Prevent Reflected XSS
The API takes user input and validates it before making DNS calls, but
if the input is invalid, a response containing the user input is reflected back to
the user as-is without any sanitization. This makes OpenResolve
vulnerable to a reflected XSS attack.
Philip I. Thomas committed Aug 3, 2015
1 parent 9eba6ba commit c680170
Showing 1 changed file with 4 additions and 4 deletions.
8 changes: 4 additions & 4 deletions resolverapi/endpoints.py
Expand Up @@ -50,9 +50,9 @@ def get(self, rdtype, domain):

def valid_args(self, rdtype, domain):
if not is_valid_rdtype(rdtype):
abort(400, message="%s type is not supported" % rdtype)
abort(400, message="The provided record type is not supported")
if not is_valid_hostname(domain):
abort(400, message="%s is not a valid domain name" % domain)
abort(400, message="The provided domain name is invalid")


class ReverseLookup(Resource):
Expand All @@ -79,7 +79,7 @@ def get(self, ip):
return {'message': 'All nameservers timed out.'}, 503
continue
except NXDOMAIN:
return {'message': 'No nameserver found for %s' % ip}, 404
return {'message': 'No nameserver found for the provided IP'}, 404
except Exception as e:
current_app.logger.error(e)
return {'message': 'An unexpected error occured.'}, 500
Expand All @@ -93,4 +93,4 @@ def get(self, ip):

def valid_args(self, ip):
if not is_valid_ip(ip):
abort(400, message="%s is not a valid ip address" % ip)
abort(400, message="The provided ip address is invalid")
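Review bot: The generic messages at lines 19, 22, 31 and 40 remove the reflected value, but nothing in this section addresses why a JSON error body was renderable as HTML in the first place; if `abort` here is flask-restful's, the body is serialized JSON, and the remaining gap is browsers sniffing it, so an `after_request` hook that sets `X-Content-Type-Options: nosniff` and keeps `application/json` on error responses would make the fix hold even if a future message interpolates input again. The two `valid_args` methods (line 16 and line 37) now carry three near-identical literals; a small module-level helper such as `def _reject(what): abort(400, message="The provided %s is invalid" % what)` called with a fixed label would keep the wording consistent and make any future interpolation of user input stand out in review. The enclosing `get` methods start outside the hunks, and the `occured` typo at line 34 is an unchanged context line.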
