From 5bd5a841d8e7c76658e14f83855fa71ed69f350d Mon Sep 17 00:00:00 2001
From: Rutuja Chaudhari <36963955+rutujaac@users.noreply.github.com>
Date: Thu, 12 Sep 2024 18:27:48 +0530
Subject: [PATCH] Fix Security Issues (#542)

* fix security issues
---
 .../src/components/applicationList.js | 18 +++++++-----------
 .../pebblo-ui/src/components/snippetDetails.js | 18 +++++++-----------
 .../html_to_pdf_generator/report_generator.py | 5 ++++-
 tests/reports/test_report_generator.py | 10 ++++++++--
 4 files changed, 26 insertions(+), 25 deletions(-)

diff --git a/pebblo/app/pebblo-ui/src/components/applicationList.js b/pebblo/app/pebblo-ui/src/components/applicationList.js
index 4aa7a7ab..6f4d865f 100644
--- a/pebblo/app/pebblo-ui/src/components/applicationList.js
+++ b/pebblo/app/pebblo-ui/src/components/applicationList.js
@@ -52,17 +52,13 @@ export function ApplicationsList(props) {
 function onChange(evt) {
 let filteredData;
 if (evt.target.value) {
- filteredData = tableData?.filter((item) =>
- eval(
- searchField
- ?.map((sch) =>
- item[sch]
- ?.toLocaleLowerCase()
- ?.includes(evt.target.value.toLocaleLowerCase())
- )
- .join(" || ")
- )
- );
+ const searchValue = evt.target.value.toLocaleLowerCase();
+ filteredData = tableData?.filter((item) => {
+ const isMatch = searchField?.some((sch) =>
+ item[sch]?.toLocaleLowerCase()?.includes(searchValue)
+ );
+ return isMatch;
+ });
 } else {
 filteredData = tableData;
 }
diff --git a/pebblo/app/pebblo-ui/src/components/snippetDetails.js b/pebblo/app/pebblo-ui/src/components/snippetDetails.js
index c69bd33a..e7ced3ee 100644
--- a/pebblo/app/pebblo-ui/src/components/snippetDetails.js
+++ b/pebblo/app/pebblo-ui/src/components/snippetDetails.js
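Review bot: The `isMatch` temporary in the new filter callback adds nothing — the callback can return the `.some()` result directly: `filteredData = tableData?.filter((item) => searchField?.some((sch) => item[sch]?.toLocaleLowerCase()?.includes(searchValue)));`. The snippetDetails.js hunk makes the identical replacement, so both components now carry the same match predicate verbatim; a small shared helper such as `matchesSearch(item, fields, value)` would keep the two from drifting apart. Note also that `searchField?.some(...)` evaluates to `undefined` when `searchField` is unset, in which case the filter drops every row — if that situation can occur, a fallback to the unfiltered list is needed. onChange continues outside the hunk.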
@@ -106,17 +106,13 @@ export function SnippetDetails(props) {
 function onChange(evt) {
 let filteredData;
 if (evt.target.value) {
- filteredData = snippetList?.filter((item) =>
- eval(
- searchField
- ?.map((sch) =>
- item[sch]
- ?.toLocaleLowerCase()
- ?.includes(evt.target.value.toLocaleLowerCase())
- )
- .join(" || ")
- )
- );
+ const searchValue = evt.target.value.toLocaleLowerCase();
+ filteredData = snippetList?.filter((item) => {
+ const isMatch = searchField?.some((sch) =>
+ item[sch]?.toLocaleLowerCase()?.includes(searchValue)
+ );
+ return isMatch;
+ });
 } else {
 filteredData = snippetList;
 }
diff --git a/pebblo/reports/html_to_pdf_generator/report_generator.py b/pebblo/reports/html_to_pdf_generator/report_generator.py
index 45b0caf3..bd570d60 100644
--- a/pebblo/reports/html_to_pdf_generator/report_generator.py
+++ b/pebblo/reports/html_to_pdf_generator/report_generator.py
@@ -48,7 +48,10 @@ def convert_html_to_pdf(data, output_path, template_name, search_path, renderer)
 """Convert HTML Template to PDF by embedding JSON data"""
 try:
 template_loader = jinja2.FileSystemLoader(searchpath=search_path)
- template_env = jinja2.Environment(loader=template_loader)
+ # autoescape is set to True to escape html characters to prevent security vulnerabilities
+ template_env = jinja2.Environment(
+ loader=template_loader, autoescape=jinja2.select_autoescape()
+ )
 template = template_env.get_template(template_name)
 current_date = datetime.datetime.now().strftime("%B %d, %Y")
 load_history_items = []
diff --git a/tests/reports/test_report_generator.py b/tests/reports/test_report_generator.py
index ffe7f6d0..b3df76a6 100644
--- a/tests/reports/test_report_generator.py
+++ b/tests/reports/test_report_generator.py
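Review bot: `jinja2.select_autoescape()` with its default arguments enables escaping only for templates whose name ends in `.html`, `.htm` or `.xml`; for any other `template_name` suffix the environment stays unescaped, while the new comment above the call claims autoescape is simply "set to True". Unless every template passed to convert_html_to_pdf is guaranteed to carry one of those suffixes, pass `autoescape=True` (or `jinja2.select_autoescape(default=True)`) so the escaping does not depend on the caller's file name, and reword the comment to state what is actually configured, e.g. `# Escape HTML in interpolated JSON data so report values cannot inject markup into the rendered page`. convert_html_to_pdf continues outside the hunk.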
@@ -41,9 +41,12 @@ def test_identity_comma_separated(self):
 output_str = identity_comma_separated(self.authorizedIdentities)
 assert output_str == "demo-user-hr, demo-user-engg"
 
+ @patch("jinja2.select_autoescape", return_value=Mock())
 @patch("jinja2.Environment", return_value=Mock(get_template=Mock()))
 @patch("jinja2.FileSystemLoader")
- def test_convert_html_to_pdf(self, mock_filesystem_loader, mock_environment):
+ def test_convert_html_to_pdf(
+ self, mock_filesystem_loader, mock_environment, mock_select_autoescape
+ ):
 """Test the convert_html_to_pdf function"""
 # Arrange
 data = {
@@ -68,10 +71,13 @@ def test_convert_html_to_pdf(self, mock_filesystem_loader, mock_environment):
 convert_html_to_pdf(data, output_path, template_name, search_path, renderer)
 
 # Assert
+ mock_autoescape = mock_select_autoescape.return_value
+ mock_environment.autoescape = mock_autoescape
 mock_filesystem_loader.assert_called_once_with(searchpath=search_path)
 mock_environment.assert_called_once_with(
- loader=mock_filesystem_loader.return_value
+ loader=mock_filesystem_loader.return_value, autoescape=mock_autoescape
 )
+
 mock_environment.return_value.get_template.assert_called_once_with(
 template_name
 )
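Review bot: `mock_environment.autoescape = mock_autoescape` in the second hunk is a dead assignment — it sets an attribute on the patched `Environment` mock that nothing later reads or asserts, so the line should be dropped. With `select_autoescape` itself patched to return a Mock, the test pins only that the keyword is forwarded to `Environment`, not that escaping actually happens; a companion test that renders a small template through a real `jinja2.Environment` configured the same way, with a value containing `<`, and asserts the output contains `&lt;` would guard the fix this commit is making. The added blank line before the `get_template` assertion is fine but unrelated to the change.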