Parse query params for /certified to protect against XSS

canonical · Dec 13, 2023 · a815e58 · a815e58
1 parent f62b60c
commit a815e58
Show file tree

Hide file tree

Showing 2 changed files with 62 additions and 0 deletions.
diff --git a/webapp/certified/views.py b/webapp/certified/views.py
@@ -79,6 +79,48 @@ def certified_routes(app):
         "/certified/filters.json", view_func=get_vendors_releases_filters
     )
 
+def _parse_query_params(all_releases, all_vendors):
+
+    new_certified_url = f'{request.path}?'
+    new_query_params = {}
+    if request.args.get("q") or request.args.get("q") == "":
+        new_certified_url += f'q={request.args.get("q")}'
+        new_query_params["q"] = request.args.get("q")
+
+    for category in ["Laptop", "Desktop", "Server", "IoT", "SoC"]:
+        if request.args.getlist("category"):
+            for item in request.args.getlist("category"):
+                if item == category:
+                    new_certified_url += f'&category={category}'
+                    new_query_params["category"] = category
+
+    for vendor in all_vendors:
+        if request.args.getlist("vendor"):
+            for item in request.args.getlist("vendor"):
+                if item == vendor:
+                    new_certified_url += f"&vendor={vendor}"
+                    new_query_params["vendor"] = vendor
+
+    for release in all_releases:
+        if request.args.getlist("release"):
+            for item in request.args.getlist("release"):
+                if item == release:
+                    new_certified_url += f"&release={release}"
+                    new_query_params["release"] = release
+
+    if request.args.get("limit"):
+        new_certified_url += f"&limit={request.args.get('limit')}"
+        new_query_params["limit"] = request.args.get("limit")
+
+    if request.args.get("offset"):
+        new_certified_url += f"&offset={request.args.get('offset')}"
+        new_query_params["offset"] = request.args.get("offset")
+
+    if new_query_params == dict(request.args):
+        # No parsing was done
+        return None
+    else:
+        return new_certified_url
 
 def get_vendors_releases_filters():
     categories = request.args.getlist("category")
@@ -491,6 +533,11 @@ def certified_home():
         release_filters,
     ) = get_filters(request.args)
 
+    # Parse url
+    new_cert_url = _parse_query_params(release_filters, vendor_filters)
+    if new_cert_url:
+        return flask.redirect(new_cert_url)
+
     if (
         "category" in request.args
         and len(request.args.getlist("category")) == 1
@@ -655,6 +702,7 @@ def create_category_views(category, template_path):
     all_vendors = []
     vendor_filters = []
 
+
     for release in certified_releases:
         version = release["release"]
 
@@ -681,6 +729,12 @@ def create_category_views(category, template_path):
     limit = request.args.get("limit", default=20, type=int)
     offset = request.args.get("offset", default=0, type=int)
 
+    # Parse url
+    new_cert_url = _parse_query_params(release_filters, vendor_filters)
+    if new_cert_url:
+        return flask.redirect(new_cert_url)
+
+
     releases = (
         ",".join(request.args.getlist("release"))
         if request.args.getlist("release")
@@ -715,6 +769,8 @@ def create_category_views(category, template_path):
     # Pagination
     total_results = models_response["meta"]["total_count"]
 
+
+
     return render_template(
         template_path,
         results=results,

diff --git a/webapp/handlers.py b/webapp/handlers.py
@@ -46,6 +46,12 @@ def cache_headers(response):
 
         if flask.request.path.startswith(disable_cache_on):
             response.cache_control.no_store = True
+
+        # Prevent XSS
+        if flask.request.path.startswith("/certified"):
+            response.headers['X-Frame-Options'] = 'SAMEORIGIN'
+            response.headers['Content-Security-Policy'] = "default-src 'self'"
+            response.headers['X-XSS-Protection'] = '1; mode=block'
 
         return response