Merge pull request #449 from kevin-bates/escape-user-input

Escape user input in handlers flagged during code scans
jupyter-server · Mar 18, 2021 · d24f9f6 · d24f9f6
2 parents d690965 + 151931b
commit d24f9f6
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 5 deletions.
diff --git a/examples/simple/simple_ext1/handlers.py b/examples/simple/simple_ext1/handlers.py
@@ -1,5 +1,6 @@
 from jupyter_server.base.handlers import JupyterHandler
 from jupyter_server.extension.handler import ExtensionHandlerMixin, ExtensionHandlerJinjaMixin
+from jupyter_server.utils import url_escape
 
 class DefaultHandler(ExtensionHandlerMixin, JupyterHandler):
     def get(self):
@@ -19,8 +20,8 @@ def get(self, matched_part=None, *args, **kwargs):
         var1 = self.get_argument('var1', default=None)
         components = [x for x in self.request.path.split("/") if x]
         self.write('<h1>Hello Simple App 1 from Handler.</h1>')
-        self.write('<p>matched_part: {}</p>'.format(matched_part))
-        self.write('<p>var1: {}</p>'.format(var1))
+        self.write('<p>matched_part: {}</p>'.format(url_escape(matched_part)))
+        self.write('<p>var1: {}</p>'.format(url_escape(var1)))
         self.write('<p>components: {}</p>'.format(components))
 
 class BaseTemplateHandler(ExtensionHandlerJinjaMixin, ExtensionHandlerMixin, JupyterHandler): pass

diff --git a/examples/simple/simple_ext2/handlers.py b/examples/simple/simple_ext2/handlers.py
@@ -1,13 +1,14 @@
 from jupyter_server.base.handlers import JupyterHandler
 from jupyter_server.extension.handler import ExtensionHandlerMixin, ExtensionHandlerJinjaMixin
+from jupyter_server.utils import url_escape
 
 class ParameterHandler(ExtensionHandlerMixin, JupyterHandler):
     def get(self, matched_part=None, *args, **kwargs):
         var1 = self.get_argument('var1', default=None)
         components = [x for x in self.request.path.split("/") if x]
         self.write('<h1>Hello Simple App 2 from Handler.</h1>')
-        self.write('<p>matched_part: {}</p>'.format(matched_part))
-        self.write('<p>var1: {}</p>'.format(var1))
+        self.write('<p>matched_part: {}</p>'.format(url_escape(matched_part)))
+        self.write('<p>var1: {}</p>'.format(url_escape(var1)))
         self.write('<p>components: {}</p>'.format(components))
 
 class BaseTemplateHandler(ExtensionHandlerJinjaMixin, ExtensionHandlerMixin, JupyterHandler): pass

diff --git a/jupyter_server/services/contents/handlers.py b/jupyter_server/services/contents/handlers.py
@@ -282,7 +282,7 @@ def get(self, path):
         self.redirect(url_path_join(
             self.base_url,
             'api/contents',
-            path
+            url_escape(path)
         ))
 
     put = patch = post = delete = get