Sanitize user inputsHEAD master

author: Sam Chudnick <sam@chudnick.com> 2023-06-11 11:19:32 -0400
committer: Sam Chudnick <sam@chudnick.com> 2023-06-11 11:19:32 -0400
commit: ef1d2d29432c0d3a020e8c0c6461faf9de89c822 (patch)
tree: 4575280a5f9a465ebe03573181d4e3f6c52471fc
parent: 386da379df831c5f3a467706c252c56781e473f5 (diff)
2 files changed, 11 insertions, 5 deletions
diff --git a/Dockerfile b/Dockerfile
index e1f4b9a..e267b52 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -12,6 +12,8 @@ RUN apt update -y && apt install -y \
  python3-flaskext.wtf \
  python3-requests \
  python3-wtforms \
+  python3-bleach \
+  python3-urllib3 \
  && apt clean \
  && rm -rf /var/cache/apt
diff --git a/src/app.py b/src/app.py
index 0560ea9..c51ed99 100644
--- a/src/app.py
+++ b/src/app.py
@@ -7,6 +7,8 @@ import pytz
 import flask
 import library
 import forms
+import bleach
+import urllib.parse
 app = flask.Flask(__name__)
 app.config['SECRET_KEY'] = "JAnmklasd39u2mnwim"
@@ -26,7 +28,7 @@ def check_submission(location, form):
 def index():
    form = forms.WeatherForm()
    if form.validate_on_submit():
-        location = form.location.data
+        location = bleach.clean(form.location.data)
        return check_submission(location, form)
    else:
        return flask.render_template("index.html", form=form)
@@ -34,7 +36,8 @@ def index():
 @ app.route('/weather', methods=('GET', 'POST'))
 def weather():
-    location = flask.request.args.get('location')
+    location = urllib.parse.quote_plus(
+        bleach.clean(flask.request.args.get('location', type=str)))
    latitude = flask.request.args.get('latitude', type=str)
    longitude = flask.request.args.get('longitude', type=str)
    data = library.get_data(latitude, longitude)
@@ -50,7 +53,7 @@ def weather():
        location_data = requests.get(url, headers=headers).json()["results"][0]
    if form.validate_on_submit():
-        location = form.location.data
+        location = urllib.parse.quote_plus(bleach.clean(form.location.data))
        return check_submission(location, form=form)
    else:
        return flask.render_template("weather.html", data=data, form=form, weather_codes=library.weather_codes, datetime=datetime,
@@ -60,7 +63,8 @@ def weather():
 @ app.route('/location', methods=('GET', 'POST'))
 def location():
-    location = flask.request.args.get('location', type=str)
+    location = urllib.parse.quote_plus(bleach.clean(
+        flask.request.args.get('location', type=str)))
    url = f"https://geocoding-api.open-meteo.com/v1/search?name={location}&count=10&language=en&format=json"
    headers = {"User-Agent": "pywttr 0.1"}
    data = requests.get(url, headers=headers).json()
@@ -79,7 +83,7 @@ def location():
    form.location.choices = choices
    form.location.default = choices[0]
    if form.is_submitted():
-        index = int(form.location.data)
+        index = int(bleach.clean(form.location.data))
        location_data = data["results"][index]
        latitude = location_data["latitude"]
        longitude = location_data["longitude"]
author	Sam Chudnick <sam@chudnick.com>	2023-06-11 11:19:32 -0400
committer	Sam Chudnick <sam@chudnick.com>	2023-06-11 11:19:32 -0400
commit	ef1d2d29432c0d3a020e8c0c6461faf9de89c822 (patch)
tree	4575280a5f9a465ebe03573181d4e3f6c52471fc
parent	386da379df831c5f3a467706c252c56781e473f5 (diff)