Use bleach_allowlist.generally_xss_unsafe

when searching for potentially dangerous files.
kiwitcms · Jun 5, 2023 · 700e9f9 · 700e9f9
1 parent d789f4b
commit 700e9f9
Show file tree

Hide file tree

Showing 5 changed files with 22 additions and 31 deletions.
diff --git a/tcms/kiwi_attachments/tests/test_validators.py b/tcms/kiwi_attachments/tests/test_validators.py
@@ -21,7 +21,8 @@ def test_uploading_svg_with_inline_script_should_fail(self, file_name):
         with open(f"tests/ui/data/{file_name}", "rb") as svg_file:
             b64 = base64.b64encode(svg_file.read()).decode()
 
-            message = str(_("File contains forbidden <script> tag"))
+            tag_name = "script"
+            message = str(_(f"File contains forbidden tag: <{tag_name}>"))
             with self.assertRaisesRegex(Fault, message):
                 self.rpc_client.User.add_attachment("inline_javascript.svg", b64)
 
@@ -34,7 +35,8 @@ def test_uploading_svg_with_forbidden_attributes_should_fail(self, file_name):
         with open(f"tests/ui/data/{file_name}", "rb") as svg_file:
             b64 = base64.b64encode(svg_file.read()).decode()
 
-            message = str(_("File contains forbidden attribute:"))
+            attr_name = "onload"
+            message = str(_(f"File contains forbidden attribute: `{attr_name}`"))
             with self.assertRaisesRegex(Fault, message):
                 self.rpc_client.User.add_attachment("image.svg", b64)
 

diff --git a/tcms/kiwi_attachments/validators.py b/tcms/kiwi_attachments/validators.py
@@ -1,14 +1,19 @@
+from bleach_allowlist import generally_xss_unsafe
 from django.forms import ValidationError
 from django.utils.translation import gettext_lazy as _
 
 
 def deny_uploads_containing_script_tag(uploaded_file):
     for chunk in uploaded_file.chunks(2048):
-        if chunk.lower().find(b"<script") > -1:
-            raise ValidationError(_("File contains forbidden <script> tag"))
+        for tag_name in generally_xss_unsafe:
+            if chunk.lower().find(b"<" + tag_name.encode()) > -1:
+                raise ValidationError(_(f"File contains forbidden tag: <{tag_name}>"))
 
-        if chunk.lower().find(b"onload=") > -1:
-            raise ValidationError(_("File contains forbidden attribute:") + "onload")
+        for attr_name in ("onload",):
+            if chunk.lower().find(attr_name.encode() + b"=") > -1:
+                raise ValidationError(
+                    _(f"File contains forbidden attribute: `{attr_name}`")
+                )
 
 
 def deny_uploads_ending_in_dot_exe(uploaded_file):

diff --git a/tcms/locale/en/LC_MESSAGES/django.po b/tcms/locale/en/LC_MESSAGES/django.po
@@ -476,11 +476,17 @@ msgid ""
 "href=\"%(doc_url)s\">documentation</a> and enable SSL."
 msgstr ""
 
-#: tcms/kiwi_attachments/validators.py:8
-msgid "File contains forbidden <script> tag"
+#: tcms/kiwi_attachments/validators.py:11
+#, python-brace-format
+msgid "File contains forbidden tag: <{tag_name}>"
+msgstr ""
+
+#: tcms/kiwi_attachments/validators.py:15
+#, python-brace-format
+msgid "File contains forbidden attribute: `{attr_name}`"
 msgstr ""
 
-#: tcms/kiwi_attachments/validators.py:12
+#: tcms/kiwi_attachments/validators.py:19
 msgid "Uploading executable files is forbidden"
 msgstr ""
 

diff --git a/tests/ui/data/inline_javascript.svg b/tests/ui/data/inline_javascript.svg
diff --git a/tests/ui/data/inline_javascript_mixed_case.svg b/tests/ui/data/inline_javascript_mixed_case.svg