
Fix Security Issues (#542)
* fix security issues
rutujaac authored Sep 12, 2024
1 parent 6d8e590 commit 5bd5a84
Showing 4 changed files with 26 additions and 25 deletions.
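--- a/pebblo/app/pebblo-ui/src/components/applicationList.js
+++ b/pebblo/app/pebblo-ui/src/components/applicationList.js
@@ -52,17 +52,13 @@ export function ApplicationsList(props) {
 function onChange(evt) {
 let filteredData;
 if (evt.target.value) {
-filteredData = tableData?.filter((item) =>
-eval(
-searchField
-?.map((sch) =>
-item[sch]
-?.toLocaleLowerCase()
-?.includes(evt.target.value.toLocaleLowerCase())
-)
-.join(" || ")
-)
-);
+const searchValue = evt.target.value.toLocaleLowerCase();
+filteredData = tableData?.filter((item) => {
+const isMatch = searchField?.some((sch) =>
+item[sch]?.toLocaleLowerCase()?.includes(searchValue)
+);
+return isMatch;
+});
 } else {
 filteredData = tableData;
 }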
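Review bot: The optional chain in `item[sch]?.toLocaleLowerCase()` only guards null/undefined, so a searchable field holding a number or boolean would throw a TypeError inside the filter callback — carried over from the removed eval() version rather than introduced here, and the same pattern is in the matching hunk of snippetDetails.js. If non-string fields are possible (not visible from the hunk), coercing first is safer: `String(item[sch] ?? "").toLocaleLowerCase().includes(searchValue)`. The `isMatch` temporary adds nothing; returning the `some()` result directly reads the same. `onChange` continues past the end of the hunk.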
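--- a/pebblo/app/pebblo-ui/src/components/snippetDetails.js
+++ b/pebblo/app/pebblo-ui/src/components/snippetDetails.js
@@ -106,17 +106,13 @@ export function SnippetDetails(props) {
 function onChange(evt) {
 let filteredData;
 if (evt.target.value) {
-filteredData = snippetList?.filter((item) =>
-eval(
-searchField
-?.map((sch) =>
-item[sch]
-?.toLocaleLowerCase()
-?.includes(evt.target.value.toLocaleLowerCase())
-)
-.join(" || ")
-)
-);
+const searchValue = evt.target.value.toLocaleLowerCase();
+filteredData = snippetList?.filter((item) => {
+const isMatch = searchField?.some((sch) =>
+item[sch]?.toLocaleLowerCase()?.includes(searchValue)
+);
+return isMatch;
+});
 } else {
 filteredData = snippetList;
 }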
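--- a/pebblo/reports/html_to_pdf_generator/report_generator.py
+++ b/pebblo/reports/html_to_pdf_generator/report_generator.py
@@ -48,7 +48,10 @@ def convert_html_to_pdf(data, output_path, template_name, search_path, renderer)
 """Convert HTML Template to PDF by embedding JSON data"""
 try:
 template_loader = jinja2.FileSystemLoader(searchpath=search_path)
-template_env = jinja2.Environment(loader=template_loader)
+# autoescape is set to True to escape html characters to prevent security vulnerabilities
+template_env = jinja2.Environment(
+loader=template_loader, autoescape=jinja2.select_autoescape()
+)
 template = template_env.get_template(template_name)
 current_date = datetime.datetime.now().strftime("%B %d, %Y")
 load_history_items = []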
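Review bot: The comment above the new `jinja2.Environment(...)` call says autoescape is set to True, but `jinja2.select_autoescape()` with no arguments only enables escaping for template names ending in .html/.htm/.xml and defaults to off for any other extension, so the protection silently depends on the `template_name` the caller passes in (not visible here). If every template this function renders is HTML, `autoescape=True` states that intent unconditionally; otherwise reword the comment to `# autoescape is enabled for .html/.htm/.xml templates via select_autoescape(); other extensions are not escaped`. `convert_html_to_pdf` continues past the end of the hunk.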
10 changes: 8 additions & 2 deletions tests/reports/test_report_generator.py
Expand Up @@ -41,9 +41,12 @@ def test_identity_comma_separated(self):
output_str = identity_comma_separated(self.authorizedIdentities)
assert output_str == "demo-user-hr, demo-user-engg"

@patch("jinja2.select_autoescape", return_value=Mock())
@patch("jinja2.Environment", return_value=Mock(get_template=Mock()))
@patch("jinja2.FileSystemLoader")
def test_convert_html_to_pdf(self, mock_filesystem_loader, mock_environment):
def test_convert_html_to_pdf(
self, mock_filesystem_loader, mock_environment, mock_select_autoescape
):
"""Test the convert_html_to_pdf function"""
# Arrange
data = {
Expand All @@ -68,10 +71,13 @@ def test_convert_html_to_pdf(self, mock_filesystem_loader, mock_environment):
convert_html_to_pdf(data, output_path, template_name, search_path, renderer)

# Assert
mock_autoescape = mock_select_autoescape.return_value
mock_environment.autoescape = mock_autoescape
mock_filesystem_loader.assert_called_once_with(searchpath=search_path)
mock_environment.assert_called_once_with(
loader=mock_filesystem_loader.return_value
loader=mock_filesystem_loader.return_value, autoescape=mock_autoescape
)

mock_environment.return_value.get_template.assert_called_once_with(
template_name
)
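Review bot: `mock_environment.autoescape = mock_autoescape` in the second hunk sets an attribute on the mock that nothing reads or asserts, so it can be dropped; the `assert_called_once_with(..., autoescape=mock_autoescape)` below already pins the keyword. Because `jinja2.select_autoescape` is patched, the test no longer checks which extensions get escaped; adding `mock_select_autoescape.assert_called_once_with()` next to the other assertions at least pins that it is called with its defaults. `test_convert_html_to_pdf` starts in the first hunk and the part of its body between the two hunks is outside the page.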
