[Fix] Mitigate XSS attack vector by cleaning input before it hits our Database (#171)

## Changes

- All text input fields are now cleaned with nh3 to remove html tags. We allow certain html tags under `settings.py/ALLOWED_HTML_TAGS` so we can easily update the tags we allow in the future.
- All names and descriptions now use the template tag `nh_safe` in all html files.
- Usernames and emails are a small exception and are not allowed any html tags

Co-authored-by: Liam Brydon <62733830+MyCreativityOutlet@users.noreply.github.com>
Co-authored-by: jebus <lorsbach@envipath.com>
Co-authored-by: Tim Lorsbach <tim@lorsba.ch>
Reviewed-on: enviPath/enviPy#171
Reviewed-by: jebus <lorsbach@envipath.com>
Co-authored-by: liambrydon <lbry121@aucklanduni.ac.nz>
Co-committed-by: liambrydon <lbry121@aucklanduni.ac.nz>

epdb/logic.py

@@ -4,6 +4,7 @@ import json
 from typing import Union, List, Optional, Set, Dict, Any
 from uuid import UUID
 
+import nh3
 from django.contrib.auth import get_user_model
 from django.db import transaction
 from django.conf import settings as s
@@ -185,6 +186,12 @@ class UserManager(object):
     def create_user(
         username, email, password, set_setting=True, add_to_group=True, *args, **kwargs
     ):
+        # Clean for potential XSS
+        clean_username = nh3.clean(username).strip()
+        clean_email = nh3.clean(email).strip()
+        if clean_username != username or clean_email != email:
+            # This will be caught by the try in view.py/register
+            raise ValueError("Invalid username or password")
         # avoid circular import :S
         from .tasks import send_registration_mail
 
@@ -262,8 +269,9 @@ class GroupManager(object):
     @staticmethod
     def create_group(current_user, name, description):
         g = Group()
-        g.name = name
-        g.description = description
+        # Clean for potential XSS
+        g.name = nh3.clean(name, tags=s.ALLOWED_HTML_TAGS).strip()
+        g.description = nh3.clean(description, tags=s.ALLOWED_HTML_TAGS).strip()
         g.owner = current_user
         g.save()
 
@@ -518,8 +526,13 @@ class PackageManager(object):
     @transaction.atomic
     def create_package(current_user, name: str, description: str = None):
         p = Package()
-        p.name = name
-        p.description = description
+
+        # Clean for potential XSS
+        p.name = nh3.clean(name, tags=s.ALLOWED_HTML_TAGS).strip()
+
+        if description is not None and description.strip() != "":
+            p.description = nh3.clean(description.strip(), tags=s.ALLOWED_HTML_TAGS).strip()
+
         p.save()
 
         up = UserPackagePermission()
@@ -1094,28 +1107,29 @@ class SettingManager(object):
         model: EPModel = None,
         model_threshold: float = None,
     ):
-        s = Setting()
-        s.name = name
-        s.description = description
-        s.max_nodes = max_nodes
-        s.max_depth = max_depth
-        s.model = model
-        s.model_threshold = model_threshold
+        new_s = Setting()
+        # Clean for potential XSS
+        new_s.name = nh3.clean(name, tags=s.ALLOWED_HTML_TAGS).strip()
+        new_s.description = nh3.clean(description, tags=s.ALLOWED_HTML_TAGS).strip()
+        new_s.max_nodes = max_nodes
+        new_s.max_depth = max_depth
+        new_s.model = model
+        new_s.model_threshold = model_threshold
 
-        s.save()
+        new_s.save()
 
         if rule_packages is not None:
             for r in rule_packages:
-                s.rule_packages.add(r)
-            s.save()
+                new_s.rule_packages.add(r)
+            new_s.save()
 
         usp = UserSettingPermission()
         usp.user = user
-        usp.setting = s
+        usp.setting = new_s
         usp.permission = Permission.ALL[0]
         usp.save()
 
-        return s
+        return new_s
 
     @staticmethod
     def get_default_setting(user: User):
@@ -1542,7 +1556,9 @@ class SPathway(object):
                 if sub.app_domain_assessment is None:
                     if self.prediction_setting.model:
                         if self.prediction_setting.model.app_domain:
-                            app_domain_assessment = self.prediction_setting.model.app_domain.assess(sub.smiles)
+                            app_domain_assessment = self.prediction_setting.model.app_domain.assess(
+                                sub.smiles
+                            )
 
                             if self.persist is not None:
                                 n = self.snode_persist_lookup[sub]
@@ -1574,7 +1590,9 @@ class SPathway(object):
                                     app_domain_assessment = None
                                     if self.prediction_setting.model:
                                         if self.prediction_setting.model.app_domain:
-                                            app_domain_assessment = (self.prediction_setting.model.app_domain.assess(c))
+                                            app_domain_assessment = (
+                                                self.prediction_setting.model.app_domain.assess(c)
+                                            )
 
                                     self.smiles_to_node[c] = SNode(
                                         c, sub.depth + 1, app_domain_assessment