11from django .http .response import HttpResponse , HttpResponseRedirect , HttpResponsePermanentRedirect , JsonResponse , HttpResponseNotFound
22from django .views .generic import RedirectView
33import django .shortcuts
4+ import json
45
56# Not an XSS sink, since the Content-Type is not "text/html"
67# FP reported in https://github.com/github/codeql-python-team/issues/38
@@ -13,6 +14,21 @@ def safe__manual_json_response(request):
1314 json_data = '{"json": "{}"}' .format (request .GET .get ("foo" ))
1415 return HttpResponse (json_data , content_type = "application/json" ) # $HttpResponse mimetype=application/json responseBody=json_data
1516
17+ # reproduction of FP seen here:
18+ # Usage: https://github.com/edx/edx-platform/blob/d70ebe6343a1573c694d6cf68f92c1ad40b73d7d/lms/djangoapps/commerce/api/v0/views.py#L106
19+ # DetailResponse def: https://github.com/edx/edx-platform/blob/d70ebe6343a1573c694d6cf68f92c1ad40b73d7d/lms/djangoapps/commerce/http.py#L9
20+ # JsonResponse def: https://github.com/edx/edx-platform/blob/d70ebe6343a1573c694d6cf68f92c1ad40b73d7d/common/djangoapps/util/json_request.py#L60
21+ class MyJsonResponse (HttpResponse ):
22+ def __init__ (self , data ):
23+ serialized = json .dumps (data ).encode ("utf-8" ) # $ encodeFormat=JSON encodeInput=data encodeOutput=json.dumps(..)
24+ super ().__init__ (serialized , content_type = "application/json" )
25+
26+ # Not an XSS sink, since the Content-Type is not "text/html"
27+ def safe__custom_json_response (request ):
28+ json_data = '{"json": "{}"}' .format (request .GET .get ("foo" ))
29+ return MyJsonResponse (json_data ) # $HttpResponse responseBody=json_data SPURIOUS: mimetype=text/html MISSING: mimetype=application/json
30+
31+
1632# Not an XSS sink, since the Content-Type is not "text/html"
1733def safe__manual_content_type (request ):
1834 return HttpResponse ('<img src="0" onerror="alert(1)">' , content_type = "text/plain" ) # $HttpResponse mimetype=text/plain responseBody='<img src="0" onerror="alert(1)">'