Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

attempted to fix the email injection issue #9139

Closed
wants to merge 3 commits into from
Closed

attempted to fix the email injection issue #9139

wants to merge 3 commits into from

Conversation

ankitdey-marsh
Copy link

@ankitdey-marsh ankitdey-marsh commented Aug 3, 2024
edited by sourcery-ai bot
Loading

Fixes #9120

Short description of what this resolves: Used regex to limit the character set and sanitized the emails.

Changes proposed in this pull request:

  1. Used regular expressions, thus removing unnecessary characters that might be used by attackers for injection to the log file.
  2. Used 'bleach' library to sanitize the emails from cross site attacks.

Checklist

  • I have read the Contribution & Best practices Guide and my PR follows them.
  • [✔️ ] My branch is up-to-date with the Upstream development branch.
  • The unit tests pass locally with my changes
  • I have added tests that prove my fix is effective or that my feature works
  • [✔️ ] I have added necessary documentation (if appropriate)
  • [ ✔️] All the functions created/modified in this PR contain relevant docstrings.

Summary by Sourcery

Fix email injection vulnerability by sanitizing email inputs and limiting character sets. Enhance code with type hints and improve password generation security.

Bug Fixes:

  • Fixed email injection vulnerability by using regular expressions to limit the character set and sanitizing emails with the 'bleach' library.

Enhancements:

  • Added type hints to various functions in the RocketChat class to improve code clarity and type safety.
  • Replaced the use of the 'random' module with the 'secrets' module for generating passwords to enhance security.

@sourcery-ai Sourcery AI
Copy link

sourcery-ai bot commented Aug 3, 2024
edited
Loading

Reviewer's Guide by Sourcery

This pull request addresses the email injection issue by implementing regex-based email validation and sanitization using the 'bleach' library. Additionally, it improves code security and clarity by adding type hints and replacing 'random' with 'secrets' for password generation. Error handling for password generation has also been enhanced.

File-Level Changes

Files Changes
app/api/chat/rocket_chat.py
app/api/auth.py		 Enhanced security by adding type hints, using 'secrets' for password generation, and implementing email validation and sanitization.
Tips
  • Trigger a new Sourcery review by commenting @sourcery-ai review on the pull request.
  • Continue your discussion with Sourcery by replying directly to review comments.
  • You can change your review settings at any time by accessing your dashboard:
    • Enable or disable the Sourcery-generated pull request summary or reviewer's guide;
    • Change the review language;
  • You can always contact us if you have any questions or feedback.

sourcery-ai[bot]
sourcery-ai bot reviewed Aug 3, 2024
View reviewed changes
Copy link

@sourcery-ai sourcery-ai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey @ankitdey-marsh - I've reviewed your changes - here's some feedback:

Overall Comments:

  • Consider adding unit tests to verify the effectiveness of the email validation and sanitization changes.
  • Evaluate the performance impact of using the 'bleach' library for email sanitization, especially if it's applied to all email processing.
Here's what I looked at during the review
  • 🟡 General issues: 1 issue found
  • 🟡 Security: 1 issue found
  • 🟢 Testing: all looks good
  • 🟢 Complexity: all looks good
  • 🟢 Documentation: all looks good
Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment to tell me if it was helpful.

app/api/chat/rocket_chat.py
@@ -328,15 +330,21 @@ def add_in_room_virtual_room(
raise RocketChatException('Error while adding user', response=res)


def generate_pass(size=10, chars=string.ascii_lowercase + string.digits):
return ''.join(random.choice(chars) for _ in range(size))
def generate_pass(size=10, chars=string.digits + string.ascii_letters + string.punctuation)->str:
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚨 suggestion (security): Consider using a more limited set of special characters for password generation

While including punctuation increases password strength, it might cause compatibility issues with some systems. Consider using a subset of special characters that are widely accepted.

Suggested change
def generate_pass(size=10, chars=string.digits + string.ascii_letters + string.punctuation)->str:
def generate_pass(size=10, chars=string.digits + string.ascii_letters + "!@#$%^&*()-_=+")->str:

app/api/auth.py
import re
from bleach import clean

EMAIL_REGEX = r"^[a-zA-Z0-9._-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$"
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

suggestion: Email regex might be too restrictive for some valid email addresses

The current regex doesn't allow for some valid email formats, such as addresses with subdomains or certain allowed special characters. Consider using a more comprehensive regex or a dedicated email validation library.

import email_validator

def validate_email(email):
    try:
        email_validator.validate_email(email)
        return True
    except email_validator.EmailNotValidError:
        return False

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sourcery-ai Sourcery AI sourcery-ai left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Potential Log Injection in file app/api/auth.py
1 participant
@ankitdey-marsh