author | 하태준/개발플랫폼팀/L4/ <taejun-ha@users.noreply.github.sec.samsung.net> | 2017-09-19 10:54:00 +0900 |
---|---|---|
committer | GitHub Enterprise <noreply-CODE@samsung.com> | 2017-09-19 10:54:00 +0900 |
commit | 18eca76ee32689b2ab3aeaf4db19b48df24b2205 (patch) | |
tree | 40f8007307e787c8466580a8436c387f0137e98b | |
parent | 2aff3f4a6b71fa4b8c72cb86d376ff22d33f36c7 (diff) | |
parent | 4cc43b234ca1e292865e4b31638cd896c7d11c82 (diff) | |
Merge pull request #12 from cw1-shin/TPE-322
[TPE-322] Fix cross-site scripting issue
-rw-r--r-- | tic/parser/repo_parser.py | 15 | ||||
-rw-r--r-- | tic/utils/misc.py | 15 |
2 files changed, 23 insertions, 7 deletions
diff --git a/tic/parser/repo_parser.py b/tic/parser/repo_parser.py
index 82eedc4..1b68dfa 100644
--- a/tic/parser/repo_parser.py
+++ b/tic/parser/repo_parser.py
@@ -21,6 +21,7 @@ from lxml import etree
 from tic.utils.error import TICError
 from tic.utils.rpmmisc import archPolicies, default_arch, compare_ver
 from tic.utils.log import Logger
+from tic.utils.misc import sanitize_text, sanitize_digit
 from tic.config import configmgr
 # meta pkg
@@ -84,8 +85,9 @@ class RepodataParser(object):
 pkg_id += 1
 pkg_info['name'] = pkg_name
 pkg_info['arch'] = pkg.findtext(tag_dic['arch'])
- pkg_info['summary'] = pkg.findtext(tag_dic['summary'])
 pkg_info['selfChecked'] = False # for web-ui tree
+ pkg_info['summary'] = sanitize_text(pkg.findtext(tag_dic['summary']))
+ pkg_info['description'] = sanitize_text(pkg.findtext(tag_dic['description']))
 # Parsing meta-pkg using meta naming rule
 meta_match = META_PATTERN.search(pkg_info['name'])
 if meta_match is not None:
@@ -123,16 +125,15 @@ class RepodataParser(object):
 pkg_info['profile'] = None
 ver_tag = pkg.find(tag_dic['version'])
- pkg_info['version'] = {'epoch': ver_tag.attrib['epoch'],
- 'ver': ver_tag.attrib['ver'],
- 'rel': ver_tag.attrib['rel']}
+ pkg_info['version'] = {'epoch': sanitize_text(ver_tag.attrib['epoch']),
+ 'ver': sanitize_text(ver_tag.attrib['ver']),
+ 'rel': sanitize_text(ver_tag.attrib['rel'])}
 repo_pkg[pkg_name] = pkg_info['version']
 pkg_info['checksum'] = pkg.findtext(tag_dic['checksum'])
- pkg_info['description'] = pkg.findtext(tag_dic['description'])
 pkg_info['location'] = pkg.find(tag_dic['location']).attrib['href']
 size_tag = pkg.find(tag_dic['size'])
- pkg_info['size'] = size_tag.attrib['package']
- pkg_info['installed'] = size_tag.attrib['installed']
+ pkg_info['size'] = sanitize_digit(size_tag.attrib['package'])
+ pkg_info['installed'] = sanitize_digit(size_tag.attrib['installed'])
 format_tag = pkg.find(tag_dic['format'])
 if format_tag is not None:
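Review bot: The new `pkg_info['summary'] = sanitize_text(pkg.findtext(tag_dic['summary']))` line and the `description` line under it now raise TypeError for a package whose metadata lacks that element, because `findtext` returns None for a missing child and `re.sub` rejects None, whereas the removed lines stored None and carried on. Pass a default so the sanitizer always receives a string, `pkg_info['summary'] = sanitize_text(pkg.findtext(tag_dic['summary'], ''))`, and the same for `description`. Stripping a fixed set of characters at parse time is a denylist (`&` and backtick survive, and legitimate text containing parentheses or slashes is silently altered); HTML-escaping these fields where they are rendered is the control that covers every sink, so this should be treated as defence in depth rather than the only fix. The enclosing method of RepodataParser starts and ends outside the hunk.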
diff --git a/tic/utils/misc.py b/tic/utils/misc.py
index 4270c59..be5259c 100644
--- a/tic/utils/misc.py
+++ b/tic/utils/misc.py
@@ -17,5 +17,20 @@ # - S-Core Co., Ltd
 import time
+import re
+
+
+# XSS Pattern
+SANITIZE_PATTION = re.compile('[<>()\'\"\/]')
 get_timestamp = lambda: int(round(time.time() * 1000))
+
+def sanitize_text(text):
+ return SANITIZE_PATTION.sub('', text)
+
+
+def sanitize_digit(number):
+ if str.isdigit(number):
+ return number
+ return '0'
+
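Review bot: The pattern literal `'[<>()\'\"\/]'` is a non-raw string containing `\/`, an invalid escape sequence that Python warns about at compile time (and may reject in future versions); write it as a raw string, and `sanitize_text` should tolerate None since its callers feed it `findtext` results that are None when the element is absent. The constant name `SANITIZE_PATTION` looks like a misspelling of PATTERN, worth fixing while it has only two callers. In `sanitize_digit`, `str.isdigit(number)` raises TypeError for any non-str input rather than falling through to the `'0'` default; `if isinstance(number, str) and number.isdigit():` makes the fallback actually apply, and a one-line comment noting that the substitution silently replaces malformed sizes would help the next reader. The removal-based approach is a denylist, so a comment should state that the web UI still has to HTML-escape these fields at render time.
```python
# Characters stripped from repository metadata before it reaches the web UI.
# This is a denylist: the rendering layer must still HTML-escape these fields.
SANITIZE_PATTION = re.compile(r'[<>()\'"/]')


def sanitize_text(text):
    """Return *text* with the denylisted characters removed; None becomes ''."""
    if text is None:
        return ''
    return SANITIZE_PATTION.sub('', text)

# … unchanged: sanitize_digit …
```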