admin: xss vulnerability fix

* Fixes a XSS vulnerability due to improperly escaped JSON output of the record.
inveniosoftware · Jul 15, 2019 · 4b3f74e · 4b3f74e
1 parent 8635cf6
commit 4b3f74e
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 3 deletions.
diff --git a/invenio_records/admin.py b/invenio_records/admin.py
@@ -39,8 +39,8 @@ class RecordMetadataModelView(ModelView):
     )
     column_formatters = dict(
         version_id=lambda v, c, m, p: m.version_id-1,
-        json=lambda v, c, m, p: Markup("<pre>{0}</pre>".format(
-            json.dumps(m.json, indent=2, sort_keys=True)))
+        json=lambda v, c, m, p: Markup("<pre>{0}</pre>").format(
+            json.dumps(m.json, indent=2, sort_keys=True))
     )
     column_filters = ('created', 'updated', )
     column_default_sort = ('updated', True)

diff --git a/tests/test_admin.py b/tests/test_admin.py
@@ -45,7 +45,7 @@ def test_admin(app, db):
 
     # Create a test record.
     rec_uuid = str(uuid.uuid4())
-    Record.create({'title': 'test'}, id_=rec_uuid)
+    Record.create({'title': 'test<script>alert(1);</script>'}, id_=rec_uuid)
     db.session.commit()
 
     with app.test_request_context():
@@ -59,6 +59,14 @@ def test_admin(app, db):
         res = client.get(index_view_url)
         assert res.status_code == 200
 
+        # Check for XSS in JSON output
+        res = client.get(detail_view_url)
+        assert res.status_code == 200
+        data = res.get_data(as_text=True)
+        assert '<pre>{' in data
+        assert '}</pre>' in data
+        assert '<script>alert(1);</script>' not in data
+
         # Fake a problem with SQLAlchemy.
         with patch('invenio_records.models.RecordMetadata') as db_mock:
             db_mock.side_effect = SQLAlchemyError()