🧼 sanitizing inputs

jamf · Feb 12, 2024 · 7b917cc · 7b917cc
1 parent eeb0455
commit 7b917cc
Show file tree

Hide file tree

Showing 5 changed files with 23 additions and 5 deletions.
diff --git a/app.py b/app.py
@@ -1,6 +1,6 @@
 # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
 #
-# Copyright (c) 2023 Jamf.  All rights reserved.
+# Copyright (c) 2024 Jamf.  All rights reserved.
 #
 #       Redistribution and use in source and binary forms, with or without
 #       modification, are permitted provided that the following conditions are met:
@@ -216,13 +216,19 @@ def success(success_msg=""):
         return redirect(
             url_for('home_view.logout', error_title="Session Timed Out", error_message="Please sign in again"))
     success_msg = request.args.get('success_msg')
+    if success_msg:
+        success_msg = escape(success_msg)
     return render_template('success.html', success_msg=success_msg, login="true", username=str(escape(session['username'])))
 
 
 @app.route('/error', methods=['GET', 'POST'])
 def error():
     error_title = request.args.get('error')
     error_message = request.args.get('error_message')
+    if error_title:
+        error_title = escape(error_title)
+    if error_message:
+        error_message = escape(error_message)
     if 'username' not in session:
         return redirect(url_for('home_view.logout'))
     logthis.info(

diff --git a/views/custom_webhook.py b/views/custom_webhook.py
@@ -1,6 +1,6 @@
 # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
 #
-# Copyright (c) 2023 Jamf.  All rights reserved.
+# Copyright (c) 2024 Jamf.  All rights reserved.
 #
 #       Redistribution and use in source and binary forms, with or without
 #       modification, are permitted provided that the following conditions are met:
@@ -74,6 +74,8 @@ def edit_webhook():
         return redirect(
             url_for('home_view.logout', error_title="Session Timed Out", error_message="Please sign in again"))
     name = request.args.get('name')
+    if name:
+        name = escape(name)
     logthis.info(f"Checking for custom webhook '{name}'")
     with open(webhooks_file) as fin:
         webhooks_json = json.load(fin)

diff --git a/views/jamf_webhook.py b/views/jamf_webhook.py
@@ -1,6 +1,6 @@
 # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
 #
-# Copyright (c) 2023 Jamf.  All rights reserved.
+# Copyright (c) 2024 Jamf.  All rights reserved.
 #
 #       Redistribution and use in source and binary forms, with or without
 #       modification, are permitted provided that the following conditions are met:
@@ -298,6 +298,8 @@ def jamf_pro_edit():
         return redirect(
             url_for('home_view.logout', error_title="Session Timed Out", error_message="Please sign in again"))
     name = request.args.get('name')
+    if name:
+        name = escape(name)
     with open(webhooks_file) as fin:
         webhooks_json = json.load(fin)
     check_for_name = [True for each_webhook in webhooks_json if each_webhook['name'] == name]

diff --git a/views/resource_view.py b/views/resource_view.py
@@ -1,6 +1,6 @@
 # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
 #
-# Copyright (c) 2022 Jamf.  All rights reserved.
+# Copyright (c) 2024 Jamf.  All rights reserved.
 #
 #       Redistribution and use in source and binary forms, with or without
 #       modification, are permitted provided that the following conditions are met:
@@ -55,7 +55,11 @@ def files():
         return redirect(
             url_for('home_view.logout', error_title="Session Timed Out", error_message="Please sign in again"))
     target_file = request.args.get('target_file')
+    if target_file:
+        target_file = secure_filename(target_file)
     button_choice = request.args.get('button_choice')
+    if button_choice:
+        button_choice = escape(button_choice)
     if target_file:
         target_file_dir = os.path.dirname(os.path.abspath(os.path.join(files_dir, target_file)))
         target_file_path = os.path.abspath(os.path.join(files_dir, target_file))
@@ -96,6 +100,8 @@ def files():
 @blueprint.route('/resources/delete.html', methods=['GET', 'POST'])
 def delete_file():
     target_file = request.args.get('target_file')
+    if target_file:
+        target_file = secure_filename(target_file)
     if 'username' not in session:
         return redirect(
             url_for('home_view.logout', error_title="Session Timed Out", error_message="Please sign in again"))

diff --git a/views/webhook_view.py b/views/webhook_view.py
@@ -1,6 +1,6 @@
 # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
 #
-# Copyright (c) 2022 Jamf.  All rights reserved.
+# Copyright (c) 2024 Jamf.  All rights reserved.
 #
 #       Redistribution and use in source and binary forms, with or without
 #       modification, are permitted provided that the following conditions are met:
@@ -29,6 +29,7 @@
 from collections import defaultdict
 from flask import (Blueprint, redirect, request, session, url_for)
 import json
+from markupsafe import escape
 import os
 import requests
 import time
@@ -57,6 +58,7 @@ def delete_webhook():
     target_webhook = request.args.get('target_webhook')
     if not target_webhook:
         return redirect(url_for('custom_webhook.custom_webhook'))
+    target_webhook = escape(target_webhook)
     with open(webhooks_file) as fin:
         webhook_json = json.load(fin)
     tag = [each_webhook['tag'] for each_webhook in webhook_json if each_webhook['name'] == target_webhook]