Merge branch 'security/review' into 'master'

Add a CSRF token in the calculator form. Avoid printing an unescaped error (which may contain JS). Closes #131 See merge request cara/cara!123
2020-12-17 16:02:01 +00:00 · 2020-12-17 16:02:01 +00:00 · d0156f5b54
commit d0156f5b54
parent 5759e94b44 bcad48f091
2 changed files with 8 additions and 2 deletions
--- a/cara/apps/calculator/init.py
+++ b/cara/apps/calculator/init.py
@ -1,3 +1,4 @@
+import html
 import json
 from pathlib import Path
 from typing import Optional, Awaitable
@ -50,7 +51,7 @@ class ConcentrationModel(BaseRequestHandler):
            if self.settings.get("debug", False):
                import traceback
                print(traceback.format_exc())
-            response_json = {'code': 400, 'error': f'Your request was invalid {err}'}
+            response_json = {'code': 400, 'error': f'Your request was invalid {html.escape(str(err))}'}
            self.set_status(400)
            self.finish(json.dumps(response_json))
            return
@ -79,7 +80,10 @@ class CalculatorForm(BaseRequestHandler):
    def get(self):
        template = self.settings["template_environment"].get_template(
            "calculator.form.html.j2")
-        report = template.render(user=self.current_user)
+        report = template.render(
+            user=self.current_user,
+            xsrf_form_html=self.xsrf_form_html(),
+        )
        self.finish(report)


@ -118,4 +122,5 @@ def make_app(debug=False, prefix='/calculator'):
        urls,
        debug=debug,
        template_environment=template_environment,
+        xsrf_cookies=True,
    )
--- a/cara/apps/calculator/templates/calculator.form.html.j2
+++ b/cara/apps/calculator/templates/calculator.form.html.j2
@ -31,6 +31,7 @@
 {% else %}
 <form id="covid_calculator" name="covid_calculator" action="/calculator/report" onsubmit="return validate_form(this)" method="POST">
 {% endif %}
+{{ xsrf_form_html }}

 <input type="hidden" name="model_version" value={{ MODEL_VERSION }}>