From 9db0e25097b66bf69b33114f3f196f519fae1663 Mon Sep 17 00:00:00 2001
From: msaf1980 <msaf1980@gmail.com>
Date: Wed, 26 Oct 2022 11:53:24 +0500
Subject: [PATCH 1/2] tests for XSS

---
 webapp/tests/base.py     | 12 ++++++++++++
 webapp/tests/test_xss.py | 42 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 54 insertions(+)
 create mode 100644 webapp/tests/test_xss.py

diff --git a/webapp/tests/base.py b/webapp/tests/base.py
index 3039513cc..512e1e6d3 100644
--- a/webapp/tests/base.py
+++ b/webapp/tests/base.py
@@ -5,3 +5,15 @@
 class TestCase(OriginalTestCase):
     def tearDown(self):
         stop_pools()
+
+    # Assert that a response is unsanitized (for check XSS issues)
+    def assertXSS(self, response, status_code=200, msg_prefix=''):
+        if status_code is not None:
+            self.assertEqual(
+                response.status_code, status_code,
+                msg_prefix + "Couldn't retrieve content: Response code was %d"
+                " (expected %d)" % (response.status_code, status_code)
+            )
+
+        xss = response.content.find(b"<") != -1 or response.content.find(b">") != -1
+        self.assertFalse(xss, msg=msg_prefix+str(response.content))
diff --git a/webapp/tests/test_xss.py b/webapp/tests/test_xss.py
new file mode 100644
index 000000000..7a3a2c9b7
--- /dev/null
+++ b/webapp/tests/test_xss.py
@@ -0,0 +1,42 @@
+import logging
+import sys
+
+try:
+    from django.urls import reverse
+except ImportError:  # Django < 1.10
+    from django.core.urlresolvers import reverse
+
+from .base import TestCase
+
+# Silence logging during tests
+LOGGER = logging.getLogger()
+
+# logging.NullHandler is a python 2.7ism
+if hasattr(logging, "NullHandler"):
+    LOGGER.addHandler(logging.NullHandler())
+
+if sys.version_info[0] >= 3:
+    def resp_text(r):
+        return r.content.decode('utf-8')
+else:
+    def resp_text(r):
+        return r.content
+
+
+class RenderXSSTest(TestCase):
+    def test_render_xss(self):
+        url = reverse('render')
+        xssStr = '<noscript><p title="</noscript><img src=x onerror=alert() onmouseover=alert()>">'
+
+        # Check for issue #2779 and others
+        response = self.client.get(url, {'target': 'test', 'format': 'raw', 'cacheTimeout': xssStr, 'from': xssStr})
+        self.assertXSS(response, status_code=400, msg_prefix='XSS detected: ')
+
+
+class FindXSSTest(TestCase):
+    def test_render_xss(self):
+        url = reverse('metrics_find')
+        xssStr = '<noscript><p title="</noscript><img src=x onerror=alert() onmouseover=alert()>">'
+
+        response = self.client.get(url, {'query': 'test', 'local': xssStr, 'from': xssStr, 'tz': xssStr})
+        self.assertXSS(response, status_code=400, msg_prefix='XSS detected: ')

From 4a77d4324b8f804fe381035079720d78dc1bca03 Mon Sep 17 00:00:00 2001
From: msaf1980 <msaf1980@gmail.com>
Date: Wed, 26 Oct 2022 11:54:00 +0500
Subject: [PATCH 2/2] sanitize error output for prevent XSS issues

---
 webapp/graphite/errors.py | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/webapp/graphite/errors.py b/webapp/graphite/errors.py
index 289541798..144946309 100644
--- a/webapp/graphite/errors.py
+++ b/webapp/graphite/errors.py
@@ -94,6 +94,15 @@ def __str__(self):
         return msg
 
 
+# Replace special characters "&", "<" and ">" to HTML-safe sequences.
+def escape(s):
+    s = s.replace("&", "&amp;")  # Must be done first!
+    s = s.replace("<", "&lt;")
+    s = s.replace(">", "&gt;")
+
+    return s
+
+
 # decorator which turns InputParameterExceptions into Django's HttpResponseBadRequest
 def handleInputParameterError(f):
     def new_f(*args, **kwargs):
@@ -102,6 +111,6 @@ def new_f(*args, **kwargs):
         except InputParameterError as e:
             msgStr = str(e)
             log.warning('%s', msgStr)
-            return HttpResponseBadRequest(msgStr)
+            return HttpResponseBadRequest(escape(msgStr))
 
     return new_f