Cross-Site Scripting Security Vulnerability about skyline HOT 1 CLOSED

Hi @tch1bo

Thanks for the reports. I know there are some holes, thanks for pointing them
out and suggesting flask.escape(resp). That suggestion was much
appreciated!

And just to be clear on the points for anyone happening to stumble onto this.
The XSS and the SQL injections vulnerabilities (#86) are known and stated in the
documentation - https://earthgecko-skyline.readthedocs.io/en/latest/webapp.html?highlight=injection#production-infrastructure

These vulnerabilities are somewhat offset by the implementation of a number of
migitations such as:

• The implementation of basic http auth and a SSL terminated frontend
• Forcing @requires_auth on all the webapp.py endpoints
• Testing the validilty each parameter in the requests

These are not excuses, they are mitigations for known lacks of knowledge in
certain aspects.

In your example, webapp.py will respond with Bad request 400 as fp_id as a
Python type is not instanceof int.

Due to this lack of knowledge on a number of fronts in terms of sorting out XSS
and SQL injection, all request parameter values are tested and further to this
the user of Skyline is somewhat now forced into setting it up with multiple
layers of defence in terms of it's actually deployment. But you cannot always
rely on users to read the documentation and do it properly, so the default
setup makes it hard to configure it open, by default it is configured hard.

Although it would be much better to fix it as well, I do agree :)

I shall draft a release to address the XSS and mull over the SQL #86 as well.

Thanks for the report. I guess we are a ways off deepcode.ai being able to
analyse code, configs and docs in a multivariate manner good enough to interpret
stuff that has an average cyclonic complexity score of about F AND make
sense of it all :) But I do like it :)

from skyline.