Merge branch 'develop' into CD-command-injection-fixes

cisagov · Jul 10, 2023 · 8dd6eec · 8dd6eec
2 parents eb08583 + 839e4f8
commit 8dd6eec
Show file tree

Hide file tree

Showing 3 changed files with 67 additions and 10 deletions.
diff --git a/src/pe_reports/data/db_query.py b/src/pe_reports/data/db_query.py
@@ -2,6 +2,7 @@
 
 # Standard Python Libraries
 import logging
+import re
 import sys
 
 # Third-Party Libraries
@@ -21,6 +22,16 @@
 CONN_PARAMS_DIC = config()
 
 
+def sanitize_string(string):
+    """Remove special characters from string."""
+    return re.sub(r"[^a-zA-Z0-9\s]", "", string)
+
+
+def sanitize_uid(string):
+    """Remove special characters from uids."""
+    return re.sub(r"[^a-zA-Z0-9\-\s]", "", string)
+
+
 def show_psycopg2_exception(err):
     """Handle errors for PostgreSQL issues."""
     err_type, err_obj, traceback = sys.exc_info()
@@ -86,7 +97,11 @@ def query_creds_view(org_uid, start_date, end_date):
         df = pd.read_sql(
             sql,
             conn,
-            params={"org_uid": org_uid, "start_date": start_date, "end_date": end_date},
+            params={
+                "org_uid": sanitize_uid(org_uid),
+                "start_date": start_date,
+                "end_date": end_date,
+            },
         )
         return df
     except (Exception, psycopg2.DatabaseError) as error:
@@ -106,7 +121,11 @@ def query_credsbyday_view(org_uid, start_date, end_date):
         df = pd.read_sql(
             sql,
             conn,
-            params={"org_uid": org_uid, "start_date": start_date, "end_date": end_date},
+            params={
+                "org_uid": sanitize_uid(org_uid),
+                "start_date": start_date,
+                "end_date": end_date,
+            },
         )
         return df
     except (Exception, psycopg2.DatabaseError) as error:
@@ -127,7 +146,11 @@ def query_breachdetails_view(org_uid, start_date, end_date):
         df = pd.read_sql(
             sql,
             conn,
-            params={"org_uid": org_uid, "start_date": start_date, "end_date": end_date},
+            params={
+                "org_uid": sanitize_uid(org_uid),
+                "start_date": start_date,
+                "end_date": end_date,
+            },
         )
         return df
     except (Exception, psycopg2.DatabaseError) as error:
@@ -148,7 +171,7 @@ def query_domMasq(org_uid, start_date, end_date):
             sql,
             conn,
             params={
-                "org_uid": org_uid,
+                "org_uid": sanitize_uid(org_uid),
                 "start_date": start_date,
                 "end_date": end_date,
             },
@@ -181,7 +204,7 @@ def query_shodan(org_uid, start_date, end_date, table):
             conn,
             params={
                 "table": AsIs(table),
-                "org_uid": org_uid,
+                "org_uid": sanitize_uid(org_uid),
                 "start_date": start_date,
                 "end_date": end_date,
             },
@@ -201,12 +224,13 @@ def query_darkweb(org_uid, start_date, end_date, table):
         sql = """SELECT * FROM %(table)s
         WHERE organizations_uid = %(org_uid)s
         AND date BETWEEN %(start_date)s AND %(end_date)s"""
+
         df = pd.read_sql(
             sql,
             conn,
             params={
-                "table": AsIs(table),
-                "org_uid": org_uid,
+                "table": sanitize_string(table),
+                "org_uid": sanitize_uid(org_uid),
                 "start_date": start_date,
                 "end_date": end_date,
             },
@@ -247,7 +271,11 @@ def query_cyberSix_creds(org_uid, start_date, end_date):
         df = pd.read_sql(
             sql,
             conn,
-            params={"org_uid": org_uid, "start": start_date, "end": end_date},
+            params={
+                "org_uid": sanitize_uid(org_uid),
+                "start": start_date,
+                "end": end_date,
+            },
         )
         df["breach_date_str"] = pd.to_datetime(df["breach_date"]).dt.strftime(
             "%m/%d/%Y"

diff --git a/src/pe_reports/pages.py b/src/pe_reports/pages.py
@@ -9,6 +9,7 @@
 import chevron
 
 from .charts import Charts
+from .data.db_query import sanitize_uid
 
 # Import Classes
 from .metrics import Credentials, Cyber_Six, Domains_Masqs, Malware_Vulns
@@ -67,7 +68,9 @@ def buildAppendixList(df):
 
 def credential(chevron_dict, trending_start_date, start_date, end_date, org_uid):
     """Build exposed credential page."""
-    Credential = Credentials(trending_start_date, start_date, end_date, org_uid)
+    Credential = Credentials(
+        trending_start_date, start_date, end_date, sanitize_uid(org_uid)
+    )
     # Build exposed credential stacked bar chart
     width = 24
     height = 9.5
@@ -101,7 +104,7 @@ def credential(chevron_dict, trending_start_date, start_date, end_date, org_uid)
 
 def masquerading(chevron_dict, start_date, end_date, org_uid):
     """Build masquerading page."""
-    Domain_Masq = Domains_Masqs(start_date, end_date, org_uid)
+    Domain_Masq = Domains_Masqs(start_date, end_date, sanitize_uid(org_uid))
     chevron_dict.update(
         {
             "domain_table": buildTable(Domain_Masq.summary(), ["table"], []),

diff --git a/src/pe_source/data/pe_db/db_query_source.py b/src/pe_source/data/pe_db/db_query_source.py
@@ -2,6 +2,7 @@
 
 # Standard Python Libraries
 from datetime import datetime
+import re
 import sys
 
 # Third-Party Libraries
@@ -13,6 +14,7 @@
 # cisagov Libraries
 from pe_reports import app
 from pe_reports.data.config import config
+from pe_reports.data.db_query import sanitize_uid
 
 # Setup logging to central file
 LOGGER = app.config["LOGGER"]
@@ -43,6 +45,13 @@ def close(conn):
     conn.close()
 
 
+def sanitize_text(string):
+    """Remove special characters from string."""
+    pattern = re.compile(r"[^\w\s]+")
+    sanitized_text = pattern.sub("", string())
+    return sanitized_text
+
+
 def get_orgs():
     """Query organizations that receive reports and demo organizations."""
     conn = connect()
@@ -52,6 +61,12 @@ def get_orgs():
         cur.execute(sql)
         pe_orgs = cur.fetchall()
         keys = ("org_uid", "org_name", "cyhy_db_name")
+
+        for value in pe_orgs:
+            value[0] = sanitize_uid(value[0])  # org_uid
+            value[1] = value[1]
+            value[2] = sanitize_text(value[2])  # cyhy_db_name
+
         pe_orgs = [dict(zip(keys, values)) for values in pe_orgs]
         cur.close()
         return pe_orgs
@@ -83,6 +98,11 @@ def get_data_source_uid(source):
     sql = """SELECT * FROM data_source WHERE name = '{}'"""
     cur.execute(sql.format(source))
     source = cur.fetchone()[0]
+
+    # Sanitize the data returned by fetchone()[0],
+    # returned data is data_source_uid (a uuid string)
+    source = sanitize_uid(source)
+
     cur.close()
     cur = conn.cursor()
     # Update last_run in data_source table
@@ -252,6 +272,9 @@ def get_breaches():
         cur.execute(sql)
         pe_orgs = cur.fetchall()
         cur.close()
+        for breach in pe_orgs:
+            breach[0] = sanitize_text([0])
+            breach[1] = sanitize_uid(breach[1])
         return pe_orgs
     except (Exception, psycopg2.DatabaseError) as error:
         LOGGER.error("There was a problem with your database query %s", error)
@@ -443,6 +466,9 @@ def get_intelx_breaches(source_uid):
         sql = """SELECT breach_name, credential_breaches_uid FROM credential_breaches where data_source_uid = %s"""
         cur.execute(sql, [source_uid])
         all_breaches = cur.fetchall()
+        for breach in all_breaches:
+            breach[0] = sanitize_text([0])
+            breach[1] = sanitize_uid(breach[1])
         cur.close()
         return all_breaches
     except (Exception, psycopg2.DatabaseError) as error: