Sanitized missing places

This commit is contained in:
Adrià Casajús 2022-03-29 18:03:18 +02:00
parent 8963a92f30
commit e91fd26964
No known key found for this signature in database
GPG key ID: F0033226A5AFC9B9
6 changed files with 13 additions and 9 deletions


@ -23,6 +23,7 @@ from app.db import Session
from app.extensions import limiter from app.extensions import limiter
from app.log import LOG from app.log import LOG
from app.models import User, Fido, MfaBrowser from app.models import User, Fido, MfaBrowser
from app.utils import sanitize_next_url
class FidoTokenForm(FlaskForm): class FidoTokenForm(FlaskForm):
@ -54,7 +55,7 @@ def fido():
auto_activate = True auto_activate = True
fido_token_form = FidoTokenForm() fido_token_form = FidoTokenForm()
next_url = request.args.get("next") next_url = sanitize_next_url(request.args.get("next"))
if request.cookies.get("mfa"): if request.cookies.get("mfa"):
browser = MfaBrowser.get_by(token=request.cookies.get("mfa")) browser = MfaBrowser.get_by(token=request.cookies.get("mfa"))
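Review bot: `sanitize_next_url` is called here with the raw result of `request.args.get("next")`, which is None whenever the parameter is absent, and the same shape is repeated in mfa(), recovery_route(), enter_sudo() and github_login(), while github_callback() alone keeps an `... if request.args else None` guard around the call. Either the helper accepts None, in which case the guard in github_callback is redundant and that line can become `next_url = sanitize_next_url(request.args.get("next"))` for consistency, or it does not, in which case every other call site in this commit raises on a bare request without `?next=`. I can't see the helper from this diff; a one-line docstring on it stating that None is passed through unchanged would settle the question. Once confirmed, a comment at this assignment such as `# absent or rejected next targets both fall back to the default post-login page` would document the expected fallback. fido() continues outside the hunk.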


@ -7,7 +7,7 @@ from app.config import GITHUB_CLIENT_ID, GITHUB_CLIENT_SECRET, URL
from app.db import Session from app.db import Session
from app.log import LOG from app.log import LOG
from app.models import User, SocialAuth from app.models import User, SocialAuth
from app.utils import encode_url, sanitize_email from app.utils import encode_url, sanitize_email, sanitize_next_url
_authorization_base_url = "https://github.com/login/oauth/authorize" _authorization_base_url = "https://github.com/login/oauth/authorize"
_token_url = "https://github.com/login/oauth/access_token" _token_url = "https://github.com/login/oauth/access_token"
@ -19,7 +19,7 @@ _redirect_uri = URL + "/auth/github/callback"
@auth_bp.route("/github/login") @auth_bp.route("/github/login")
def github_login(): def github_login():
next_url = request.args.get("next") next_url = sanitize_next_url(request.args.get("next"))
if next_url: if next_url:
redirect_uri = _redirect_uri + "?next=" + encode_url(next_url) redirect_uri = _redirect_uri + "?next=" + encode_url(next_url)
else: else:
@ -97,6 +97,6 @@ def github_callback():
Session.commit() Session.commit()
# The activation link contains the original page, for ex authorize page # The activation link contains the original page, for ex authorize page
next_url = request.args.get("next") if request.args else None next_url = sanitize_next_url(request.args.get("next")) if request.args else None
return after_login(user, next_url) return after_login(user, next_url)


@ -19,6 +19,7 @@ from app.db import Session
from app.email_utils import send_invalid_totp_login_email from app.email_utils import send_invalid_totp_login_email
from app.extensions import limiter from app.extensions import limiter
from app.models import User, MfaBrowser from app.models import User, MfaBrowser
from app.utils import sanitize_next_url
class OtpTokenForm(FlaskForm): class OtpTokenForm(FlaskForm):
@ -48,7 +49,7 @@ def mfa():
return redirect(url_for("auth.login")) return redirect(url_for("auth.login"))
otp_token_form = OtpTokenForm() otp_token_form = OtpTokenForm()
next_url = request.args.get("next") next_url = sanitize_next_url(request.args.get("next"))
if request.cookies.get("mfa"): if request.cookies.get("mfa"):
browser = MfaBrowser.get_by(token=request.cookies.get("mfa")) browser = MfaBrowser.get_by(token=request.cookies.get("mfa"))


@ -11,6 +11,7 @@ from app.email_utils import send_invalid_totp_login_email
from app.extensions import limiter from app.extensions import limiter
from app.log import LOG from app.log import LOG
from app.models import User, RecoveryCode from app.models import User, RecoveryCode
from app.utils import sanitize_next_url
class RecoveryForm(FlaskForm): class RecoveryForm(FlaskForm):
@ -37,7 +38,7 @@ def recovery_route():
return redirect(url_for("auth.login")) return redirect(url_for("auth.login"))
recovery_form = RecoveryForm() recovery_form = RecoveryForm()
next_url = request.args.get("next") next_url = sanitize_next_url(request.args.get("next"))
if recovery_form.validate_on_submit(): if recovery_form.validate_on_submit():
code = recovery_form.code.data code = recovery_form.code.data


@ -8,6 +8,7 @@ from wtforms import PasswordField, validators
from app.dashboard.base import dashboard_bp from app.dashboard.base import dashboard_bp
from app.log import LOG from app.log import LOG
from app.utils import sanitize_next_url
_SUDO_GAP = 900 _SUDO_GAP = 900
@ -28,7 +29,7 @@ def enter_sudo():
session["sudo_time"] = int(time()) session["sudo_time"] = int(time())
# User comes to sudo page from another page # User comes to sudo page from another page
next_url = request.args.get("next") next_url = sanitize_next_url(request.args.get("next"))
if next_url: if next_url:
LOG.d("redirect user to %s", next_url) LOG.d("redirect user to %s", next_url)
return redirect(next_url) return redirect(next_url)


@ -30,7 +30,7 @@ from app.oauth_models import (
SUPPORTED_OPENID_FLOWS_STR, SUPPORTED_OPENID_FLOWS_STR,
response_types_to_str, response_types_to_str,
) )
from app.utils import random_string, encode_url from app.utils import random_string, encode_url, sanitize_next_url
@oauth_bp.route("/authorize", methods=["GET", "POST"]) @oauth_bp.route("/authorize", methods=["GET", "POST"])
@ -45,7 +45,7 @@ def authorize():
oauth_client_id = request.args.get("client_id") oauth_client_id = request.args.get("client_id")
state = request.args.get("state") state = request.args.get("state")
scope = request.args.get("scope") scope = request.args.get("scope")
redirect_uri = request.args.get("redirect_uri") redirect_uri = sanitize_next_url(request.args.get("redirect_uri"))
response_mode = request.args.get("response_mode") response_mode = request.args.get("response_mode")
nonce = request.args.get("nonce") nonce = request.args.get("nonce")
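Review bot: Applying `sanitize_next_url` to the OAuth `redirect_uri` on the changed line in authorize() is the wrong check for this parameter: an authorization endpoint's redirect_uri is normally an absolute URL owned by the client, so if the helper admits only relative or same-site targets it will reject every third-party client, and if it admits absolute URLs it adds nothing against an authorization code or token being delivered to a host the client never registered. The validation this parameter needs is an exact match of the supplied value against the client's registered redirect URIs, which authorize() may already perform further down; the function continues past the hunk, so I can't confirm it from here. If that exact-match check exists, this line should go back to `redirect_uri = request.args.get("redirect_uri")` with a comment `# validated below by exact match against the client's registered redirect URIs`; if it does not, adding that check is the fix rather than a next-URL sanitizer.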