String sanitation for forms and serializers

[oliverroick]

Proposed changes in this pull request

• Fixes Input fields should be sanitized to exclude code #1157: Reject all strings that either contain HTML or start with +, -, + or @ to prevent injection of potentially malicious macros.
• Fixes Critical: Emojis should not be valid Org or Project names #1224: Reject all strings that contain emojis.

Detailed discussion of added features

• Adds function sanitize_string to core.validators which is used throughout all forms and serializers to verify if a string will be accepted or not. The function uses the library beautifulsoup to identify HTML code, and two regular expressions to identify emojis and starting +, -, + or @. The function returns False if the provided string matches any of the regular expressions or contains HTML.
• Adds sanitize.js to cadasta/core/static/js, which introduces a new Parsley validator to sanitise fields on the client-side.
• Adds the template filter set_parsley_sanitize to core.templatetags.filters, which adds the attribute data-parsley-sanitize to all form fields where the filter is applied. The additional attribute indicates to Parsley that this field should be validated using the validator added through sanitize.js.
• Adds a new form mixing SanitizeFieldsForm to core.form_mixins that checks the values or all CharField instances using core.validators.santize_string. The mixin is added to all forms where we allow input of strings.
• Adds a new serializer mixin SanitizeFieldSerializer to core.serializers that checks the values of all CharField instances and all items in all JSONField instances using core.validators.santize_string. The mixin is added to all serializers where we allow input of strings.
• Adds a new serializer mixin JSONAttrsSerializer to core.serializers that validates contents of the field attributes using jsonattrs. jsonattrs validation wasn't implemented as of yet which allowed the injection of invalid values to be added via the API, which caused the platform to break in some instances.

When should this PR be merged

This is a critical fix, so it should be merged as soon as possible.

Risks

The PR itself is low risk; we should test the changes thoroughly on staging because it affects most parts of the platform.

Follow-up actions

• @oliverroick to document form and serializer mixins in the dev wiki. (Draft done; documentation for forms and serializers)

Checklist (for reviewing)

General

• Is this PR explained thoroughly? All code changes must be accounted for in the PR description.
• Is the PR labeled correctly? It should have the migration label if a new migration is added.
• Is the risk level assessment sufficient? The risks section should contain all risks that might be introduced with the PR and which actions we need to take to mitigate these risks. Possible risks are database migrations, new libraries that need to be installed or changes to deployment scripts.

Functionality

• Are all requirements met? Compare implemented functionality with the requirements specification.
• Does the UI work as expected? There should be no Javascript errors in the console; all resources should load. There should be no unexpected errors. Deliberately try to break the feature to find out if there are corner cases that are not handled.

Code

• Do you fully understand the introduced changes to the code? If not ask for clarification, it might uncover ways to solve a problem in a more elegant and efficient way.
• Does the PR introduce any inefficient database requests? Use the debug server to check for duplicate requests.
• Are all necessary strings marked for translation? All strings that are exposed to users via the UI must be marked for translation.

Tests

• Are there sufficient test cases? Ensure that all components are tested individually; models, forms, and serializers should be tested in isolation even if a test for a view covers these components.
• If this is a bug fix, are tests for the issue in place? There must be a test case for the bug to ensure the issue won’t regress. Make sure that the tests break without the new code to fix the issue.
• If this is a new feature or a significant change to an existing feature? has the manual testing spreadsheet been updated with instructions for manual testing?

Security

• Confirm this PR doesn't commit any keys, passwords, tokens, usernames, or other secrets.
• Are all UI and API inputs run through forms or serializers?
• Are all external inputs validated and sanitized appropriately?
• Does all branching logic have a default case?
• Does this solution handle outliers and edge cases gracefully?
• Are all external communications secured and restricted to SSL?

Documentation

• Are changes to the UI documented in the platform docs? If this PR introduces new platform site functionality or changes existing ones, the changes must be documented in the Cadasta Platform Documentation.
• Are changes to the API documented in the API docs? If this PR introduces new API functionality or changes existing ones, the changes must be documented in the API docs.
• Are reusable components documented? If this PR introduces components that are relevant to other developers (for instance a mixin for a view or a generic form) they should be documented in the Wiki.

[seav]

The message here indicates that HTML tags are not allowed, but the validator does not contain any logic to check for HTML tags.

[seav]

@oliverroick: Is this feedback invalid?

[oliverroick]

It's not. I totally missed replying to this, thanks for reminding me again.

I've added a check for HTML to sanitize.js as well.

[linzjax]

I know there was some conversation about this in the issue, but did we decide emoji's in the project name was ok?

I also got a "Please provide a name" error when I added an emoji to the contact fields, rather than an error explaining that "there's no way my name does not contain an emoji so stop messing around".

[oliverroick]

@linzjax Crap it looks like the regex I wrote doesn't cover unicorns, I'll look into that tomorrow. Also need to look at the names thing.

[linzjax]

I know apple added a ridiculous new set of emojis and fancied up old ones that aren't included in the standard emoji set.

Also,

Crap it looks like the regex I wrote doesn't cover unicorns

is a hilarious sentence.

[oliverroick]

@linzjax I added new regex definitions that should also cover unicorns.

[linzjax]

Don't mind me just coming through trying to break things 🙅 :

Two things weird about this:

1. I can search for emojis and it shows up in the url
2. It returned a document (which I didn't know was possible on my local machine) for a document that I tried to name "👩‍🎓" and it wouldn't let me.

[linzjax]

I can also import emojis and super useless html.

[oliverroick]

@linzjax Sanitizing imports now too

[linzjax]

wayward print sighting

[linzjax]

Ok besides the print statement, one more question: have you run this against ODK submissions? My Test phone is dead and apparently I didn't bring an android charger with me, but I don't see anything is xforms/mixins/model_helper.py

[oliverroick]

@linzjax Of course GeoODK submissions were not sanitized, but they should be now.

[linzjax]

Al➡️, that covers everything I can 🤔 of, which means I'm done 🐝ing a pain in your 🐴 now.

[wonderchook]

@seav can you finish reviewing this please?

[seav]

Did some tests and this looks good to me.

[amplifi]

Organization form validates tag inputs:

[amplifi]

User registration form validates emoji and tags, including saving for full name (same also allowed on editing user profile):

[amplifi]

When adding a new project or editing project details, phone number field doesn't display error when invalid string is submitted. Just refreshes form page without visual cues or error message:

[amplifi]

Add location form, edit location relationship form, add resource form validate with tags:

[seav]

This JavaScript code apparently does not properly check for <script> and <style> tags. We should also do the conditional checks below. If any of them is true, then the string is not sanitized.

• doc.styleSheets.length > 0
• doc.scripts.length > 0

[amplifi]

On submission, Edit resource form shows green validation for fields containing tags (Name & Description), then after form reloads it shows the red error cues.

[bjohare]

We should probably be sanitizing questionnaires as well..

[amplifi]

We should consolidate any additional fixes/sanitization into a new GitHub Issue (or Issues). As long as there are no breaking changes, and I haven't found any yet, this PR has to merge for the upcoming release. Better to have most inputs validated than none.

[oliverroick]

I added client-side code to catch script and style elements. Also added code to sanitize user registration and profile updates.

@bjohare Questionnaires should be sanitized, could you send me the form you used?

[bjohare]

@oliverroick I just used the standard questionnaire with an emoji added to the party_type label

[linzjax]

When signing in, I can submit fields with emojis. I can't sign in, but they are submitted.

---

If I go through the "password reset" process, I can reset my password to contain an emoji.

---

Similar to the sign in form, the "add member" form submits with emojis.

---

Organization and Project URL fields accept emojis and script tags

---

I can't add resource with a filename that contains an emoji, but I also don't get an error

[dpalomino]

Some feedback, uploading questionnaires when creating projects:

1. Not sure if this is an issue, but I can upload a questionnaire containing an emoji, although at the end of the project creation process (step 3, user permissions), project is rejected. Tried including emojis in labels, names, types, choices, settings

2. You can include an emoji in a column name of a questionnaire (I tested with "tittle" column in settings tab). Interestingly:

   • If included in the "tittle" column of the settings tab, it is accepted. Example here
   • If included in the "name" column of the survey tab, it is not accepted (but you are able to upload)

3. I tried to change the tab name to include an emoji, and was rejected but not because we were filtering emojis, but because there were missing information:

For scripts:

1. Same behaviour. You can generally upload a questionnaire containing script chars (I tried with <script>), although at the end of the project creation process (step 3, user permissions), project is rejected. Tried including script code in labels, names, types, choices, settings

2. Interestingly, including script in the "hint" column (hint<script>asdf</script>)is accepted and you can actually create a project, see here.

3. Same behaviour for title column in settings tab, was able to include "title<script>ha!</script>" and project was created (check here)

[dpalomino]

Regarding search:

1. I can include emojis in the search:
   

2. And the same for the script code:
   

[amplifi]

Search is fine; input isn't stored and Elasticsearch has its own query validation. Same for login.

The main concerns are strings that are stored in the database.

[dpalomino]

I've created individual tickets #1558, #1559, and #1560 for tracking these issues.