Make endpoint error messages safe for round-trips

This makes sure no script tags can be included in api error messages.
cfpb · Dec 1, 2016 · b9b6360 · b9b6360
1 parent 599fbdf
commit b9b6360
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 1 deletion.
diff --git a/ratechecker/ratechecker_parameters.py b/ratechecker/ratechecker_parameters.py
@@ -5,6 +5,12 @@
 from localflavor.us.us_states import STATE_CHOICES
 
 
+def scrub_error(error):
+    for char in ['<', '>', r'%3C', r'%3E']:
+        error = error.replace(char, '')
+    return error
+
+
 class ParamsSerializer(serializers.Serializer):
 
     PROPERTY_TYPE_SF = 'SF'
@@ -144,3 +150,14 @@ def validate_loan_term(self, value):
             raise serializers.ValidationError("loan_term needs to be "
                                               "15 or 30.")
         return value
+
+    @property
+    def errors(self):
+        if not hasattr(self, '_errors'):
+            msg = 'You must call `.is_valid()` before accessing `.errors`.'
+            raise AssertionError(msg)
+        for key in self._errors.keys():
+            self._errors[key] = [scrub_error(error)
+                                 for error in self._errors[key]]
+
+        return self._errors
diff --git a/ratechecker/tests/test_views_ratecheckerparameters.py b/ratechecker/tests/test_views_ratecheckerparameters.py
@@ -3,7 +3,7 @@
 from decimal import Decimal
 
 from ratechecker.models import Product
-from ratechecker.ratechecker_parameters import ParamsSerializer
+from ratechecker.ratechecker_parameters import ParamsSerializer, scrub_error
 
 
 class RateCheckerParametersTestCase(TestCase):
@@ -236,3 +236,10 @@ def test_is_alid__ltv__with_ltv(self):
         self.assertEqual(serializer.validated_data.get('min_ltv'), Decimal('90.1'))
         self.assertTrue(serializer.validated_data.get('min_ltv'), serializer.validated_data.get('max_ltv'))
         self.assertTrue(serializer.validated_data.get('ltv'), serializer.validated_data.get('max_ltv'))
+
+    def test_error_scrubber(self):
+        bad_value1 = 'CONFFQ684<SCRIPT>ALERT(1)</SCRIPT>'
+        bad_value2 = r'%3Cscript%3CEalert(1)%3C%2fscript%3E'
+        for char in ['<', '>', r'%3C', r'%3E']:
+            self.assertNotIn(char, scrub_error(bad_value1))
+            self.assertNotIn(char, scrub_error(bad_value2))