From be89ea7098141a0b198d599319c044734b26f4a2 Mon Sep 17 00:00:00 2001
From: a-ruskomaa <48881971+a-ruskomaa@users.noreply.github.com>
Date: Mon, 8 Feb 2021 10:18:14 +0200
Subject: [PATCH 1/4] Set target directory relative to
---
 .gitlab-ci.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index d324eb5..570e877 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -96,7 +96,7 @@ staging:
 image: google/cloud-sdk:alpine
 script:
 - echo $CONFIG_VARS
- - cp $CONFIG_VARS ./config/config.py
+ - cp $CONFIG_VARS ${CI_PROJECT_DIR}/config/config.py
 - echo $SERVICE_ACCOUNT > /tmp/$CI_PIPELINE_ID.json
 - gcloud auth activate-service-account --key-file /tmp/$CI_PIPELINE_ID.json
 - gcloud --quiet --project $PROJECT_ID app deploy app-staging.yaml
@@ -113,7 +113,7 @@ deploy:
 image: google/cloud-sdk:alpine
 script:
 - echo $CONFIG_VARS
- - cp $CONFIG_VARS ./config/config.py
+ - cp $CONFIG_VARS ${CI_PROJECT_DIR}/config/config.py
 - echo $SERVICE_ACCOUNT > /tmp/$CI_PIPELINE_ID.json
 - gcloud auth activate-service-account --key-file /tmp/$CI_PIPELINE_ID.json
 - gcloud --quiet --project $PROJECT_ID app deploy app.yaml
-- 
GitLab
From 481d8361fc3ac9f635a352cae748abb4118bc715 Mon Sep 17 00:00:00 2001
From: a-ruskomaa <48881971+a-ruskomaa@users.noreply.github.com>
Date: Mon, 8 Feb 2021 10:24:06 +0200
Subject: [PATCH 2/4] Add empty config file so the config folder exists on build time
---
 .gitignore | 2 +-
 config/default-config.py | 0
 2 files changed, 1 insertion(+), 1 deletion(-)
 create mode 100644 config/default-config.py
diff --git a/.gitignore b/.gitignore
index 20bca13..2fd3cc3 100644
--- a/.gitignore
+++ b/.gitignore
@@ -141,4 +141,4 @@ package-lock.json
 TODO.txt
-config/
\ No newline at end of file
+config.py
\ No newline at end of file
diff --git a/config/default-config.py b/config/default-config.py
new file mode 100644
index 0000000..e69de29
-- 
GitLab
From d21061fdf92cf2a05028f5f4ea7117b7042611b9 Mon Sep 17 00:00:00 2001
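Review bot: The new `cp` destination in the `staging` hunk is unquoted, so a `CI_PROJECT_DIR` or `CONFIG_VARS` value containing whitespace would be word-split into the wrong arguments; `- cp "$CONFIG_VARS" "${CI_PROJECT_DIR}/config/config.py"` is the robust form. The `deploy` hunk at -113 repeats the same line and wants the same quoting. In both scripts the service-account key is written to `/tmp/$CI_PIPELINE_ID.json` and never removed after `gcloud auth activate-service-account`, so on a persistent runner the credential outlives the job; a trailing `- rm -f /tmp/$CI_PIPELINE_ID.json` (or the same in `after_script`) would limit its lifetime to the deploy.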
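Review bot: Changing `config/` to `config.py` in the `.gitignore` hunk at -141 widens the rule to every file named `config.py` anywhere in the tree while no longer ignoring other files placed in `config/`; the `cp` in `.gitlab-ci.yml` only ever produces `config/config.py`, so the narrower pattern `config/config.py` matches the intent without hiding unrelated modules. Both the removed and the added entry also lack a trailing newline, as the `\ No newline at end of file` markers show, which is worth fixing while the line is being touched.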
From: a-ruskomaa <48881971+a-ruskomaa@users.noreply.github.com>
Date: Mon, 8 Feb 2021 17:47:39 +0200
Subject: [PATCH 3/4] Fix two critical bugs that would allow user to inject arbitrary scripts as hive names.
---
 api/services/datastore.py | 26 ++++++++++++++++++--------
 static/map.js | 10 +++++-----
 2 files changed, 23 insertions(+), 13 deletions(-)
diff --git a/api/services/datastore.py b/api/services/datastore.py
index 8125588..acbb726 100644
--- a/api/services/datastore.py
+++ b/api/services/datastore.py
@@ -1,7 +1,7 @@
 from flask.globals import request
 from flask.helpers import make_response
 from google.cloud import datastore
-from flask import jsonify
+from flask import jsonify, Markup
 import os
 import time
 import logging
@@ -14,7 +14,8 @@ def store_location(data):
 # Try validating the entity
 try:
- validate(data)
+ sanitated_data = _sanitate_data(data)
+ validate(sanitated_data)
 except ValidationError:
 raise
@@ -31,13 +32,13 @@ def store_location(data):
 #Update hive data to entity
 datastore_entity.update({
- 'name': data["name"],
+ 'name': sanitated_data["name"],
 'timestamp': timestamp,
- 'lat': data["lat"],
- 'lng': data["lng"],
- 'person': data["person"],
- 'keeper': data["keeper"],
- 'email': data["email"]
+ 'lat': sanitated_data["lat"],
+ 'lng': sanitated_data["lng"],
+ 'person': sanitated_data["person"],
+ 'keeper': sanitated_data["keeper"],
+ 'email': sanitated_data["email"]
 })
 #Store the info to datastore
@@ -119,6 +120,15 @@ def edit_location(data):
 return entity
+def _sanitate_data(data: dict):
+ data_cp = data.copy()
+
+ for key, value in data_cp.items():
+ if type(value) is str:
+ data_cp[key] = Markup.striptags(value)
+
+ return data_cp
+
 def _get_datastore_client(default_namespace: bool = False):
 """Instantiates a new datastore client.
 The client's namespace is set to match the value
diff --git a/static/map.js b/static/map.js
index 3008313..3c46eca 100644
--- a/static/map.js
+++ b/static/map.js
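Review bot: `Markup` on the new import line is not a Flask class but a re-export of `markupsafe.Markup`, and the re-export has since been removed from Flask 3, so importing it as `from markupsafe import Markup` next to the existing `from flask import jsonify` keeps the module working across Flask upgrades. markupsafe is already a hard dependency of Flask, so this pulls in nothing new.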
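Review bot: `Markup.striptags(value)` in the new `_sanitate_data` calls an instance method through the class with a plain `str` as `self`; it happens to work because striptags is implemented in Python, but the documented form is `data_cp[key] = Markup(value).striptags()`. More importantly, striptags removes tags and then unescapes entities, so the stored value can still contain `<`, `>` and quotes; it normalises input but does not make the value safe to insert as HTML, so the popup rendering in map.js must still escape `name` at output time. `type(value) is str` should be `isinstance(value, str)`, and a docstring such as `"""Return a shallow copy of *data* with HTML tags stripped from every str value; non-str values are left unchanged."""` would state the contract the callers in `store_location` rely on.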
@@ -144,21 +144,21 @@ async function submitSuggestion(name, person, keeper, email) {
 const popup = selectionMarker.getPopup()
 try {
- popup.setContent("Saving the suggested place...")
+ popup.setContent(updatePopupContent("Saving the suggested place..."))
 const response_json = await saveLocation(data)
 const suggestion = response_json
 const addedMarker = saveSuggestion(lat, lng, suggestion)
- popup.setContent("Suggestion saved succesfully!");
+ popup.setContent(updatePopupContent("Suggestion saved succesfully!"))
 addedMarker.bindPopup(popup).openPopup();
 setTimeout(() => {
 addedMarker.closePopup()
- popup.setContent(suggestion.name)
+ popup.setContent(updatePopupContent(suggestion.name))
 }, 3000)
 } catch (error) {
- popup.setContent("Error, please try again!")
+ popup.setContent(updatePopupContent("Error, please try again!"))
 console.log(error)
 }
 }
@@ -211,7 +211,7 @@ async function initializeMarkers() {
 const lat = suggestion.lat
 const lng = suggestion.lng
 const marker = addMarker(lat, lng)
- const popup = L.popup().setContent(suggestion.name)
+ const popup = L.popup().setContent(updatePopupContent(suggestion.name))
 marker.bindPopup(popup)
 });
 } catch (e) {
-- 
GitLab
From 38b4635a65eb6bfbe74422aa3cf659583e1d5a75 Mon Sep 17 00:00:00 2001
From: a-ruskomaa <48881971+a-ruskomaa@users.noreply.github.com>
Date: Mon, 8 Feb 2021 18:27:59 +0200
Subject: [PATCH 4/4] Add debug logging to datastore code
---
 api/services/datastore.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/api/services/datastore.py b/api/services/datastore.py
index acbb726..3dcca02 100644
--- a/api/services/datastore.py
+++ b/api/services/datastore.py
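Review bot: `updatePopupContent` is called on every rewritten `setContent` line in `submitSuggestion` but is not defined anywhere in this patch, and the map.js diffstat (5 insertions, 5 deletions) shows no definition is added, so unless it already exists in map.js or another loaded script each call throws a ReferenceError at runtime. Leaflet's `setContent` treats a string argument as HTML, so the change only neutralises the server-supplied `suggestion.name` if `updatePopupContent` returns a DOM node filled via `textContent` (or an escaped string) rather than the raw string; this needs confirming against its definition. The `initializeMarkers` hunk at -211 has the same dependency. The wrapped literal still reads `succesfully`, and the rewritten lines drop the trailing semicolon that the neighbouring `addedMarker.bindPopup(popup).openPopup();` keeps.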
@@ -142,8 +142,11 @@ def _get_datastore_client(default_namespace: bool = False):
 if os.getenv('GAE_ENV', '').startswith('standard'):
 if default_namespace:
 client = datastore.Client(namespace=None)
+ logging.info(f"Instantiating datastore client with default namespace")
 else:
- datastore.Client(namespace=os.getenv('GAE_SERVICE'))
+ namespace=os.getenv('GAE_SERVICE')
+ datastore.Client(namespace=namespace)
+ logging.info(f"Instantiating datastore client with namespace: {namespace}")
 else:
 # If running on local machine or testing environment
 os.environ["DATASTORE_PROJECT_ID"] = "emulated-project"
-- 
GitLab
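Review bot: In the `else` branch the new `datastore.Client(namespace=namespace)` still discards its result, so `client` is never bound on that path even though the `if default_namespace` branch assigns it; the commit rewrote the line without fixing this, and it should read `client = datastore.Client(namespace=namespace)`. The first added log line is an f-string with no placeholders, and both new calls say "Instantiating" after the client has already been created and pre-format the message where `logging.info("Instantiated datastore client with namespace: %s", namespace)` would defer formatting. `namespace=os.getenv('GAE_SERVICE')` wants spaces around `=` per PEP 8. `_get_datastore_client` starts before and ends after this hunk, so how `client` is used afterwards is not visible here.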