From ef1d2d29432c0d3a020e8c0c6461faf9de89c822 Mon Sep 17 00:00:00 2001
From: Sam Chudnick
Date: Sun, 11 Jun 2023 11:19:32 -0400
Subject: Sanitize user inputs

---
 Dockerfile | 2 ++
 src/app.py | 14 +++++++++-----
 2 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index e1f4b9a..e267b52 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -12,6 +12,8 @@ RUN apt update -y && apt install -y \
     python3-flaskext.wtf \
     python3-requests \
     python3-wtforms \
+    python3-bleach \
+    python3-urllib3 \
     && apt clean \
     && rm -rf /var/cache/apt
diff --git a/src/app.py b/src/app.py
index 0560ea9..c51ed99 100644
--- a/src/app.py
+++ b/src/app.py
@@ -7,6 +7,8 @@ import pytz
 import flask
 import library
 import forms
+import bleach
+import urllib.parse
 
 app = flask.Flask(__name__)
 app.config['SECRET_KEY'] = "JAnmklasd39u2mnwim"
@@ -26,7 +28,7 @@ def check_submission(location, form):
 def index():
     form = forms.WeatherForm()
     if form.validate_on_submit():
-        location = form.location.data
+        location = bleach.clean(form.location.data)
         return check_submission(location, form)
     else:
         return flask.render_template("index.html", form=form)
@@ -34,7 +36,8 @@ def index():
 
 @ app.route('/weather', methods=('GET', 'POST'))
 def weather():
-    location = flask.request.args.get('location')
+    location = urllib.parse.quote_plus(
+        bleach.clean(flask.request.args.get('location', type=str)))
     latitude = flask.request.args.get('latitude', type=str)
     longitude = flask.request.args.get('longitude', type=str)
     data = library.get_data(latitude, longitude)
@@ -50,7 +53,7 @@ def weather():
         location_data = requests.get(url, headers=headers).json()["results"][0]
 
     if form.validate_on_submit():
-        location = form.location.data
+        location = urllib.parse.quote_plus(bleach.clean(form.location.data))
         return check_submission(location, form=form)
     else:
         return flask.render_template("weather.html", data=data, form=form, weather_codes=library.weather_codes, datetime=datetime,
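Review bot: `python3-urllib3` is not the package the new `import urllib.parse` in src/app.py needs — `urllib.parse` ships with the interpreter, while urllib3 is an unrelated third-party HTTP client that python3-requests already pulls in as a dependency. Only `    python3-bleach \` is actually required by this commit; the extra line widens the image's dependency surface for nothing. The apt packages remain unpinned, so which bleach release lands in the image depends on the build date, which matters here because bleach's maintainers have announced the project as deprecated and it will not keep receiving sanitizer fixes.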
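Review bot: `bleach.clean(form.location.data)` HTML-escapes the value rather than validating it, so a place name such as `Trinidad & Tobago` reaches `check_submission` as `Trinidad &amp; Tobago`; Jinja2 autoescaping in `render_template` already neutralises HTML on output, so this layer adds double-encoding rather than protection. If `check_submission` interpolates the value into a request URL (its body is outside the hunk), percent-encoding at that point is what stops a crafted location from appending extra query parameters, and the HTML escaping should be dropped: `location = form.location.data`. A length bound on the field in `forms.WeatherForm` would reject junk before it reaches any backend and is the validation this commit is reaching for.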
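Review bot: `flask.request.args.get('location', type=str)` returns `None` when the parameter is absent, and `bleach.clean(None)` raises TypeError, so a plain `GET /weather` now fails with a 500 where the replaced line tolerated the missing value. Give the lookup a default or reject the request explicitly: `location = urllib.parse.quote_plus(flask.request.args.get('location', default='', type=str))`. The `bleach.clean` step also rewrites `&` to `&amp;` before `quote_plus` encodes it to `%26amp%3B`, so the value is no longer what the user typed; `quote_plus` alone is the encoding a query string needs. `weather()` continues past the end of the hunk, so I cannot see whether the encoded value is later decoded or only displayed.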
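Review bot: `check_submission` now receives a percent-encoded value from this route but an HTML-escaped, unencoded one from `index()` two hunks above (`bleach.clean(form.location.data)` with no `quote_plus`), so the same helper gets two different representations of the same field. Whichever form `check_submission` expects (its body is outside the hunk), one caller is wrong — either this one double-encodes or `index()` passes text that is later interpolated unencoded. Pass `form.location.data` unchanged from both routes and let `check_submission` encode once, ideally through `requests`' `params=` argument rather than f-string interpolation. The context line `requests.get(url, headers=headers).json()["results"][0]` still raises IndexError/KeyError when the geocoder returns no results for a user-controlled query; that predates this commit but is the same class of input problem.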
@@ -60,7 +63,8 @@ def weather():
 
 @ app.route('/location', methods=('GET', 'POST'))
 def location():
-    location = flask.request.args.get('location', type=str)
+    location = urllib.parse.quote_plus(bleach.clean(
+        flask.request.args.get('location', type=str)))
     url = f"https://geocoding-api.open-meteo.com/v1/search?name={location}&count=10&language=en&format=json"
     headers = {"User-Agent": "pywttr 0.1"}
     data = requests.get(url, headers=headers).json()
@@ -79,7 +83,7 @@ def location():
     form.location.choices = choices
     form.location.default = choices[0]
     if form.is_submitted():
-        index = int(form.location.data)
+        index = int(bleach.clean(form.location.data))
         location_data = data["results"][index]
         latitude = location_data["latitude"]
         longitude = location_data["longitude"]
-- 
cgit v1.2.3
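Review bot: Percent-encoding `location` before it is interpolated into `url` is the right fix for a user appending `&count=1000` or another parameter to the geocoding query, but the `bleach.clean` in front of it HTML-escapes first, so `Trinidad & Tobago` goes upstream as `Trinidad+%26amp%3B+Tobago` and cannot match, and a request without `?location=` makes `bleach.clean(None)` raise TypeError (a 500). Let `requests` build the query string from a dict instead; it encodes every value and removes the interpolation entirely. If the rest of `location()` (outside the hunk) relies on `location` already being percent-encoded, keep a separately named encoded copy rather than reusing the raw value.
```python
location = flask.request.args.get('location', default='', type=str)
url = "https://geocoding-api.open-meteo.com/v1/search"
params = {"name": location, "count": 10, "language": "en", "format": "json"}
headers = {"User-Agent": "pywttr 0.1"}
data = requests.get(url, headers=headers, params=params).json()
```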
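Review bot: `bleach.clean` does nothing useful in front of `int()` — an HTML-escaped string still fails `int()` with ValueError and a decimal string passes through untouched — while the two failures that matter are left unhandled: a non-numeric submission raises ValueError (a 500), and an out-of-range or negative integer indexes `data["results"]` with IndexError or silently selects an entry from the end of the list. Parse and range-check the index explicitly and answer bad input with a 400, as below. If `form.location` is a `SelectField` with `coerce=int` (I cannot see `forms`), `validate_on_submit()` would reject values outside `choices` on its own, and the `is_submitted()` call is what bypasses that check. `location()` continues past the end of the hunk.
```python
if form.is_submitted():
    try:
        index = int(form.location.data)
    except (TypeError, ValueError):
        flask.abort(400)
    if not 0 <= index < len(data["results"]):
        flask.abort(400)
    location_data = data["results"][index]
    # … unchanged: latitude/longitude extraction …
```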