-
-
Notifications
You must be signed in to change notification settings - Fork 760
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[BUG] "&" gets translated to "&" when creating new company #3500
Comments
@eeintech this is a security measure to protect against CSRF/XSS as the symbol can be used in a scripting context. I am afraid it will have to stay that way as changing it would make us vulnerable again. |
Also please add the version information to all bug reports. The demo is a moving target |
I see... not ideal, some company names are using this symbol (and maybe others). I don't understand how would it make our instances vulnerable for this kind of attack as most (I hope all) are behind firewalls/VPN, can you explain? A work around would be to display |
@eeintech I get the frustration, the current solution is not ideal, but is a compromise to prevent a malicious user from inserting XSS attack into another users browser. Data gets sanitized on the server and then again when rendering. This double sanitization step makes the "chain of data" something like:
There is probably something that can be done about this, would require a bit of a deep dive to understand all the edge cases. There are multiple places where data gets rendered (in different ways):
Each would need separate consideration. |
@matmair I can see the appeal of keeping data "as entered" by the user wherever possible. Having e.g. I think we should look at augmenting our
Interesting thread: mozilla/bleach#192 |
@SchrodingersGat Thanks for looking into this. What about pre-existing names in Can company added through Admin section be allowed to carry this symbol? |
I would imagine that (if we can work out a fix here) it would only apply to new fields. Any instances of invalid characters would need to be manually updated.
Yes, you can adjust it this way. However it will display incorrectly if you ever edit the company again. |
Useful reference: https://benhoyt.com/writings/dont-sanitize-do-escape/ |
This article makes a lot of sense, I would vote to rethink the strategy of sanitizing as it compromises the database data with removing or replacing special chars. Again InvenTree instances are not public facing and I trust the people I work with, I don't see how this solve any security breach if the breach doesn't exist in the first place. |
We run a lot of the user input straight into sql queries (through all the Django ORM but the endresult is the same). I discovered this when I reviewed some of the more common attack surfaces.
That is not the case. If you know how to it takes only a few minutes. The hardcoded identifier in the base /api path does not help with that
This is not how modern security works and I hope whoever runs IT/OT sec at your workplace does not think like that. There are always Joiner / Mover in an org that are not really checked. One malicous data entry later you have a permantent shell in the network. Depending on the setup possibly even in the managment plane. The other solution is the just remove the second and third sanitzion layers by marking the strings as safe and adding validations to charfields that stop user from inputting data that will be sanitzied. That is more work but cleaner. |
I am a user willing to live with that, what are my options? All my half-baked arguments before are meant to show that I care about conserving the special chars/symbols and am willing to put our security to risk (this is my own choice and I will not hold InvenTree team responsible for that). Thanks. |
I am not going to give instruction on how to break essential security measures but maybe some else is willing to. |
We are not devs willing to support that ;) |
@eeintech dont get me wrong, we will find a way to support your case. It will just not be by breaking security. |
Great to hear. Btw this is not "my case" but I imagine applies to many users (most of them probably haven't noticed yet), I got word of this in Ki-nTree actions else I would not have stumbled on this anytime soon.
I do not understand enough about security to argue, but data integrity is more dear to me than security as I'm an optimistic and believe in people, at least the ones I work with (as we are a tiny company). I know it might be hard to grasp when sitting on the other side...
As long as you're not devs willing to compromise the integrity of our databases, I'm fine with that! |
The database integrity is fine - there are just additional input rules. |
How is the data integrity fine if you start replacing special chars |
On my side #3503 fixes it |
Please verify that this bug has NOT been raised before.
Describe the bug*
See title
Steps to Reproduce
Expected behavior
"&" should stay as-is
Deployment Method
Version Information
InvenTree-Version: 0.9.0 dev
Django Version: 3.2.15
Commit Hash: 964d674
Commit Date: 2022-08-08
Database: postgresql
Debug-Mode: False
Deployed using Docker: True
Active plugins: False
Relevant log output
No response
The text was updated successfully, but these errors were encountered: