GITC-277: Fixes xss vuln on projects work_url #9330

Merged
merged 1 commit into from
Aug 3, 2021
2 changes: 1 addition & 1 deletion app/dashboard/templates/project/detail/info.html
Expand Up @@ -32,7 +32,7 @@
<div class="ml-md-3">
<a class="text-decoration-none" :href="project.url"><h1 class="project-title mb-2 font-weight-bold" v-html="project.name"></h1></a>
<div class="d-flex align-items-baseline">
<i class="fab fa-github mr-2"></i> <a class="project__url link-white font-body" :href="project.work_url">[[project.work_url]]</a>
<i class="fab fa-github mr-2"></i> <a class="project__url link-white font-body" :href="project.work_url">[[decodeURIComponent(project.work_url)]]</a>
</div>
<div class="mt-3 project__actions">
<button class="btn btn-link btn-sm text-white p-0 m-0" @click="tabChange(1)"><i class="fas fa-comment mr-1"></i> [[ project.comments || 0 ]] Comment[[ project.comments > 1 ? 's' : '' ]]</button>
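Review bot: `project.name` is rendered through `v-html` on the `<h1>` two lines above the changed line, which is a raw-HTML sink of the same class as the work_url issue this PR fixes; nothing in this hunk shows the name being sanitised, so it is worth confirming it passes through `clean()` on save the way summary and work_url do in views.py, or switching the heading to `v-text`/`[[ project.name ]]` interpolation if the name never needs markup. The `decodeURIComponent(project.work_url)` display call throws a `URIError` on a malformed percent sequence, which is fine as long as every producer of `project.work_url` is the server-side `quote()` call; any other path that hands this template the raw stored value would break rendering of the whole component. The `:href` binding itself still relies entirely on the server having rejected dangerous schemes, so the strength of this fix is decided in views.py, not here.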
22 changes: 17 additions & 5 deletions app/dashboard/views.py
Expand Up @@ -27,6 +27,7 @@
import random
import re
import time
import urllib.parse
import uuid
from copy import deepcopy
from datetime import datetime, timedelta
Expand All @@ -41,6 +42,7 @@
from django.core.exceptions import ObjectDoesNotExist, PermissionDenied, ValidationError
from django.core.paginator import EmptyPage, PageNotAnInteger, Paginator
from django.db.models import Count, Q, Sum
from django.forms import URLField
from django.http import Http404, HttpResponse, JsonResponse
from django.shortcuts import get_object_or_404, redirect
from django.template import loader
Expand Down Expand Up @@ -3437,7 +3439,6 @@ async def certifiers_of(client: client, search: str) -> dict:


def connect_google():
import urllib.parse

return OAuth2Session(
settings.GOOGLE_CLIENT_ID,
Expand Down Expand Up @@ -3696,7 +3697,6 @@ def disconnect_user_ens(request, handle):


def connect_facebook():
import urllib.parse

facebook = OAuth2Session (
settings.FACEBOOK_CLIENT_ID,
Expand Down Expand Up @@ -5089,6 +5089,17 @@ def hackathon_save_project(request):
video_url = request.POST.get('videodemo-url', '')
categories = request.POST.getlist('categories[]')
tech_stack = request.POST.getlist('tech-stack[]')
work_url = request.POST.get('work_url', '')

# validate the url
validator = URLField()
try:
validator.clean(work_url)
except Exception as e:
return JsonResponse({
'success': False,
'msg': 'Please enter a valid URL for "Project Github Repository or Link to Pull Request"',
})

if error_response and error_response['status'] != 400:
return JsonResponse(error_response)
Expand All @@ -5107,7 +5118,7 @@ def hackathon_save_project(request):
'logo': request.FILES.get('logo'),
'bounty': bounty_obj,
'summary': clean(request.POST.get('summary'), strip=True),
'work_url': clean(request.POST.get('work_url'), strip=True),
'work_url': clean(work_url, strip=True),
'looking_members': looking_members,
'message': '',
'extra': {
Expand Down Expand Up @@ -5204,7 +5215,7 @@ def project_data(project_id):
'status': project.status,
'winner': project.winner,
'looking_members': project.looking_members,
'work_url': project.work_url,
'work_url': urllib.parse.quote(re.sub(re.compile(r'^javascript:'), '', project.work_url), safe=':/'),
'url': reverse('hackathon_project_page', args=[project.hackathon.slug, project_id, slugify(unidecode(project.name))]),
'demo': {
'url': project.extra.get('video_url', None),
Expand Down Expand Up @@ -5256,6 +5267,7 @@ def hackathon_project_page(request, hackathon, project_id, project_name='', tab=
hackathon_obj = HackathonEventSerializer(project.hackathon).data,
comments = Activity.objects.filter(activity_type='wall_post', project=project).count()
what = f'project:{project_id}'

params = {
'title': title,
'card_desc': desc,
Expand All @@ -5273,7 +5285,7 @@ def hackathon_project_page(request, hackathon, project_id, project_name='', tab=
'status': project.status,
'winner': project.winner,
'looking_members': project.looking_members,
'work_url': project.work_url,
'work_url': urllib.parse.quote(re.sub(re.compile(r'^javascript:'), '', project.work_url), safe=':/'),
'logo_url': project.logo.url if project.logo else '',
'demo': {
'url': project.extra.get('video_url', None),
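Review bot: The output-side sanitising in the `'work_url'` entries of project_data and hackathon_project_page strips a single lowercase `javascript:` prefix at offset 0 and then percent-encodes with `safe=':/'`, which is both too narrow and too wide: the prefix match is case-sensitive while URL schemes are not, `quote()` does not neutralise a `javascript:` URL because browsers percent-decode it before executing, and encoding `?`, `=`, `&` and `#` mangles any work_url that carries a query string, which is presumably unintended. Rows stored before this change are never re-checked by the new `URLField` validation, so a module-level helper that allow-lists the scheme via `urllib.parse.urlparse` (now imported at module top) and returns `''` for everything else is the more reliable defence, and it also removes the duplicated `re.compile` inside `re.sub`. In hackathon_save_project, `except Exception as e:` should be `except ValidationError:` (already imported from django.core.exceptions) since `e` is unused and the broad catch reports any unrelated failure as a bad URL; note too that the normalised value returned by `validator.clean(work_url)` is discarded and the raw `work_url` is what gets saved. All three enclosing view functions start outside the hunks shown.

```python
_WORK_URL_SCHEMES = ('http', 'https')


def _safe_work_url(work_url):
    """Return work_url percent-encoded for the project JSON, or '' unless its scheme is http(s).

    The scheme is allow-listed on the way out because rows saved before the
    URLField validation in hackathon_save_project existed were never checked.
    """
    candidate = (work_url or '').strip()
    if urllib.parse.urlparse(candidate).scheme.lower() not in _WORK_URL_SCHEMES:
        return ''
    # keep the delimiters a query string needs; the template decodes for display only
    return urllib.parse.quote(candidate, safe=':/?=&#')


# … unchanged: project_data up to the returned dict …
        'work_url': _safe_work_url(project.work_url),
# … unchanged: hackathon_project_page params dict, same one-line replacement …
```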
Expand Up @@ -27,8 +27,8 @@
# ./manage.py payout_round_noncustodial set_payouts mainnet --clr_pks=131,121,120,119,118 --clr_round=9 --process_all

import json
from decimal import Decimal
import math
from decimal import Decimal

from django.conf import settings
from django.core.management.base import BaseCommand