Update Security.

2025-06-06 03:04:37 +02:00 · 2025-06-06 03:04:37 +02:00 · 1a034041ab
commit 1a034041ab
parent c60f9ff4d3
3 changed files with 25 additions and 3 deletions
--- a/src/snek/app.py
+++ b/src/snek/app.py
@ -62,6 +62,7 @@ from snek.webdav import WebdavApplication
 from snek.system.template import sanitize_html
 from snek.sgit import GitApplication
 SESSION_KEY = b"c79a0c5fda4b424189c427d28c9f7c34"
+from snek.system.template import whitelist_attributes


@web.middleware
@ -285,9 +286,9 @@ class Application(BaseApplication):
    
    async def handle_test(self, request):

-        return await self.render_template(
+        return await whitelist_attributes(self.render_template(
            "test.html", request, context={"name": "retoor"}
-        )
+        ))

    async def handle_http_get(self, request: web.Request):
        url = request.query.get("url")
@ -359,6 +360,8 @@ class Application(BaseApplication):

        self.jinja2_env.loader = self.original_loader
        
+        #rendered.text = whitelist_attributes(rendered.text)
+        #rendered.headers['Content-Lenght'] = len(rendered.text)
        return rendered


--- a/src/snek/service/channel_message.py
+++ b/src/snek/service/channel_message.py
@ -1,4 +1,5 @@
 from snek.system.service import BaseService
+from snek.system.template import whitelist_attributes


 class ChannelMessageService(BaseService):
@ -28,6 +29,7 @@ class ChannelMessageService(BaseService):
        try:
            template = self.app.jinja2_env.get_template("message.html")
            model["html"] = template.render(**context)
+            model["html"] = whitelist_attributes(model["html"])
        except Exception as ex:
            print(ex, flush=True)

--- a/src/snek/system/template.py
+++ b/src/snek/system/template.py
@ -121,6 +121,23 @@ def set_link_target_blank(text):
    
    return str(soup)

+SAFE_ATTRIBUTES = {
+    'href', 'src', 'alt', 'title', 'width', 'height', 'style', 'id', 'class', 
+    'rel', 'type', 'name', 'value', 'placeholder', 'aria-hidden', 'aria-label', 'srcset'
+}
+
+def whitelist_attributes(html):
+    soup = BeautifulSoup(html, 'html.parser')
+
+    for tag in soup.find_all():
+        if isinstance(tag, Tag):
+            attrs = dict(tag.attrs)
+            for attr in list(attrs):
+                # Check if attribute is in the safe list or is a data-* attribute
+                if not (attr in SAFE_ATTRIBUTES or attr.startswith('data-')):
+                    del tag.attrs[attr]
+    return str(soup)
+

 def embed_youtube(text):
    soup = BeautifulSoup(text, "html.parser")