Sanitize server response to UI code, using cgi.escape

Jinja is already doing most of sanitization, but since % raw syntax is used at few places, this sanitization still helps with preventing XSS attack. `
SpriteLink · Mar 29, 2017 · 412a191 · 412a191
1 parent 3c2f69f
commit 412a191
Showing 1 changed file with 45 additions and 21 deletions.
diff --git a/nipap-www/nipapwww/controllers/xhr.py b/nipap-www/nipapwww/controllers/xhr.py
@@ -13,6 +13,31 @@
 
 log = logging.getLogger(__name__)
 
+import cgi
+
+def html_sanitize(value):
+    if isinstance(value, dict):
+        value = {html_sanitize(k):html_sanitize(v) for k, v in value.iteritems()}
+    elif isinstance(value, list):
+        value = [html_sanitize(v) for v in value]
+    elif isinstance(value, tuple):
+        value = tuple(html_sanitize(v) for v in value)
+    elif isinstance(value, basestring):
+        value = cgi.escape(value, quote=True)
+    return value
+
+def html_sanitize_json(value):
+    '''
+        Read object, escape all dangerous values and return as json
+    '''
+    #First generate json, using nipap encoding library
+    # We can't sanitize passed value since html_sanitize works on primitive values
+    # while NipapJSONEncoder knows how to decode complex object
+    value_as_json = json.dumps(value, cls=NipapJSONEncoder)
+    # Read back to dictionary, and html sanitize
+    sanitized_value = html_sanitize(json.loads(value_as_json))
+
+    return json.dumps(sanitized_value)
 
 
 def validate_string(req, key):
@@ -85,7 +110,7 @@ def list_vrf(self):
         except NipapError, e:
             return json.dumps({'error': 1, 'message': e.args, 'type': type(e).__name__})
 
-        return json.dumps(vrfs, cls=NipapJSONEncoder)
+        return html_sanitize_json(vrfs)
 
 
 
@@ -129,7 +154,7 @@ def smart_search_vrf(self):
         except NipapError, e:
             return json.dumps({'error': 1, 'message': e.args, 'type': type(e).__name__})
 
-        return json.dumps(result, cls=NipapJSONEncoder)
+        return html_sanitize_json(result)
 
 
 
@@ -154,7 +179,7 @@ def add_vrf(self):
         except NipapError, e:
             return json.dumps({'error': 1, 'message': e.args, 'type': type(e).__name__})
 
-        return json.dumps(v, cls=NipapJSONEncoder)
+        return html_sanitize_json(v)
 
 
 
@@ -183,7 +208,7 @@ def edit_vrf(self, id):
         except NipapError, e:
             return json.dumps({'error': 1, 'message': e.args, 'type': type(e).__name__})
 
-        return json.dumps(v, cls=NipapJSONEncoder)
+        return html_sanitize_json(v)
 
 
 
@@ -198,7 +223,7 @@ def remove_vrf(self, id):
         except NipapError, e:
             return json.dumps({'error': 1, 'message': e.args, 'type': type(e).__name__})
 
-        return json.dumps(vrf, cls=NipapJSONEncoder)
+        return html_sanitize_json(vrf)
 
 
 
@@ -214,7 +239,7 @@ def list_pool(self):
         except NipapError, e:
             return json.dumps({'error': 1, 'message': e.args, 'type': type(e).__name__})
 
-        return json.dumps(pools, cls=NipapJSONEncoder)
+        return html_sanitize_json(pools)
 
 
 
@@ -249,7 +274,7 @@ def smart_search_pool(self):
         except NipapError, e:
             return json.dumps({'error': 1, 'message': e.args, 'type': type(e).__name__})
 
-        return json.dumps(result, cls=NipapJSONEncoder)
+        return html_sanitize_json(result)
 
 
 
@@ -280,7 +305,7 @@ def add_pool(self):
         except NipapError, e:
             return json.dumps({'error': 1, 'message': e.args, 'type': type(e).__name__})
 
-        return json.dumps(p, cls=NipapJSONEncoder)
+        return html_sanitize_json(p)
 
 
 
@@ -311,7 +336,7 @@ def edit_pool(self, id):
         except NipapError, e:
             return json.dumps({'error': 1, 'message': e.args, 'type': type(e).__name__})
 
-        return json.dumps(p, cls=NipapJSONEncoder)
+        return html_sanitize_json(p)
 
 
 
@@ -326,7 +351,7 @@ def remove_pool(self, id):
         except NipapError, e:
             return json.dumps({'error': 1, 'message': e.args, 'type': type(e).__name__})
 
-        return json.dumps(pool, cls=NipapJSONEncoder)
+        return html_sanitize_json(pool)
 
 
 
@@ -342,7 +367,7 @@ def list_prefix(self):
         except NipapError, e:
             return json.dumps({'error': 1, 'message': e.args, 'type': type(e).__name__})
 
-        return json.dumps(prefixes, cls=NipapJSONEncoder)
+        return html_sanitize_json(prefixes)
 
 
 
@@ -407,7 +432,7 @@ def search_prefix(self):
         except NipapError, e:
             return json.dumps({'error': 1, 'message': e.args, 'type': type(e).__name__})
 
-        return json.dumps(result, cls=NipapJSONEncoder)
+        return html_sanitize_json(result)
 
 
 
@@ -515,7 +540,7 @@ def smart_search_prefix(self):
         except NipapError, e:
             return json.dumps({'error': 1, 'message': e.args, 'type': type(e).__name__})
 
-        return json.dumps(result, cls=NipapJSONEncoder)
+        return html_sanitize_json(result)
 
 
 
@@ -622,8 +647,7 @@ def add_prefix(self):
         except NipapError, e:
             return json.dumps({'error': 1, 'message': e.args, 'type': type(e).__name__})
 
-        return json.dumps(p, cls=NipapJSONEncoder)
-
+        return html_sanitize_json(p)
 
 
     def edit_prefix(self, id):
@@ -693,7 +717,7 @@ def edit_prefix(self, id):
         except NipapError, e:
             return json.dumps({'error': 1, 'message': e.args, 'type': type(e).__name__})
 
-        return json.dumps(p, cls=NipapJSONEncoder)
+        return html_sanitize_json(p)
 
 
 
@@ -708,7 +732,7 @@ def remove_prefix(self, id):
         except NipapError, e:
             return json.dumps({'error': 1, 'message': e.args, 'type': type(e).__name__})
 
-        return json.dumps(p, cls=NipapJSONEncoder)
+        return html_sanitize_json(p)
 
 
 
@@ -730,7 +754,7 @@ def add_current_vrf(self):
                     'name': vrf.name, 'description': vrf.description }
             session.save()
 
-        return json.dumps(session.get('current_vrfs', {}))
+        return html_sanitize_json(session.get('current_vrfs', {}))
 
 
     def del_current_vrf(self):
@@ -743,7 +767,7 @@ def del_current_vrf(self):
 
             session.save()
 
-        return json.dumps(session.get('current_vrfs', {}))
+        return html_sanitize_json(session.get('current_vrfs', {}))
 
 
     def get_current_vrfs(self):
@@ -783,7 +807,7 @@ def get_current_vrfs(self):
 
             session.save()
 
-        return json.dumps(session.get('current_vrfs', {}))
+        return html_sanitize_json(session.get('current_vrfs', {}))
 
 
     def list_tags(self):
@@ -795,7 +819,7 @@ def list_tags(self):
         except NipapError, e:
             return json.dumps({'error': 1, 'message': e.args, 'type': type(e).__name__})
 
-        return json.dumps(tags, cls=NipapJSONEncoder)
+        return html_sanitize_json(tags)