Summit

Merge lp:~mhall119/summit/xss-vulnerability-fix into lp:~summit-hackers/summit/1.x

xss-vulnerability-fix
Merge into 1.x

Proposed by Michael Hall on 2011-08-26

Status:	Merged
Approved by:	Nigel Babu on 2011-08-27
Approved revision:	144
Merged at revision:	144
Proposed branch:	lp:~mhall119/summit/xss-vulnerability-fix
Merge into:	lp:~summit-hackers/summit/1.x
Diff against target:	193 lines (+166/-2) 2 files modified summit/sponsor/templates/sponsor/review.html (+1/-1) summit/sponsor/tests.py (+165/-1)
To merge this branch:	bzr merge lp:~mhall119/summit/xss-vulnerability-fix
Related bugs:	Link a bug report

Reviewer	Review Type	Date Requested	Status
Nigel Babu (community)		2011-08-26	Approve on 2011-08-27
Review via email: mp+73091@code.launchpad.net

Description of the change

Overview
========
Sponsorship application data was being displayed unescaped, allowing javascript injection into the pages.

Details
=======
Django will escape data being inserted into a template by default, but due to a combination of template filters the sponsorship.about field was having it's unescaped data inserted, which allowed for someone to submit a sponsorship application containing embedded javascript that would be executed by any user viewing their application. This MP contains tests for specifically this behavior, and changes the order of filters being applied so that the final result will still be properly escaped.

Revision history for this message

Nigel Babu (nigelbabu) wrote on 2011-08-27:

Ack. Good catch. I'm tempted to Rick Roll someone before we merge it in though :P

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Michael Hall

Summit Hackers

 === modified file 'summit/sponsor/templates/sponsor/review.html'
 --- summit/sponsor/templates/sponsor/review.html	2010-10-03 22:43:07 +0000
 +++ summit/sponsor/templates/sponsor/review.html	2011-08-26 19:16:19 +0000
@@ -17,7 +17,7 @@
  </table>
  <p>
--{{ sponsorship.about|escape|paras|urlize }}
++{{ sponsorship.about|escape|urlize|paras }}
  </p>
  <!--
 === modified file 'summit/sponsor/tests.py'
 --- summit/sponsor/tests.py	2011-08-22 16:12:36 +0000
 +++ summit/sponsor/tests.py	2011-08-26 19:16:19 +0000
@@ -23,6 +23,8 @@
  from django.contrib.auth.models import User
  from summit.schedule.models import Summit
  from summit.sponsor.models import (
++    Sponsorship,
++    SponsorshipScore,
      SponsorshipSuggestion,
      SponsorshipSuggestionScore,
      NonLaunchpadSponsorship,
@@ -147,5 +149,167 @@
+         }
          form = SponsorshipSuggestionForm(form_data)
          self.assertFalse(form.is_valid())
--
++
++
++class SponsorshipReviewTestCase(djangotest.TestCase):
++
++    def setUp(self):
++        self.summit = Summit.objects.create(
++            name='test-summit',
++            title='Test Summit',
++            location='Test Location',
++            description='Test Summit Description',
++            timezone='UTC',
++            last_update=datetime.datetime.now(),
++            state='sponsor',
++            date_start=(datetime.datetime.now() + datetime.timedelta(days=1)),
++            date_end=(datetime.datetime.now() + datetime.timedelta(days=6)),
++        )
++
++        self.user = User.objects.create(
++            username='testuser',
++            first_name='Test',
++            last_name='User',
++        )
++
++        self.sponsorship = Sponsorship.objects.create(
++            user=self.user,
++            summit=self.summit,
++            location='Test Location',
++            country='Test Country',
++            about='Test About Description',
++            needs_travel=False,
++            needs_accomodation=False,
++            would_crew=True,
++            diet='Test Diet',
++            further_info='Test Further Info',
++        )
++
++        self.scorer = User.objects.create(
++            username='testscorer',
++            first_name='Test',
++            last_name='Scorer',
++            is_superuser=True,
++        )
++        self.scorer.set_password('password')
++        self.scorer.save()
++
++        self.score = SponsorshipScore.objects.create(
++            sponsorship=self.sponsorship,
++            user=self.scorer,
++            score=1,
++            comment='Test Comment',
++        )
++
++    def test_sponsorship_review_display(self):
++        self.client.login(username='testscorer', password='password')
++        response = self.client.get('/test-summit/sponsorship/review/%s' % self.sponsorship.id)
++        self.assertContains(response, '<h1>Test User</h1>', 1)
++        self.assertContains(response, '<th>Location:</th><td>Test Location</td>', 1)
++        self.assertContains(response, '<th>Country:</th><td>Test Country</td>', 1)
++        self.assertContains(response, '<p>\nTest About Description\n</p>', 1)
++
++    def test_sponsorship_about_paras_filtering(self):
++        self.sponsorship.about = 'Test\nAbout\nDescription'
++        self.sponsorship.save()
++
++        self.client.login(username='testscorer', password='password')
++        response = self.client.get('/test-summit/sponsorship/review/%s' % self.sponsorship.id)
++        self.assertContains(response, '<p>\nTest</p>\n<p>\nAbout</p>\n<p>\nDescription\n</p>', 1)
++
++    def test_sponsorship_about_urlize_filtering(self):
++        self.sponsorship.about = 'Test http://example.org Description'
++        self.sponsorship.save()
++
++        self.client.login(username='testscorer', password='password')
++        response = self.client.get('/test-summit/sponsorship/review/%s' % self.sponsorship.id)
++        self.assertContains(response, '<p>\nTest <a href="http://example.org" rel="nofollow">http://example.org</a> Description\n</p>', 1)
++
++    def test_sponsorship_xss_escaping(self):
++        self.sponsorship.location = '"><script>alert(/xss/)</script>'
++        self.sponsorship.country = '"><script>alert(/xss/)</script>'
++        self.sponsorship.about = '"><script>alert(/xss/)</script>'
++        self.sponsorship.save()
++
++        self.user.first_name= '"><script>alert(/xss/)</script>'
++        self.user.last_name=''
++        self.user.save()
++
++        self.client.login(username='testscorer', password='password')
++        response = self.client.get('/test-summit/sponsorship/review/%s' % self.sponsorship.id)
++        # All displayed fields should have their html escaped
++        self.assertContains(response, '<h1>&quot;&gt;&lt;script&gt;alert(/xss/)&lt;/script&gt;</h1>', 1)
++        self.assertContains(response, '<th>Location:</th><td>&quot;&gt;&lt;script&gt;alert(/xss/)&lt;/script&gt;</td>', 1)
++        self.assertContains(response, '<th>Country:</th><td>&quot;&gt;&lt;script&gt;alert(/xss/)&lt;/script&gt;</td>', 1)
++        self.assertContains(response, '"><script>alert(/xss/)</script>', 0)
++
++
++class SuggestionReviewTestCase(djangotest.TestCase):
++
++    def setUp(self):
++        self.summit = Summit.objects.create(
++            name='test-summit',
++            title='Test Summit',
++            location='Test Location',
++            description='Test Summit Description',
++            timezone='UTC',
++            last_update=datetime.datetime.now(),
++            state='sponsor',
++            date_start=(datetime.datetime.now() + datetime.timedelta(days=1)),
++            date_end=(datetime.datetime.now() + datetime.timedelta(days=6)),
++        )
++
++        self.user = User.objects.create(
++            username='testuser',
++            first_name='Test',
++            last_name='User',
++        )
++
++        self.sponsorship = SponsorshipSuggestion.objects.create(
++            suggested_by=self.user,
++            name='Test Suggestion',
++            launchpad_name='testsuggestion',
++            summit=self.summit,
++            location='Test Location',
++            country='Test Country',
++            about='Test About Description',
++            needs_travel=False,
++            needs_accomodation=False,
++            would_crew=True,
++            diet='Test Diet',
++            further_info='Test Further Info',
++        )
++
++        self.scorer = User.objects.create(
++            username='testscorer',
++            first_name='Test',
++            last_name='Scorer',
++            is_superuser=True,
++        )
++        self.scorer.set_password('password')
++        self.scorer.save()
++
++        self.score = SponsorshipSuggestionScore.objects.create(
++            sponsorship=self.sponsorship,
++            user=self.scorer,
++            score=1,
++            comment='Test Comment',
++        )
++
++    def test_sponsorshipsuggestion_review_display(self):
++        self.client.login(username='testscorer', password='password')
++        response = self.client.get('/test-summit/suggestedsponsorship/review/%s' % self.sponsorship.id)
++        self.assertContains(response, '<h1>Test Suggestion</h1>', 1)
++
++    def test_sponsorshipsuggestion_xss_escaping(self):
++        self.client.login(username='testscorer', password='password')
++        self.sponsorship.name = '"><script>alert(/xss/)</script>'
++        self.sponsorship.location = '"><script>alert(/xss/)</script>'
++        self.sponsorship.country = '"><script>alert(/xss/)</script>'
++        self.sponsorship.about = '"><script>alert(/xss/)</script>'
++        self.sponsorship.save()
++        response = self.client.get('/test-summit/suggestedsponsorship/review/%s' % self.sponsorship.id)
++        # All displayed fields should have their html escaped
++        self.assertContains(response, '"><script>alert(/xss/)</script>', 0)
++

Summit

Merge lp:~mhall119/summit/xss-vulnerability-fix into lp:~summit-hackers/summit/1.x

Commit message

Description of the change

Preview Diff

Subscribers