From 89f1e6e62c90a8979538e3e28ee6a6a77c78c141 Mon Sep 17 00:00:00 2001
From: Phil Elson <philip.elson@cern.ch>
Date: Fri, 6 Nov 2020 23:32:25 +0100
Subject: [PATCH 1/2] Use the Jinja templating engine to remove pre-formatting
 values.

---
 cara/apps/calculator/report_generator.py      | 32 +++----------
 cara/apps/calculator/templates/report.html.j2 | 46 +++++++++----------
 2 files changed, 30 insertions(+), 48 deletions(-)

diff --git a/cara/apps/calculator/report_generator.py b/cara/apps/calculator/report_generator.py
index d0a3f7e6..78789faa 100644
--- a/cara/apps/calculator/report_generator.py
+++ b/cara/apps/calculator/report_generator.py
@@ -69,7 +69,7 @@ def plot(times, concentrations):
     return fig
 
 
-def minutes_to_string(minutes: int) -> str:
+def minutes_to_time(minutes: int) -> str:
     minute_string = str(minutes % 60)
     minute_string = "0" * (2 - len(minute_string)) + minute_string
     hour_string = str(minutes // 60)
@@ -88,34 +88,16 @@ def build_report(model: models.Model, form: FormData):
         'request': request,
         'form': form,
         'creation_date': time, 
-        'model_version': 'Beta v1.0.0', 
-        'simulation_name': form.simulation_name, 
-        'room_number': form.room_number, 
-        'room_volume': form.room_volume, 
-        'air_supply': form.air_supply, 
-        'air_changes': form.air_changes, 
-        'total_people': form.total_people,
-        'infected_people': form.infected_people,
-        'activity_type': form.activity_type,
-        'activity_start': minutes_to_string(form.activity_start),
-        'activity_finish': minutes_to_string(form.activity_finish),
-        'infected_start': minutes_to_string(form.infected_start),
-        'infected_finish': minutes_to_string(form.infected_finish),
-        'event_type': form.event_type, 
-        'single_event_date': form.single_event_date, 
-        'recurrent_event_month': form.recurrent_event_month,
-        'lunch_option': form.lunch_option, 
-        'lunch_start': minutes_to_string(form.lunch_start),
-        'lunch_finish': minutes_to_string(form.lunch_finish),
-        'coffee_breaks': form.coffee_breaks,
-        'coffee_duration': form.coffee_duration, 
-        'coffee_times': [[minutes_to_string(start), minutes_to_string(finish)] for start, finish in form.coffee_break_times()],
-        'mask_wearing': form.mask_wearing, 
+        'model_version': 'Beta v1.0.0',
     }
 
     context.update(calculate_report_data(model))
 
     p = Path(__file__).parent / "templates"
-    env = jinja2.Environment(loader=jinja2.FileSystemLoader(Path(p)))
+    env = jinja2.Environment(
+        loader=jinja2.FileSystemLoader(Path(p)),
+        undefined=jinja2.StrictUndefined,
+    )
+    env.filters['minutes_to_time'] = minutes_to_time
     template = env.get_template("report.html.j2")
     return template.render(**context)
\ No newline at end of file
diff --git a/cara/apps/calculator/templates/report.html.j2 b/cara/apps/calculator/templates/report.html.j2
index c21f81e4..9f18d3f9 100644
--- a/cara/apps/calculator/templates/report.html.j2
+++ b/cara/apps/calculator/templates/report.html.j2
@@ -13,8 +13,8 @@
 
 	<p class=subtitle> Created {{ creation_date }} using model version {{ model_version }}</p><br>
 
-	<p>Simulation Name: {{ simulation_name }}</p>
-	<p>Room Number: {{ room_number }}</p>
+	<p>Simulation Name: {{ form.simulation_name }}</p>
+	<p>Room Number: {{ form.room_number }}</p>
 
 	<p class="data_title">Input data:</p>
 	<ul>
@@ -29,9 +29,9 @@
 		<ul>
 			<li><p class="data_subtext">
 			{% if form.mechanical_ventilation_type == "air_supply"%}
-			Air supply flow rate: {{ air_supply }}
+			Air supply flow rate: {{ form.air_supply }}
 			{% elif form.mechanical_ventilation_type == "air_changes"%}
-			Air changes per hour: {{ air_changes }}
+			Air changes per hour: {{ form.air_changes }}
 			{% endif %}
 			</p></li>
 		</ul>
@@ -58,51 +58,51 @@
 
 	<p class="data_title">Event data:</p>
 	<ul>
-		<li><p class="data_text">Number of attendees and infected people: {{ total_people }} in attendance, of whom {{ infected_people }} 
-		{{ "is" if infected_people == 1 else "are" }}
+		<li><p class="data_text">Number of attendees and infected people: {{ form.total_people }} in attendance, of whom {{ form.infected_people }} 
+		{{ "is" if form.infected_people == 1 else "are" }}
 		infected.</p></li>
 		<li><p class="data_text">Activity type: 
-		{% if activity_type == "office" %}
+		{% if form.activity_type == "office" %}
 		Office work – typical scenario with all persons seated, talking.
-		{% elif activity_type == "workshop" %}
+		{% elif form.activity_type == "workshop" %}
 		Workshop = assembly workshop environment, all persons doing light exercise, talking.
-		{% elif activity_type == "training" %}
+		{% elif form.activity_type == "training" %}
 		Training – one person (the trainer) standing, talking, all others seated, talking quietly (whispering). It is assumed the trainer is the infected person, for the worst case scenario.
 		{% endif %}
 		</p></li>
 			<ul>
-				<li><p class="data_subtext">Start time: {{ activity_start }} &nbsp&nbsp End time: {{ activity_finish }}</p></li>
+				<li><p class="data_subtext">Start time: {{ form.activity_start | minutes_to_time }} &nbsp&nbsp End time: {{ form.activity_finish | minutes_to_time }}</p></li>
 			</ul>
 		<li><p class="data_text">Exposure time (presence of infected person):</p></li>
 		<ul>
-			<li><p class="data_subtext">Start time: {{ infected_start }} &nbsp&nbsp End time: {{ infected_finish }}</p></li>
+			<li><p class="data_subtext">Start time: {{ form.infected_start | minutes_to_time }} &nbsp&nbsp End time: {{ form.infected_finish | minutes_to_time }}</p></li>
 		</ul>
-		{% if event_type == "single_event"%}
-		<li><p class="data_text">Single event on {{ single_event_date }}</p></li>
+		{% if form.event_type == "single_event"%}
+		<li><p class="data_text">Single event on {{ form.single_event_date }}</p></li>
 		{% endif %}
-		{% if event_type == "recurrent_event"%}
-		<li><p class="data_text">Recurrent event for the month of {{ recurrent_event_month }}</p></li>
+		{% if form.event_type == "recurrent_event"%}
+		<li><p class="data_text">Recurrent event for the month of {{ form.recurrent_event_month }}</p></li>
 		{% endif %}
 	</ul>
 
 	<p class="data_title">Break data:</p>
 	<ul>
 		<li><p class="data_text">Lunch break: 
-		{% if lunch_option%}
+		{% if form.lunch_option%}
 		Yes</li>
 		<ul>
-			<li> Start: {{ lunch_start }} &nbsp&nbsp End: {{ lunch_finish }}</p></li>
+			<li> Start: {{ form.lunch_start | minutes_to_time }} &nbsp&nbsp End: {{ form.lunch_finish | minutes_to_time }}</p></li>
 		</ul>
 		{% else%}
 		No</li>
 		{% endif %}
-		<li><p class="data_text">Coffee breaks: {{ coffee_breaks }}	
-		{% if coffee_breaks > 0 %}
-		each of {{ coffee_duration }} minutes duration
+		<li><p class="data_text">Coffee breaks: {{ form.coffee_breaks }}
+		{% if form.coffee_breaks > 0 %}
+		each of {{ form.coffee_duration }} minutes duration
 		</p></li>
 		<ul>
-		{%- for coffee in coffee_times %}
-		<li><p class="data_subtext">Coffee break {{ loop.index }}: Start: {{ coffee[0] }} &nbsp&nbsp End: {{ coffee[1] }}</p></li>
+		{%- for start_time, end_time in form.coffee_break_times() %}
+		<li><p class="data_subtext">Coffee break {{ loop.index }}: Start: {{ start_time | minutes_to_time }} &nbsp&nbsp End: {{ end_time | minutes_to_time }}</p></li>
     	{%- endfor %}
 		</ul>
 		{% endif %}
@@ -111,7 +111,7 @@
 	<p class="data_title">Mask wearing:</p>
 	<ul>
 		<li><p class="data_text">Masks worn at workstations?
-		{{ "No" if mask_wearing == "removed" else "Yes" }}
+		{{ "No" if form.mask_wearing == "removed" else "Yes" }}
 		</p></li>
 		<li><p class="data_text">Mask type: Type 1</p></li>
 	</ul>

From 641d236aa93e77e524c62547192e3cbbd0ba8757 Mon Sep 17 00:00:00 2001
From: Phil Elson <philip.elson@cern.ch>
Date: Fri, 6 Nov 2020 23:41:42 +0100
Subject: [PATCH 2/2] Prevent arbitrary code execution exploits.

---
 cara/apps/calculator/model_generator.py | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/cara/apps/calculator/model_generator.py b/cara/apps/calculator/model_generator.py
index 907a78b2..3ad6bc37 100644
--- a/cara/apps/calculator/model_generator.py
+++ b/cara/apps/calculator/model_generator.py
@@ -1,5 +1,6 @@
 from cara.models import Model
 from dataclasses import dataclass
+import html
 import typing
 
 from cara import models
@@ -67,6 +68,11 @@ class FormData:
             if form_data[key] not in valid_set:
                 raise ValueError(f"{form_data[key]} is not a valid value for {key}")
 
+        # Don't let arbirtrary unescaped HTML through the net.
+        for key, value in form_data.items():
+            if isinstance(value, str):
+                form_data[key] = html.escape(value)
+
         # TODO: This fixup is a problem with the form.html.
         for key, value in form_data.items():
             if value == "":