
Potential code injection vulnerability in create_pr_description

Open sauravpanda opened this issue 1 year ago • 0 comments

Issue Details

Severity: Critical
Category: Security
File Path: https://github.com/Cloud-Code-AI/kaizen/blob/main//kaizen/helpers/output.py?plain=1#L37

Description

Potential code injection vulnerability in the create_pr_description function

Impact

The create_pr_description function concatenates user-provided input (the desc and original_desc parameters) directly into the output HTML, which could lead to a code injection vulnerability. An attacker could inject malicious Python code into the input, which would then be executed when the HTML is rendered.

Suggestion

Use a templating engine or a dedicated HTML sanitization library to properly escape the user input before including it in the output HTML. This will prevent the injection of malicious code.

Code Sample

NA

Proposed Solution

Replace the string concatenation with a templating engine that automatically escapes user input, or use a library like `html.escape()` to sanitize the input before including it in the output.

✨ Generated with love by Kaizen ❤️

sauravpanda · Aug 21 '24 23:08
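Added example (not code from the kaizen repository and not the reporter's): a hypothetical stand-in for the concatenation pattern the issue describes, beside a hardened version that runs both parameters through `html.escape()` before they are placed in the HTML fragment. The function names `create_pr_description_unsafe` and `create_pr_description_safe`, the markup layout, and the sample `desc` / `original_desc` values are all constructed for the example; the real `create_pr_description` in `kaizen/helpers/output.py` may look different.

```python
import html

# Constructed sample inputs (not taken from the kaizen repository).
# SAMPLE_DESC carries markup that should never reach the page as live tags;
# SAMPLE_ORIGINAL carries quotes and an ampersand that must survive as text.
SAMPLE_DESC = 'Adds retry logic <script>alert("x")</script>'
SAMPLE_ORIGINAL = 'Original: fix "login" & logout flows'


def create_pr_description_unsafe(desc: str, original_desc: str) -> str:
    """Hypothetical stand-in for the pattern the issue describes: caller-supplied
    strings are concatenated straight into an HTML fragment, so any markup in
    them is parsed by the renderer as markup."""
    return (
        "<h2>Summary</h2><p>" + desc + "</p>"
        "<details><summary>Original</summary><p>" + original_desc + "</p></details>"
    )


def create_pr_description_safe(desc: str, original_desc: str) -> str:
    """Hardened form: html.escape() rewrites &, <, > and (with quote=True) both
    quote characters into entity references, so the input is rendered as text
    in element content and cannot open or close tags."""
    safe_desc = html.escape(desc, quote=True)
    safe_original = html.escape(original_desc, quote=True)
    return (
        "<h2>Summary</h2>"
        f"<p>{safe_desc}</p>"
        "<details><summary>Original</summary>"
        f"<p>{safe_original}</p></details>"
    )


def contains_live_tag(fragment: str, tag: str = "<script") -> bool:
    """Check whether a tag from the input survived into the output unescaped.
    Used here to show the difference between the two builders."""
    return tag in fragment


if __name__ == "__main__":
    unsafe = create_pr_description_unsafe(SAMPLE_DESC, SAMPLE_ORIGINAL)
    safe = create_pr_description_safe(SAMPLE_DESC, SAMPLE_ORIGINAL)
    print("unsafe output keeps live <script>:", contains_live_tag(unsafe))
    print("safe output keeps live <script>:  ", contains_live_tag(safe))
    print(safe)
```

Escaping at the point where text is written into element content is the minimal fix; a templating engine with autoescaping enabled gives the same guarantee for every interpolation without relying on each call site remembering to do it. Note that `html.escape()` covers element content and quoted attribute values only; if the description were ever placed inside a URL, a `<script>` block, or an inline event handler, that context would need its own encoding.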