arsmentis / coldfront
This project forked from ubccr/coldfront
HPC Resource Allocation System
License: GNU General Public License v3.0
Originally mentioned by @dmr-x in context of #4
The Add Publications feature (via search*) trusts the client's POST data from the search-results form. A slightly technically inclined user may change the data (publication title, author, etc.) in the form, and that altered data will simply be trusted and added to the database.
In the worst case, since the doi (or other id) forms part of a URL, this user would be able to change the URL used for the publication, potentially affecting all users in the project or others (admin, staff) that click on it.
doi.org, for example, provides a service that automatically redirects the browser to the publication's target page. A malicious user could create a doi pointing to a malicious page (or exploit an existing doi's target), thereby launching an attack, such as phishing, an XSS-vulnerable page, a browser exploit, etc.
This is admittedly unlikely, and adding a publication to a given project is already gated by user permission.
*NOTE: this is a pre-existing problem, and not a result of the feature in PR #4.
Buggy code snippet: coldfront/coldfront/core/publication/views.py, lines 181 to 203 in f65d239
Estimate to fix: 4 hours
Originally posted by @dmr-x in #4 (comment) - text modified for context
POST /publication/project/{project}/delete-publications/ fails for almost-duplicate publications.
The Delete Publications feature does not make use of guaranteed uniqueness in selecting publications to delete, but rather pulls them by Title and Year.
Additionally, the view showing these publications does not present enough detail to the user to know the difference between them.
Buggy code snippet: coldfront/coldfront/core/publication/views.py, lines 287 to 292 in f65d239
objects.get() implicitly requires 1 result and raises an exception if more match.
Estimate to fix: 6 hours
Originally mentioned by @dmr-x in context of #4
The Add Publications feature (via search*) makes use of python eval() directly on POST data. Use of eval() is often insecure, and use of it on user-controlled input is definitely insecure.
*NOTE: this is a pre-existing problem, and not a result of the feature in PR #4.
Buggy code snippet: coldfront/coldfront/core/publication/views.py, lines 181 to 183 in f65d239
eval(). json.dumps() and json.loads() are probably easiest.
Estimate to fix: 4 hours
*relevant commits: 9c8ae3f
Use of static analysis tools, such as bandit, could easily identify similar issues during development.
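A hardened parser for the search-results POST field, added here as an illustration and not code from coldfront: it replaces eval() with json.loads() (the issue above) and accepts only the publication identifier from the client, so title, author and year cannot be altered in the form (the first issue); the server-side re-fetch of metadata from the identifier is assumed and not shown, and the field names "source" and "unique_id" are assumptions.

```python
import json
import re

# Assumed field names for the serialized entry posted back from the search form.
# Only the identifier is trusted; title/author/year are looked up again on the
# server from that identifier (lookup step assumed, not shown here).
ALLOWED_KEYS = {"source", "unique_id"}
# Only the doi source is listed here; other id sources would be added to this set.
ALLOWED_SOURCES = {"doi"}
# DOI syntax: directory "10.", a 4-9 digit registrant code, "/", then a suffix.
DOI_RE = re.compile(r"^10\.\d{4,9}/\S+$")


def parse_publication_post(raw: str) -> dict:
    """Parse one serialized publication entry from POST data without eval().

    json.loads only accepts JSON literals, so Python expressions or code placed
    in the field are rejected rather than executed. Keys and values are then
    whitelisted, and a doi must look like a doi, not a URL of the client's choosing.
    """
    try:
        data = json.loads(raw)
    except (TypeError, ValueError) as exc:
        raise ValueError("publication field is not valid JSON") from exc
    if not isinstance(data, dict):
        raise ValueError("publication field must be a JSON object")
    unexpected = set(data) - ALLOWED_KEYS
    if unexpected:
        raise ValueError(f"unexpected keys: {sorted(unexpected)}")
    source = data.get("source")
    unique_id = data.get("unique_id")
    if source not in ALLOWED_SOURCES:
        raise ValueError("unknown publication source")
    if not isinstance(unique_id, str):
        raise ValueError("unique_id must be a string")
    if source == "doi" and not DOI_RE.match(unique_id):
        raise ValueError("malformed DOI")
    return {"source": source, "unique_id": unique_id}


def rejects(raw: str) -> bool:
    """True if the parser refuses the posted field (used to check the guards)."""
    try:
        parse_publication_post(raw)
    except ValueError:
        return True
    return False
```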