diff options
| -rw-r--r-- | Post/parser.py | 26 | ||||
| -rw-r--r-- | requirements.txt | 1 |
2 files changed, 10 insertions, 17 deletions
diff --git a/Post/parser.py b/Post/parser.py index f411e02..536e872 100644 --- a/Post/parser.py +++ b/Post/parser.py @@ -9,6 +9,7 @@ # Licensed under the MIT license, see COPYING.MIT for details import json, re +import bleach from Post.models import Build, BuildFailure, ErrorType from django.conf import settings from django.utils import timezone @@ -19,21 +20,6 @@ class Parser: def __init__(self, data): self.data = data.decode('utf-8') - # returns true if the values contain '<' char - # Ignore the failures field (which is an array anyway) - # Ignore any non-str fields too [YOCTO #14208] - def contains_tags (self, data): - for key,val in data.items(): - if key == 'failures': - continue - - if not isinstance(val, str): - continue - - if '<' in val: - return True - return False - def parse(self, request): build_fails_logged = [] @@ -42,8 +28,14 @@ class Parser: except: return { 'error' : 'Invalid json' } - if self.contains_tags(jsondata) == True: - return { 'error' : 'Invalid characters in json' } + # Bleach data going directly into the database so that + # displaying in any of the graphing doesn't introduce XSS + for key,val in jsondata.items(): + if key == 'failures': + continue + if not isinstance(val, str): + continue + jsondata[key] = bleach.clean(val) b = Build.objects.create() try: diff --git a/requirements.txt b/requirements.txt index 909d054..52633b4 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,2 +1,3 @@ Django<1.9 python-Levenshtein==0.12.0 +bleach
\ No newline at end of file |