Merge pull request #545 from CityOfNewYork/johnyu95-new-request-vulne…

…rability-fix Fixed injection vulnerability in new request page
CityOfNewYork · Dec 16, 2021 · db6d6b4 · db6d6b4
2 parents 96797ab + 9ffd98d
commit db6d6b4
Show file tree

Hide file tree

Showing 4 changed files with 50 additions and 44 deletions.
diff --git a/app/request/utils.py b/app/request/utils.py
@@ -13,7 +13,12 @@
 from tempfile import NamedTemporaryFile
 from urllib.parse import urljoin
 
-from flask import render_template, current_app, url_for, request as flask_request
+from flask import (
+    render_template,
+    current_app,
+    url_for, request as flask_request,
+    escape
+)
 from flask_login import current_user
 from werkzeug.utils import secure_filename
 
@@ -285,11 +290,11 @@ def get_address(form):
                 app.request.forms.AnonymousRequestForm
     """
     return create_mailing_address(
-        form.address.data or None,
-        form.city.data or None,
-        form.state.data or None,
-        form.zipcode.data or None,
-        form.address_two.data or None
+        escape(form.address.data) or None,
+        escape(form.city.data) or None,
+        escape(form.state.data) or None,
+        escape(form.zipcode.data) or None,
+        escape(form.address_two.data) or None
     )
 
 

diff --git a/app/request/views.py b/app/request/views.py
@@ -16,11 +16,12 @@
     Markup,
     jsonify,
     abort,
+    escape
 )
 from flask_login import current_user
 from sqlalchemy import any_
 from sqlalchemy.orm.exc import NoResultFound
-from werkzeug.utils import escape
+from werkzeug.utils import escape as werkzeug_escape
 
 from app.constants import request_status, permission, HIDDEN_AGENCIES
 from app.lib.date_utils import DEFAULT_YEARS_HOLIDAY_LIST, get_holidays_date_list
@@ -76,10 +77,10 @@ def new():
     :return: redirect to homepage on successful form validation
      if form fields are missing or has improper values, backend error messages (WTForms) will appear
     """
-    kiosk_mode = eval_request_bool(escape(flask_request.args.get("kiosk_mode", False)))
-    category = str(escape(flask_request.args.get("category", None)))
-    agency = str(escape(flask_request.args.get("agency", None)))
-    title = str(escape(flask_request.args.get("title", None)))
+    kiosk_mode = eval_request_bool(werkzeug_escape(flask_request.args.get("kiosk_mode", False)))
+    category = str(werkzeug_escape(flask_request.args.get("category", None)))
+    agency = str(werkzeug_escape(flask_request.args.get("agency", None)))
+    title = str(werkzeug_escape(flask_request.args.get("title", None)))
 
     if current_user.is_public:
         form = PublicUserRequestForm()
@@ -110,57 +111,57 @@ def new():
             flask_request.form.get("custom-request-forms-data", {})
         )
         tz_name = (
-            flask_request.form["tz-name"]
+            escape(flask_request.form["tz-name"])
             if flask_request.form["tz-name"]
             else current_app.config["APP_TIMEZONE"]
         )
         if current_user.is_public:
             request_id = create_request(
-                form.request_title.data,
-                form.request_description.data,
-                form.request_category.data,
-                agency_ein=form.request_agency.data,
+                escape(form.request_title.data),
+                escape(form.request_description.data),
+                escape(form.request_category.data),
+                agency_ein=escape(form.request_agency.data),
                 upload_path=upload_path,
                 tz_name=tz_name,
                 custom_metadata=custom_metadata,
             )
         elif current_user.is_agency:
             request_id = create_request(
-                form.request_title.data,
-                form.request_description.data,
+                escape(form.request_title.data),
+                escape(form.request_description.data),
                 category=None,
                 agency_ein=(
-                    form.request_agency.data
-                    if form.request_agency.data != "None"
+                    escape(form.request_agency.data)
+                    if form.request_agency.data is not None
                     else current_user.default_agency_ein
                 ),
-                submission=form.method_received.data,
+                submission=escape(form.method_received.data),
                 agency_date_submitted_local=form.request_date.data,
-                email=form.email.data,
-                first_name=form.first_name.data,
-                last_name=form.last_name.data,
-                user_title=form.user_title.data,
-                organization=form.user_organization.data,
-                phone=form.phone.data,
-                fax=form.fax.data,
+                email=escape(form.email.data),
+                first_name=escape(form.first_name.data),
+                last_name=escape(form.last_name.data),
+                user_title=escape(form.user_title.data),
+                organization=escape(form.user_organization.data),
+                phone=escape(form.phone.data),
+                fax=escape(form.fax.data),
                 address=get_address(form),
                 upload_path=upload_path,
                 tz_name=tz_name,
                 custom_metadata=custom_metadata,
             )
         else:  # Anonymous User
             request_id = create_request(
-                form.request_title.data,
-                form.request_description.data,
-                form.request_category.data,
-                agency_ein=form.request_agency.data,
-                email=form.email.data,
-                first_name=form.first_name.data,
-                last_name=form.last_name.data,
-                user_title=form.user_title.data,
-                organization=form.user_organization.data,
-                phone=form.phone.data,
-                fax=form.fax.data,
+                escape(form.request_title.data),
+                escape(form.request_description.data),
+                escape(form.request_category.data),
+                agency_ein=escape(form.request_agency.data),
+                email=escape(form.email.data),
+                first_name=escape(form.first_name.data),
+                last_name=escape(form.last_name.data),
+                user_title=escape(form.user_title.data),
+                organization=escape(form.user_organization.data),
+                phone=escape(form.phone.data),
+                fax=escape(form.fax.data),
                 address=get_address(form),
                 upload_path=upload_path,
                 tz_name=tz_name,

diff --git a/app/templates/request/_edit_requester_info.html b/app/templates/request/_edit_requester_info.html
@@ -4,7 +4,7 @@ <h4>Requester</h4>
     <h4>
         <a data-target="#requesterModal" data-toggle="modal" class="MainNavText" id="MainNavHelp"
            href="#requesterModal">
-            {{ request.requester.name }}
+            {{ request.requester.name | safe }}
         </a>
     </h4>
 </div>
@@ -23,7 +23,7 @@ <h4 class="modal-title">Requester Information</h4>
                 <div class="modal-body">
                     {% set is_requester_information_readonly = request.requester.is_public or
                            current_user.is_agency_read_only(request.agency.ein) %}
-                    <div id="requester-name">{{ request.requester.name }}</div>
+                    <div id="requester-name">{{ request.requester.name | safe }}</div>
                     <div class="contact-form-error-message" tabindex="0"></div>
                     {{ edit_requester_form.email.label }}
                     {{ edit_requester_form.email(id='inputEmail', type='email', class='form-control', maxlength="254",

diff --git a/app/templates/request/_view_request_info.html b/app/templates/request/_view_request_info.html
@@ -34,10 +34,10 @@ <h3 class="text-muted" id="request-id">{{ request.id }}
                 <div class="request-title-text lead">
                     {% if permissions['edit_title'] and request.status != status.CLOSED %}
                         <!-- editable area for request title -->
-                        <a href="#" class="xedit" id="title">{{ request.title }}</a>
+                        <a href="#" class="xedit" id="title">{{ request.title | safe }}</a>
                     {% else %}
                         {% if request.show_title %}
-                            {{ request.title }}
+                            {{ request.title | safe }}
                         {% else %}
                             {% if request.was_acknowledged or request.status == "Closed" %}
                                 <p>Private</p>
@@ -53,7 +53,7 @@ <h3 class="text-muted" id="request-id">{{ request.id }}
                 {% if (custom_request_forms_enabled and description_hidden_by_default == false) or custom_request_forms_enabled == false %}
                     <div class="row">
                         <div class="request-label lead">Description:</div>
-                        <div class="request-description-text lead">{{ request.description }}</div>
+                        <div class="request-description-text lead">{{ request.description | safe }}</div>
                         <br>
                     </div>
                 {% endif %}