
Security fix for possible Cross-site-scripting (XSS) attack

Open shuchu opened this issue 1 year ago • 3 comments

Reference : https://sonarcloud.io/project/security_hotspots?id=shuchu_feast&hotspots=AY9leJjfaz5TZ8maDgoc https://sonarcloud.io/project/security_hotspots?id=shuchu_feast&hotspots=AY9leJk3az5TZ8maDgo8

Specifications

  • Version:
  • Platform:
  • Subsystem:

Possible Solution

Set the autoescape=True in Jinja2 Environment()

shuchu avatar Jul 15 '24 00:07 shuchu

@franciscojavierarceo The change that closed this issue (#4355) was reverted later in #4357. Shouldn't this issue be reopened? I can't find discussion about whether or not it worked or why it was reversed.

jskrzypek avatar Aug 01 '24 14:08 jskrzypek

@jskrzypek yeah, you're right. I'll reopen the issue. The PR broke integration tests, that's why it was reverted. I'm not sure exactly why though, something about escaping special characters. We figured out that this PR was to blame for the failures a little too late, so most of the discussion was in Slack.

tokoko avatar Aug 01 '24 18:08 tokoko
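The following is an added illustration of the fix proposed in the issue body (`autoescape=True` on the Jinja2 `Environment`) and of the side effect tokoko describes above, where the reverted PR broke integration tests on special characters. It is not Feast project code; the template strings and sample values are constructed for this example. The default environment passes a variable through verbatim, so markup in an untrusted value becomes live HTML. With `autoescape=True` every substituted value is entity-encoded, which neutralizes that, but it also rewrites characters such as `'` in templates that produce non-HTML text (a query, for instance), which is the kind of breakage that would surface in integration tests. `Markup()` is the standard way to exempt a fragment the application itself produced.

```python
"""Jinja2 autoescape: the default setting beside the corrected one.

Added example, not Feast project code. Templates and sample values below are
constructed for illustration.
"""
from jinja2 import Environment
from markupsafe import Markup

# A template that places a user-supplied value into HTML (constructed).
HTML_TEMPLATE = "<p>Feature view: {{ name }}</p>"

# A template that produces non-HTML output, e.g. a query string (constructed).
QUERY_TEMPLATE = "SELECT * FROM {{ table }} WHERE owner = '{{ owner }}'"

# Jinja2's default is autoescape=False: the variable's content lands in the
# output unchanged, so markup in an untrusted value is rendered as HTML.
UNSAFE_ENV = Environment(autoescape=False)

# The setting proposed in the issue: autoescape=True. Every substituted value
# has &, <, >, " and ' replaced with HTML entities unless it is marked safe.
SAFE_ENV = Environment(autoescape=True)


def render_html(env: Environment, name: str) -> str:
    """Render the HTML template with an untrusted value."""
    return env.from_string(HTML_TEMPLATE).render(name=name)


def render_query(env: Environment, table: str, owner: str) -> str:
    """Render the non-HTML template. With autoescape=True the apostrophe in a
    value like O'Brien becomes &#39;, which is wrong for a query and is the
    sort of special-character change that breaks tests."""
    return env.from_string(QUERY_TEMPLATE).render(table=table, owner=owner)


def render_trusted_html(env: Environment, fragment: str) -> str:
    """Markup() tells an autoescaping environment that a fragment is already
    safe HTML and must not be escaped again. Use it only for values the
    application itself produced, never for user input."""
    return env.from_string(HTML_TEMPLATE).render(name=Markup(fragment))


if __name__ == "__main__":
    untrusted = "<b>bold</b>"
    print(render_html(UNSAFE_ENV, untrusted))   # markup survives intact
    print(render_html(SAFE_ENV, untrusted))     # markup is entity-encoded
    print(render_query(SAFE_ENV, "driver_stats", "O'Brien"))  # ' -> &#39;
```

Because autoescape applies to every template in the environment, a code base that renders both HTML and non-HTML text from one `Environment` needs either separate environments or `select_autoescape()` keyed on template file extensions, so that only the HTML templates are escaped.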

Thanks! Yeah, I was reading the changelog for 0.40.0 and saw both the fix: Avoid XSS attack... and then down below the Revert "fix: Avoid XSS attack..." so I got curious 😁

jskrzypek avatar Aug 02 '24 14:08 jskrzypek

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Apr 26 '25 04:04 stale[bot]