Fix regular expression check in new panel form (#4843)

* Fix regular expression check in new panel form * Sanitize panel ID before exporting the file * Stricter check of ID of newly created gene panels to prevent file downloading vulnerability * Add again the new pattern in the HTML check * tiny fix in changelog --------- Co-authored-by: Chiara Rasi <rasi.chiara@gmacil.com>
Clinical-Genomics · Sep 12, 2024 · f59e50f · f59e50f
1 parent 679c42e
commit f59e50f
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 2 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -14,6 +14,7 @@ About changelog [here](https://keepachangelog.com/en/1.0.0/)
 ### Fixed
 - Broken heading anchors in the documentation (`admin-guide/login-system.md` and `admin-guide/setup-scout.md` files)
 - Avoid open login redirect attacks by always redirecting to cases page upon user login
+- Stricter check of ID of gene panels to prevent file downloading vulnerability
 
 ## [4.88.1]
 ### Fixed

diff --git a/scout/server/blueprints/panels/controllers.py b/scout/server/blueprints/panels/controllers.py
@@ -1,6 +1,7 @@
 # -*- coding: utf-8 -*-
 import datetime as dt
 import logging
+import re
 
 from flask import flash, redirect
 from flask_login import current_user
@@ -309,9 +310,11 @@ def downloaded_panel_name(panel_obj, format) -> str:
     Returns:
         a string describing the panel
     """
+    sanitized_panel_id = re.sub(r"[^a-zA-Z_\-]+", "", panel_obj["panel_name"])
+
     return "_".join(
         [
-            panel_obj["panel_name"],
+            sanitized_panel_id,
             str(panel_obj["version"]),
             dt.datetime.now().strftime(DATE_DAY_FORMATTER),
             f"scout.{format}",

diff --git a/scout/server/blueprints/panels/templates/panels/panels.html b/scout/server/blueprints/panels/templates/panels/panels.html
@@ -109,7 +109,7 @@
           </div>
           <div class="col-sm-3 text-center">
               <input type="text" name="new_panel_name" class="form-control" placeholder="Panel ID" required
-                pattern="^[a-zA-Z0-9_-]*$" title="Only alphanumeric characters (A-Z+a-z+0-9), hyphens, and underscores allowed.">
+                pattern="[A-Za-z0-9_\-]+" title="Only alphanumeric characters (A-Z+a-z+0-9), hyphens, and underscores allowed.">
             </div>
             <div class="col-sm-4 text-center">
               <input type="text" name="display_name" class="form-control" placeholder="Full name">