This repository has been archived by the owner on Aug 21, 2020. It is now read-only.
Fix several Cross-Site Scripting vulnerabilities #5
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Hello,
I noticed three potential Cross-Site Scripting (XSS) vulnerabilities in app/views/challenge.py and app/views/user.py.
When creating a challenge, the name of challenge is returned to the user without any sanitization. This opens a possibility for attackers to make users execute arbitrary code. For example, imagine an attacker can trick a user into accessing the url
https://svia.nl/challenge/api/create_challenge?...&name=<script>some_evil_code</script>. In this casesome_evil_codewill be executed in victim's browser, which has a huge security impact (remote code execution, cookies theft, malicious redirects, etc.)Same story with
https://svia.nl/users/export- if an attacker manages to create an account with e.g.descriptionfield set to<script>some_more_evil_code</script>, then whoever accesses the page will get thesome_more_evil_codepayload executed in their browser.My suggested fix is to escape (sanitize) all dangerous output before presenting it to the user.
I found the bug while testing DeepCode’s AI Code Review. The tool can help you automate the process of finding such (and many other types of) bugs. You can sign-up your repo (free for Open Source) to receive notifications whenever new bugs are detected. You can give it a try here.
Any feedback is more than welcome at chibo@deepcode.ai.
Cheers, Victor.