From c0f000b1d1ce03733460805dbbedde445fe2c762 Mon Sep 17 00:00:00 2001
From: dgtlmoon
Date: Thu, 2 May 2024 11:46:31 +0200
Subject: [PATCH] Merge pull request from GHSA-pwgc-w4x9-gw67
* Auto-escape was not enabled GHSA-pwgc-w4x9-gw67
* Auto-escape was not enabled because the filenames were not something jinja2 enables it for.
---
 .../blueprint/tags/templates/edit-tag.html | 4 +--
 .../tags/templates/groups-overview.html | 2 +-
 changedetectionio/templates/IMPORTANT.md | 6 +++++
 ...ommon_fields.jinja => _common_fields.html} | 2 +-
 .../{_helpers.jinja => _helpers.html} | 0
 changedetectionio/templates/diff.html | 2 +-
 changedetectionio/templates/edit.html | 4 +--
 changedetectionio/templates/import.html | 2 +-
 changedetectionio/templates/settings.html | 4 +--
 .../templates/watch-overview.html | 2 +-
 changedetectionio/tests/test_security.py | 27 +++++++++++++++++--
 11 files changed, 42 insertions(+), 13 deletions(-)
 create mode 100644 changedetectionio/templates/IMPORTANT.md
 rename changedetectionio/templates/{_common_fields.jinja => _common_fields.html} (99%)
 rename changedetectionio/templates/{_helpers.jinja => _helpers.html} (100%)
diff --git a/changedetectionio/blueprint/tags/templates/edit-tag.html b/changedetectionio/blueprint/tags/templates/edit-tag.html
index 7c3bf42b..1d297c81 100644
--- a/changedetectionio/blueprint/tags/templates/edit-tag.html
+++ b/changedetectionio/blueprint/tags/templates/edit-tag.html
@@ -1,7 +1,7 @@
 {% extends 'base.html' %}
 {% block content %}
-{% from '_helpers.jinja' import render_field, render_checkbox_field, render_button %}
-{% from '_common_fields.jinja' import render_common_settings_form %}
+{% from '_helpers.html' import render_field, render_checkbox_field, render_button %}
+{% from '_common_fields.html' import render_common_settings_form %}
diff --git a/changedetectionio/blueprint/tags/templates/groups-overview.html b/changedetectionio/blueprint/tags/templates/groups-overview.html
index 23eca0a6..30ddfe18 100644
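Review bot: The fix leans entirely on Jinja's filename-based autoescape heuristic, so any future helper saved under a name such as `_foo.jinja` or `.txt` and pulled in with `{% from %}` will silently emit unescaped output again, because autoescaping is decided per template file at compile time and an imported macro keeps the setting of the file it was defined in, not of the caller. A more durable companion to the rename is to turn autoescaping on unconditionally for the app, e.g. `app.jinja_env.autoescape = True` (or override `select_jinja_autoescape` to always return True) before any template is loaded, so the extension no longer matters; that is one line outside this hunk. The same rename appears in the groups-overview.html, _common_fields.html, diff.html and settings.html hunks below, and presumably in the edit.html, import.html and watch-overview.html sections listed in the diffstat but not shown on this page. It is also worth confirming that none of the macros in `_helpers.html` apply `|safe` or `Markup` to user-controlled values, since that would bypass autoescaping regardless of the filename.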
--- a/changedetectionio/blueprint/tags/templates/groups-overview.html
+++ b/changedetectionio/blueprint/tags/templates/groups-overview.html
@@ -1,6 +1,6 @@
 {% extends 'base.html' %}
 {% block content %}
-{% from '_helpers.jinja' import render_simple_field, render_field %}
+{% from '_helpers.html' import render_simple_field, render_field %}
diff --git a/changedetectionio/templates/IMPORTANT.md b/changedetectionio/templates/IMPORTANT.md
new file mode 100644
index 00000000..4b769264
--- /dev/null
+++ b/changedetectionio/templates/IMPORTANT.md
@@ -0,0 +1,6 @@
+# Important notes about templates
+
+Template names should always end in ".html", ".htm", ".xml", ".xhtml", ".svg", even the `import`'ed templates.
+
+Jinja2's `def select_jinja_autoescape(self, filename: str) -> bool:` will check the filename extension and enable autoescaping
+
diff --git a/changedetectionio/templates/_common_fields.jinja b/changedetectionio/templates/_common_fields.html
similarity index 99%
rename from changedetectionio/templates/_common_fields.jinja
rename to changedetectionio/templates/_common_fields.html
index 8b44ebbd..932f3fb7 100644
--- a/changedetectionio/templates/_common_fields.jinja
+++ b/changedetectionio/templates/_common_fields.html
@@ -1,5 +1,5 @@
-{% from '_helpers.jinja' import render_field %}
+{% from '_helpers.html' import render_field %}
 {% macro render_common_settings_form(form, emailprefix, settings_application) %}
diff --git a/changedetectionio/templates/_helpers.jinja b/changedetectionio/templates/_helpers.html
similarity index 100%
rename from changedetectionio/templates/_helpers.jinja
rename to changedetectionio/templates/_helpers.html
diff --git a/changedetectionio/templates/diff.html b/changedetectionio/templates/diff.html
index 0197bfc9..c82a559e 100644
--- a/changedetectionio/templates/diff.html
+++ b/changedetectionio/templates/diff.html
@@ -1,5 +1,5 @@
 {% extends 'base.html' %}
-{% from '_helpers.jinja' import render_field, render_checkbox_field, render_button %}
+{% from '_helpers.html' import render_field, render_checkbox_field, render_button %}
 {% block content %}
diff --git a/changedetectionio/templates/settings.html b/changedetectionio/templates/settings.html
index 16030a2f..78387a48 100644
--- a/changedetectionio/templates/settings.html
+++ b/changedetectionio/templates/settings.html
@@ -1,8 +1,8 @@
 {% extends 'base.html' %}
 {% block content %}
-{% from '_helpers.jinja' import render_field, render_checkbox_field, render_button %}
-{% from '_common_fields.jinja' import render_common_settings_form %}
+{% from '_helpers.html' import render_field, render_checkbox_field, render_button %}
+{% from '_common_fields.html' import render_common_settings_form %}
diff --git a/changedetectionio/tests/test_security.py b/changedetectionio/tests/test_security.py
index 406a5401..c56c84492 100644
--- a/changedetectionio/tests/test_security.py
+++ b/changedetectionio/tests/test_security.py
@@ -2,9 +2,11 @@ from flask import url_for
 from .util import set_original_response, set_modified_response, live_server_setup, wait_for_all_checks
 import time
+def test_setup(client, live_server):
+ live_server_setup(live_server)
 def test_bad_access(client, live_server):
- live_server_setup(live_server)
+ #live_server_setup(live_server)
 res = client.post(
 url_for("import_page"),
 data={"urls": 'https://localhost'},
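Review bot: `test_bad_access` now depends on `test_setup` having run earlier in the same module, and the only trace of that dependency is the commented-out `#live_server_setup(live_server)` left in its body, so anything that reorders or selects tests (`-k`, `pytest-randomly`, running one test on its own) will hit an unconfigured server. If a module-level `test_setup` is the convention the project's other test modules already follow, keep it but delete the commented-out call and say why it is gone, e.g. `# server is configured once by test_setup at the top of this module`. Otherwise a module-scoped autouse fixture states the dependency explicitly and survives reordering: `@pytest.fixture(scope="module", autouse=True)` / `def _server(live_server):` / `    live_server_setup(live_server)`, which also needs `import pytest` at the top of the file. The `test_xss` hunk below carries the same commented-out line and is cut off at the end of this page, so its assertion could not be reviewed.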
@@ -63,4 +65,25 @@ def test_bad_access(client, live_server):
 wait_for_all_checks(client)
 res = client.get(url_for("index"))
- assert b'file:// type access is denied for security reasons.' in res.data
\ No newline at end of file
+ assert b'file:// type access is denied for security reasons.' in res.data
+
+def test_xss(client, live_server):
+ #live_server_setup(live_server)
+ from changedetectionio.notification import (
+ default_notification_format
+ )
+ # the template helpers were named .jinja which meant they were not having jinja2 autoescape enabled.
+ res = client.post(
+ url_for("settings_page"),
+ data={"application-notification_urls": '">',
+ "application-notification_title": '">',
+ "application-notification_body": '">',
+ "application-notification_format": default_notification_format,
+ "requests-time_between_check-minutes": 180,
+ 'application-fetch_backend': "html_requests"},
+ follow_redirects=True
+ )
+
+ assert b"