moved cleaning to create where possible. Changed nh_safe to safe as we assume everything was cleaned in the first place

2025-11-06 09:46:30 +13:00
parent c663eaf7bd
commit 4524b8fdf3
49 changed files with 232 additions and 263 deletions
--- a/epdb/logic.py
+++ b/epdb/logic.py
@ -4,6 +4,7 @@ import json
 from typing import Union, List, Optional, Set, Dict, Any
 from uuid import UUID

+import nh3
 from django.contrib.auth import get_user_model
 from django.db import transaction
 from django.conf import settings as s
@ -184,6 +185,12 @@ class UserManager(object):
    def create_user(
        username, email, password, set_setting=True, add_to_group=True, *args, **kwargs
    ):
+        # Clean for potential XSS
+        clean_username = nh3.clean(username).strip()
+        clean_email = nh3.clean(email).strip()
+        if clean_username != username or clean_email != email:
+            # This will be caught by the try in view.py/register
+            raise ValueError("Invalid username or password")
        # avoid circular import :S
        from .tasks import send_registration_mail

@ -261,8 +268,9 @@ class GroupManager(object):
    @staticmethod
    def create_group(current_user, name, description):
        g = Group()
-        g.name = name
-        g.description = description
+        # Clean for potential XSS
+        g.name = nh3.clean(name, tags=s.ALLOWED_HTML_TAGS).strip()
+        g.description = nh3.clean(description, tags=s.ALLOWED_HTML_TAGS).strip()
        g.owner = current_user
        g.save()

@ -517,8 +525,9 @@ class PackageManager(object):
    @transaction.atomic
    def create_package(current_user, name: str, description: str = None):
        p = Package()
-        p.name = name
-        p.description = description
+        # Clean for potential XSS
+        p.name = nh3.clean(name, tags=s.ALLOWED_HTML_TAGS).strip()
+        p.description = nh3.clean(description, tags=s.ALLOWED_HTML_TAGS).strip()
        p.save()

        up = UserPackagePermission()
@ -1051,28 +1060,29 @@ class SettingManager(object):
        model: EPModel = None,
        model_threshold: float = None,
    ):
-        s = Setting()
-        s.name = name
-        s.description = description
-        s.max_nodes = max_nodes
-        s.max_depth = max_depth
-        s.model = model
-        s.model_threshold = model_threshold
+        new_s = Setting()
+        # Clean for potential XSS
+        new_s.name = nh3.clean(name, tags=s.ALLOWED_HTML_TAGS).strip()
+        new_s.description = nh3.clean(description, tags=s.ALLOWED_HTML_TAGS).strip()
+        new_s.max_nodes = max_nodes
+        new_s.max_depth = max_depth
+        new_s.model = model
+        new_s.model_threshold = model_threshold

-        s.save()
+        new_s.save()

        if rule_packages is not None:
            for r in rule_packages:
-                s.rule_packages.add(r)
-            s.save()
+                new_s.rule_packages.add(r)
+            new_s.save()

        usp = UserSettingPermission()
        usp.user = user
-        usp.setting = s
+        usp.setting = new_s
        usp.permission = Permission.ALL[0]
        usp.save()

-        return s
+        return new_s

    @staticmethod
    def get_default_setting(user: User):