web/panel_handler.py | 60 ++++++++++++++++--------------- app/classes/web/public_handler.py | 14 ++++---- app/classes/web/server_handler.py | 42 +++++++++++----------- requirements.txt | 2 +- 7 files changed, 83 insertions(+), 79 deletions(-) diff --git a/app/classes/web/ajax_handler.py b/app/classes/web/ajax_handler.py index df2d701d..efe8d2fa 100644 --- a/app/classes/web/ajax_handler.py +++ b/app/classes/web/ajax_handler.py @@ -5,7 +5,7 @@ import re import logging import time import urllib.parse -import nh3 +import bleach import tornado.web import tornado.escape @@ -29,7 +29,7 @@ class AjaxHandler(BaseHandler): @tornado.web.authenticated def get(self, page): _, _, exec_user = self.current_user - error = nh3.clean(self.get_argument("error", "WTF Error!")) + error = bleach.clean(self.get_argument("error", "WTF Error!")) template = "panel/denied.html" @@ -48,7 +48,7 @@ class AjaxHandler(BaseHandler): self.redirect("/panel/error?error=Server ID Not Found") return - server_id = nh3.clean(server_id) + server_id = bleach.clean(server_id) server_data = self.controller.servers.get_server_data_by_id(server_id) if not server_data: @@ -246,7 +246,7 @@ class AjaxHandler(BaseHandler): if not self.check_server_id(server_id, "get_tree"): return - server_id = nh3.clean(server_id) + server_id = bleach.clean(server_id) if Helpers.validate_traversal( self.controller.servers.get_server_data_by_id(server_id)["path"], path @@ -327,7 +327,7 @@ class AjaxHandler(BaseHandler): elif page == "send_order": self.controller.users.update_server_order( - exec_user["user_id"], nh3.clean(self.get_argument("order")) + exec_user["user_id"], bleach.clean(self.get_argument("order")) ) return @@ -392,8 +392,8 @@ class AjaxHandler(BaseHandler): if not superuser: self.redirect("/panel/error?error=Unauthorized access to Backups") return - server_id = nh3.clean(self.get_argument("id", None)) - zip_name = nh3.clean(self.get_argument("zip_file", None)) + server_id = bleach.clean(self.get_argument("id", None)) + zip_name = bleach.clean(self.get_argument("zip_file", None)) svr_obj = self.controller.servers.get_server_obj(server_id) server_data = self.controller.servers.get_server_data_by_id(server_id) @@ -652,7 +652,7 @@ class AjaxHandler(BaseHandler): if not self.check_server_id(server_id, "del_backup"): return - server_id = nh3.clean(server_id) + server_id = bleach.clean(server_id) server_info = self.controller.servers.get_server_data_by_id(server_id) if not ( @@ -684,7 +684,7 @@ class AjaxHandler(BaseHandler): f"Server ID not defined in {page_name} ajax call ({server_id})" ) return - server_id = nh3.clean(server_id) + server_id = bleach.clean(server_id) # does this server id exist? if not self.controller.servers.server_id_exists(server_id): diff --git a/app/classes/web/base_handler.py b/app/classes/web/base_handler.py index 11a62ff8..e772d633 100644 --- a/app/classes/web/base_handler.py +++ b/app/classes/web/base_handler.py @@ -2,7 +2,7 @@ import logging import re import typing as t import orjson -import nh3 +import bleach import tornado.web from app.classes.models.crafty_permissions import EnumPermissionsCrafty @@ -93,7 +93,7 @@ class BaseHandler(tornado.web.RequestHandler): if type(text) in self.nobleach: logger.debug("Auto-bleaching - bypass type") return text - return nh3.clean(text) + return bleach.clean(text) def get_argument( self, diff --git a/app/classes/web/file_handler.py b/app/classes/web/file_handler.py index f3c05151..e2d07476 100644 --- a/app/classes/web/file_handler.py +++ b/app/classes/web/file_handler.py @@ -1,6 +1,6 @@ import os import logging -import nh3 +import bleach import tornado.web import tornado.escape @@ -55,7 +55,7 @@ class FileHandler(BaseHandler): if not self.check_server_id(server_id, "get_file"): return - server_id = nh3.clean(server_id) + server_id = bleach.clean(server_id) if not self.helper.is_subdir( file_path, @@ -92,7 +92,7 @@ class FileHandler(BaseHandler): if not self.check_server_id(server_id, "get_tree"): return - server_id = nh3.clean(server_id) + server_id = bleach.clean(server_id) if Helpers.validate_traversal( self.controller.servers.get_server_data_by_id(server_id)["path"], path @@ -113,7 +113,7 @@ class FileHandler(BaseHandler): if not self.check_server_id(server_id, "get_tree"): return - server_id = nh3.clean(server_id) + server_id = bleach.clean(server_id) if Helpers.validate_traversal( self.controller.servers.get_server_data_by_id(server_id)["path"], path @@ -161,7 +161,7 @@ class FileHandler(BaseHandler): if not self.check_server_id(server_id, "create_file"): return - server_id = nh3.clean(server_id) + server_id = bleach.clean(server_id) if not self.helper.is_subdir( file_path, @@ -194,7 +194,7 @@ class FileHandler(BaseHandler): if not self.check_server_id(server_id, "create_dir"): return - server_id = nh3.clean(server_id) + server_id = bleach.clean(server_id) if not self.helper.is_subdir( dir_path, @@ -259,7 +259,7 @@ class FileHandler(BaseHandler): if not self.check_server_id(server_id, "del_file"): return - server_id = nh3.clean(server_id) + server_id = bleach.clean(server_id) server_info = self.controller.servers.get_server_data_by_id(server_id) if not ( @@ -293,7 +293,7 @@ class FileHandler(BaseHandler): if not self.check_server_id(server_id, "del_dir"): return - server_id = nh3.clean(server_id) + server_id = bleach.clean(server_id) server_info = self.controller.servers.get_server_data_by_id(server_id) if not self.helper.is_subdir( @@ -346,7 +346,7 @@ class FileHandler(BaseHandler): if not self.check_server_id(server_id, "save_file"): return - server_id = nh3.clean(server_id) + server_id = bleach.clean(server_id) if not self.helper.is_subdir( file_path, @@ -401,7 +401,7 @@ class FileHandler(BaseHandler): if not self.check_server_id(server_id, "rename_file"): return - server_id = nh3.clean(server_id) + server_id = bleach.clean(server_id) if item_path is None or new_item_name is None: logger.warning("Invalid path(s) in rename_file file ajax call") @@ -450,7 +450,7 @@ class FileHandler(BaseHandler): f"Server ID not defined in {page_name} file ajax call ({server_id})" ) return - server_id = nh3.clean(server_id) + server_id = bleach.clean(server_id) # does this server id exist? if not self.controller.servers.server_id_exists(server_id): diff --git a/app/classes/web/panel_handler.py b/app/classes/web/panel_handler.py index 0dc3c586..20c76c1a 100644 --- a/app/classes/web/panel_handler.py +++ b/app/classes/web/panel_handler.py @@ -7,7 +7,7 @@ import json import logging import threading import urllib.parse -import nh3 +import bleach import requests import tornado.web import tornado.escape @@ -67,7 +67,9 @@ class PanelHandler(BaseHandler): ) in self.controller.crafty_perms.list_defined_crafty_permissions(): argument = int( float( - nh3.clean(self.get_argument(f"permission_{permission.name}", "0")) + bleach.clean( + self.get_argument(f"permission_{permission.name}", "0") + ) ) ) if argument: @@ -76,7 +78,9 @@ class PanelHandler(BaseHandler): ) q_argument = int( - float(nh3.clean(self.get_argument(f"quantity_{permission.name}", "0"))) + float( + bleach.clean(self.get_argument(f"quantity_{permission.name}", "0")) + ) ) if q_argument: server_quantity[permission.name] = q_argument @@ -475,7 +479,7 @@ class PanelHandler(BaseHandler): template = "panel/dashboard.html" elif page == "server_detail": - subpage = nh3.clean(self.get_argument("subpage", "")) + subpage = bleach.clean(self.get_argument("subpage", "")) server_id = self.check_server_id() if server_id is None: @@ -1280,7 +1284,7 @@ class PanelHandler(BaseHandler): template = "panel/panel_edit_user_apikeys.html" elif page == "remove_user": - user_id = nh3.clean(self.get_argument("id", None)) + user_id = bleach.clean(self.get_argument("id", None)) if ( not superuser @@ -1412,7 +1416,7 @@ class PanelHandler(BaseHandler): template = "panel/panel_edit_role.html" elif page == "remove_role": - role_id = nh3.clean(self.get_argument("id", None)) + role_id = bleach.clean(self.get_argument("id", None)) if ( not superuser @@ -1600,7 +1604,7 @@ class PanelHandler(BaseHandler): backup_path = Helpers.wtol_path(backup_path) else: backup_path = server_obj.backup_path - max_backups = nh3.clean(self.get_argument("max_backups", None)) + max_backups = bleach.clean(self.get_argument("max_backups", None)) server_obj = self.controller.servers.get_server_obj(server_id) @@ -1661,15 +1665,15 @@ class PanelHandler(BaseHandler): self.redirect("/panel/config_json") elif page == "edit_user": - if nh3.clean(self.get_argument("username", None)).lower() == "system": + if bleach.clean(self.get_argument("username", None)).lower() == "system": self.redirect( "/panel/error?error=Unauthorized access: " "system user is not editable" ) - user_id = nh3.clean(self.get_argument("id", None)) + user_id = bleach.clean(self.get_argument("id", None)) user = self.controller.users.get_user_by_id(user_id) - username = nh3.clean(self.get_argument("username", None).lower()) - theme = nh3.clean(self.get_argument("theme", "default")) + username = bleach.clean(self.get_argument("username", None).lower()) + theme = bleach.clean(self.get_argument("theme", "default")) if ( username != self.controller.users.get_user_by_id(user_id)["username"] and username in self.controller.users.get_all_usernames() @@ -1677,16 +1681,16 @@ class PanelHandler(BaseHandler): self.redirect( "/panel/error?error=Duplicate User: Useranme already exists." ) - password0 = nh3.clean(self.get_argument("password0", None)) - password1 = nh3.clean(self.get_argument("password1", None)) - email = nh3.clean(self.get_argument("email", "default@example.com")) + password0 = bleach.clean(self.get_argument("password0", None)) + password1 = bleach.clean(self.get_argument("password1", None)) + email = bleach.clean(self.get_argument("email", "default@example.com")) enabled = int(float(self.get_argument("enabled", "0"))) try: - hints = int(nh3.clean(self.get_argument("hints"))) + hints = int(bleach.clean(self.get_argument("hints"))) hints = True except: hints = False - lang = nh3.clean( + lang = bleach.clean( self.get_argument("language"), self.helper.get_setting("language") ) @@ -1695,7 +1699,7 @@ class PanelHandler(BaseHandler): # We don't want that. Automatically make them stay super user # since we know they are. if str(exec_user["user_id"]) != str(user_id): - superuser = int(nh3.clean(self.get_argument("superuser", "0"))) + superuser = int(bleach.clean(self.get_argument("superuser", "0"))) else: superuser = 1 else: @@ -1873,7 +1877,7 @@ class PanelHandler(BaseHandler): self.finish() elif page == "add_user": - username = nh3.clean(self.get_argument("username", None).lower()) + username = bleach.clean(self.get_argument("username", None).lower()) if username.lower() == "system": self.redirect( "/panel/error?error=Unauthorized access: " @@ -1881,18 +1885,18 @@ class PanelHandler(BaseHandler): " Please choose a different username." ) return - password0 = nh3.clean(self.get_argument("password0", None)) - password1 = nh3.clean(self.get_argument("password1", None)) - email = nh3.clean(self.get_argument("email", "default@example.com")) + password0 = bleach.clean(self.get_argument("password0", None)) + password1 = bleach.clean(self.get_argument("password1", None)) + email = bleach.clean(self.get_argument("email", "default@example.com")) enabled = int(float(self.get_argument("enabled", "0"))) - theme = nh3.clean(self.get_argument("theme"), "default") + theme = bleach.clean(self.get_argument("theme"), "default") hints = True - lang = nh3.clean( + lang = bleach.clean( self.get_argument("lang", self.helper.get_setting("language")) ) # We don't want a non-super user to be able to create a super user. if superuser: - new_superuser = int(nh3.clean(self.get_argument("superuser", "0"))) + new_superuser = int(bleach.clean(self.get_argument("superuser", "0"))) else: new_superuser = 0 @@ -1967,8 +1971,8 @@ class PanelHandler(BaseHandler): self.redirect("/panel/panel_config") elif page == "edit_role": - role_id = nh3.clean(self.get_argument("id", None)) - role_name = nh3.clean(self.get_argument("role_name", None)) + role_id = bleach.clean(self.get_argument("id", None)) + role_name = bleach.clean(self.get_argument("role_name", None)) role = self.controller.roles.get_role(role_id) @@ -2014,7 +2018,7 @@ class PanelHandler(BaseHandler): self.redirect("/panel/panel_config") elif page == "add_role": - role_name = nh3.clean(self.get_argument("role_name", None)) + role_name = bleach.clean(self.get_argument("role_name", None)) if exec_user["superuser"]: manager = self.get_argument("manager", None) if manager == "": @@ -2088,7 +2092,7 @@ class PanelHandler(BaseHandler): } if page == "remove_apikey": - key_id = nh3.clean(self.get_argument("id", None)) + key_id = bleach.clean(self.get_argument("id", None)) if not superuser: self.redirect("/panel/error?error=Unauthorized access: not superuser") diff --git a/app/classes/web/public_handler.py b/app/classes/web/public_handler.py index b7d1be9b..76c6a8be 100644 --- a/app/classes/web/public_handler.py +++ b/app/classes/web/public_handler.py @@ -1,5 +1,5 @@ import logging -import nh3 +import bleach from app.classes.shared.helpers import Helpers from app.classes.models.users import HelperUsers @@ -28,8 +28,8 @@ class PublicHandler(BaseHandler): # self.clear_cookie("user_data") def get(self, page=None): - error = nh3.clean(self.get_argument("error", "Invalid Login!")) - error_msg = nh3.clean(self.get_argument("error_msg", "")) + error = bleach.clean(self.get_argument("error", "Invalid Login!")) + error_msg = bleach.clean(self.get_argument("error_msg", "")) page_data = { "version": self.helper.get_version_string(), @@ -82,8 +82,8 @@ class PublicHandler(BaseHandler): ) def post(self, page=None): - error = nh3.clean(self.get_argument("error", "Invalid Login!")) - error_msg = nh3.clean(self.get_argument("error_msg", "")) + error = bleach.clean(self.get_argument("error", "Invalid Login!")) + error_msg = bleach.clean(self.get_argument("error_msg", "")) page_data = { "version": self.helper.get_version_string(), @@ -100,8 +100,8 @@ class PublicHandler(BaseHandler): if self.request.query: next_page = "/login?" + self.request.query - entered_username = nh3.clean(self.get_argument("username")) - entered_password = nh3.clean(self.get_argument("password")) + entered_username = bleach.clean(self.get_argument("username")) + entered_password = bleach.clean(self.get_argument("password")) # pylint: disable=no-member try: diff --git a/app/classes/web/server_handler.py b/app/classes/web/server_handler.py index 42cb8ce5..eae3ce0c 100644 --- a/app/classes/web/server_handler.py +++ b/app/classes/web/server_handler.py @@ -4,7 +4,7 @@ import os import time import tornado.web import tornado.escape -import nh3 +import bleach from app.classes.models.crafty_permissions import EnumPermissionsCrafty from app.classes.shared.helpers import Helpers @@ -195,8 +195,8 @@ class ServerHandler(BaseHandler): } if page == "command": - server_id = nh3.clean(self.get_argument("id", None)) - command = nh3.clean(self.get_argument("command", None)) + server_id = bleach.clean(self.get_argument("id", None)) + command = bleach.clean(self.get_argument("command", None)) if server_id is not None: if command == "clone_server": @@ -311,24 +311,24 @@ class ServerHandler(BaseHandler): user_roles = self.controller.roles.get_all_roles() else: user_roles = self.get_user_roles() - server = nh3.clean(self.get_argument("server", "")) - server_name = nh3.clean(self.get_argument("server_name", "")) - min_mem = nh3.clean(self.get_argument("min_memory", "")) - max_mem = nh3.clean(self.get_argument("max_memory", "")) - port = nh3.clean(self.get_argument("port", "")) + server = bleach.clean(self.get_argument("server", "")) + server_name = bleach.clean(self.get_argument("server_name", "")) + min_mem = bleach.clean(self.get_argument("min_memory", "")) + max_mem = bleach.clean(self.get_argument("max_memory", "")) + port = bleach.clean(self.get_argument("port", "")) if int(port) < 1 or int(port) > 65535: self.redirect( "/panel/error?error=Constraint Error: " "Port must be greater than 0 and less than 65535" ) return - import_type = nh3.clean(self.get_argument("create_type", "")) - import_server_path = nh3.clean(self.get_argument("server_path", "")) - import_server_jar = nh3.clean(self.get_argument("server_jar", "")) + import_type = bleach.clean(self.get_argument("create_type", "")) + import_server_path = bleach.clean(self.get_argument("server_path", "")) + import_server_jar = bleach.clean(self.get_argument("server_jar", "")) server_parts = server.split("|") captured_roles = [] for role in user_roles: - if nh3.clean(self.get_argument(str(role), "")) == "on": + if bleach.clean(self.get_argument(str(role), "")) == "on": captured_roles.append(role) if not server_name: @@ -372,7 +372,7 @@ class ServerHandler(BaseHandler): ) elif import_type == "import_zip": # here import_server_path means the zip path - zip_path = nh3.clean(self.get_argument("root_path")) + zip_path = bleach.clean(self.get_argument("root_path")) good_path = Helpers.check_path_exists(zip_path) if not good_path: self.redirect("/panel/error?error=Temp path not found!") @@ -476,9 +476,9 @@ class ServerHandler(BaseHandler): user_roles = self.controller.roles.get_all_roles() else: user_roles = self.controller.roles.get_all_roles() - server = nh3.clean(self.get_argument("server", "")) - server_name = nh3.clean(self.get_argument("server_name", "")) - port = nh3.clean(self.get_argument("port", "")) + server = bleach.clean(self.get_argument("server", "")) + server_name = bleach.clean(self.get_argument("server_name", "")) + port = bleach.clean(self.get_argument("port", "")) if not port: port = 19132 @@ -488,13 +488,13 @@ class ServerHandler(BaseHandler): "Port must be greater than 0 and less than 65535" ) return - import_type = nh3.clean(self.get_argument("create_type", "")) - import_server_path = nh3.clean(self.get_argument("server_path", "")) - import_server_exe = nh3.clean(self.get_argument("server_jar", "")) + import_type = bleach.clean(self.get_argument("create_type", "")) + import_server_path = bleach.clean(self.get_argument("server_path", "")) + import_server_exe = bleach.clean(self.get_argument("server_jar", "")) server_parts = server.split("|") captured_roles = [] for role in user_roles: - if nh3.clean(self.get_argument(str(role), "")) == "on": + if bleach.clean(self.get_argument(str(role), "")) == "on": captured_roles.append(role) if not server_name: @@ -536,7 +536,7 @@ class ServerHandler(BaseHandler): ) elif import_type == "import_zip": # here import_server_path means the zip path - zip_path = nh3.clean(self.get_argument("root_path")) + zip_path = bleach.clean(self.get_argument("root_path")) good_path = Helpers.check_path_exists(zip_path) if not good_path: self.redirect("/panel/error?error=Temp path not found!") diff --git a/requirements.txt b/requirements.txt index df3360a0..98e095f1 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,7 +1,7 @@ apscheduler==3.8.1 argon2-cffi==21.3 -nh3==0.2.14 +bleach==4.1 cached_property==1.5.2 colorama==0.4 croniter==1.3.5