fix for issue 36

CHANGELOG.md

@@ -1,6 +1,11 @@
 Changelog
 =========
 
+## Version 0.7
+
+### Enhancements and Bugfixes:
+* [#36](https://github.com/1modm/petereport/issues/36) Security Issue - Stored XSS (Attack Tree)
+
 ## Version 0.6
 
 ### Enhancements and Bugfixes:

app/petereport/settings.py

@@ -239,10 +239,10 @@
 # BLEACH
 
 # Which HTML tags are allowed
-BLEACH_ALLOWED_TAGS = ['img', 'p', 'b', 'i', 'u', 'em', 'strong', 'a', 'hr', 'h1', 'h2', 'h3', 'h4', 'h5', 'pre', 'code', 'blockquote', 'ul', 'ol', 'li']
+BLEACH_ALLOWED_TAGS = ['svg', 'g', 'polygon', 'path', 'text', 'title', 'img', 'p', 'b', 'i', 'u', 'em', 'strong', 'a', 'hr', 'h1', 'h2', 'h3', 'h4', 'h5', 'pre', 'code', 'blockquote', 'ul', 'ol', 'li']
 
 # Which HTML attributes are allowed
-BLEACH_ALLOWED_ATTRIBUTES = ['href', 'title', 'style', 'alt', 'src', 'width', 'height']
+BLEACH_ALLOWED_ATTRIBUTES = ['href', 'title', 'style', 'alt', 'src', 'width', 'height', 'viewBox', 'id', 'class', 'transform', 'fill', 'stroke', 'points', 'd', 'text-anchor', 'x', 'y', 'font-size', 'font-family', 'font-weight', 'text-decoration', 'font-variant']
 
 # Which CSS properties are allowed in 'style' attributes (assuming
 # style is an allowed attribute)

app/preport/templates/attacktree/attacktree_view.html

@@ -76,7 +76,7 @@ <h3 class="card-title">
                 <div class="card-body">
 
                   <center>
-                    {{ DB_attacktree.svg_file|safe  }}
+                    {{ DB_attacktree.svg_file| safe | bleach }}
                   </center>
 
                 </div>

app/preport/templates/findings/finding_view.html

@@ -195,7 +195,7 @@ <h3 class="card-title">
 
                 </div>
                 <div class="card-body">
-                  {{ finding.description|safe_markdown | bleach }}
+                  {{ finding.description | safe_markdown | bleach }}
                 </div>
               </div>
 
@@ -350,9 +350,9 @@ <h3 class="card-title">
                 </div>
                 <div class="card-body">
                   {% for attacktree in DB_attacktree %}
-                    <p>{{ attacktree.title|safe_markdown | bleach }}</p>
+                    <p>{{ attacktree.title | safe_markdown | bleach }}</p>
                     <center>
-                      <p>{{ attacktree.svg_file|safe }}</p>
+                      <p>{{ attacktree.svg_file|safe| bleach }}</p>
                     </center>
                     <hr>
                   {% endfor %}

app/preport/templates/home/footer.html

@@ -1,6 +1,6 @@
   <footer class="main-footer">
     <div class="float-right d-none d-sm-block">
-      <b>Version</b> 0.6
+      <b>Version</b> 0.7
     </div>
     <strong>Copyright &copy; 2021 <a href="https://github.com/1modm/petereport">PeTeReport</a>.</strong> All rights reserved.
   </footer>

app/preport/templates/tpl/html/html_finding.md

@@ -1,12 +1,14 @@
-## {{finding.title|safe}}
+{% load martortags %}
+{% load bleach_tags %}
+## {{finding.title|safe| bleach}}
 
 <table class="table table-bordered">
 
 <tbody>
 
 <tr>
 <td style="width: 15%">**Severity**</td>
-<td>**<span style="color:#{{color_text_severity}}">{{finding.severity}} </span>**</td>
+<td>**<span style="color:#{{color_text_severity}}">{{finding.severity| bleach}} </span>**</td>
 </tr>
 
 <tr>
@@ -23,40 +25,40 @@
 <td style="width: 15%">**Description**</td>
 <td>
 
-{{finding.description|safe}}
+{{finding.description|safe| bleach}}
 
 </td>
 </tr>
 
 <tr>
 <td style="width: 15%">**Location**</td>
-<td>{{finding.location|safe}}</td>
+<td>{{finding.location|safe| bleach}}</td>
 </tr>
 
 <tr>
 <td style="width: 15%">**Impact**</td>
-<td>{{finding.impact|safe}}</td>
+<td>{{finding.impact|safe| bleach}}</td>
 </tr>
 
 <tr>
 <td style="width: 15%">**Recommendation**</td>
-<td>{{finding.recommendation|safe}}</td>
+<td>{{finding.recommendation|safe| bleach}}</td>
 </tr>
 
 <tr>
 <td style="width: 15%">**References**</td>
-<td>{{finding.references|safe}}</td>
+<td>{{finding.references|safe| bleach}}</td>
 </tr>
 
 {% if template_appendix_in_finding %}
 <tr>
-{{template_appendix_in_finding|safe}}
+{{template_appendix_in_finding|safe| bleach}}
 </tr> 
 {% endif %}
 
 {% if template_attacktree_in_finding %}
 <tr>
-{{template_attacktree_in_finding|safe}}
+{{template_attacktree_in_finding|safe| bleach}}
 </tr> 
 {% endif %}
 

app/preport/templates/tpl/html/html_finding_summary.html

@@ -1,5 +1,7 @@
+{% load martortags %}
+{% load bleach_tags %}
 <tr>
   <td style="width: 5%">{{counter_finding}}</td>
-  <td style="width: 80%">{{finding.title|safe}}</td>
-  <td style="width: 15%">**<span style="color:#{{color_text_severity}}">{{finding.severity}} </span>**</td>
+  <td style="width: 80%">{{finding.title|safe| bleach}}</td>
+  <td style="width: 15%">**<span style="color:#{{color_text_severity}}">{{finding.severity|safe| bleach}} </span>**</td>
 </tr>

app/preport/templates/tpl/html/html_report.md

@@ -1,7 +1,9 @@
+{% load martortags %}
+{% load bleach_tags %}
 ---
-title: "{{DB_report_query.title}}"
-product: "{{DB_report_query.product.name}}"
-author: ["{{md_author}}", "Report ID: {{DB_report_query.report_id}}"]
+title: "{{DB_report_query.title|safe| bleach}}"
+product: "{{DB_report_query.product.name|safe| bleach}}"
+author: ["{{md_author}}", "Report ID: {{DB_report_query.report_id|safe| bleach}}"]
 date: "{{report_date}}"
 subject: "{{md_subject}}"
 subtitle: "{{DB_report_query.report_id}}"
@@ -19,11 +21,11 @@ colorlinks: true
 
 ## Description
 
-{{DB_report_query.product.description|safe}}
+{{DB_report_query.product.description|safe| bleach}}
 
 # Executive Summary
 
-{{DB_report_query.executive_summary|safe}}
+{{DB_report_query.executive_summary|safe| bleach}}
 
 ## Summary of Findings Identified
 
@@ -39,19 +41,19 @@ colorlinks: true
 
 ### In Scope
 
-{{DB_report_query.scope|safe}}
+{{DB_report_query.scope|safe| bleach}}
 
 ### Out of Scope
 
-{{DB_report_query.outofscope|safe}}
+{{DB_report_query.outofscope|safe| bleach}}
 
 ## Methodology
 
-{{DB_report_query.methodology|safe}}
+{{DB_report_query.methodology|safe| bleach}}
 
 ## Recommendations
 
-{{DB_report_query.recommendation|safe}}
+{{DB_report_query.recommendation|safe| bleach}}
 
 # Findings and Risk Analysis
 

app/preport/templates/tpl/html/md_appendix.md

@@ -1,3 +1,5 @@
-## {{appendix_in_finding.title}}
+{% load martortags %}
+{% load bleach_tags %}
+## {{appendix_in_finding.title| bleach}}
 
-{{appendix_in_finding.description}}
+{{appendix_in_finding.description| bleach}}

app/preport/templates/tpl/html/md_attacktree.md

@@ -1,5 +1,7 @@
-{{attacktree_in_finding.title}}
+{% load martortags %}
+{% load bleach_tags %}
+{{attacktree_in_finding.title| bleach}}
 
 <center>
-{{attacktree_in_finding.svg_file|safe}}
+{{attacktree_in_finding.svg_file|safe| bleach}}
 </center>

app/preport/views.py

@@ -940,7 +940,7 @@ def reportdownloadpdf(request,pk):
 
     output_pypandoc = pypandoc.convert_text(final_markdown_output, to='pdf', outputfile=pdf_file_output, format='md', extra_args=['-H', PDF_HEADER_FILE, '--from', 'markdown+yaml_metadata_block+raw_html', '--template', PETEREPORT_LATEX_FILE, '--table-of-contents', '--toc-depth', '4', '--number-sections', '--highlight-style', 'breezedark', '--filter', 'pandoc-latex-environment', '--listings'])
     #output_pypandoc = pypandoc.convert_text(final_markdown_output, to='pdf', outputfile=pdf_file_output, format='md', extra_args=['-H', PDF_HEADER_FILE, '--from', 'markdown+yaml_metadata_block+raw_html', '--template', PETEREPORT_LATEX_FILE, '--table-of-contents', '--toc-depth', '4', '--number-sections', '--highlight-style', 'breezedark', '--filter', 'pandoc-latex-environment', '--listings', '--pdf-engine', 'xelatex'])
-
+    print(output_pypandoc)
 
     if os.path.exists(pdf_file_output):
             with open(pdf_file_output, 'rb') as fh: