Fix conclict

backend/core/models.py

@@ -135,6 +135,10 @@ def store_library_content(
             return None  # We do not store the library if its hash checksum is in the database.
         try:
             library_data = yaml.safe_load(library_content)
+            if not isinstance(library_data, dict):
+                raise yaml.YAMLError(
+                    f"The YAML content must be a dictionary but it's been interpreted as a {type(library_data).__name__} !"
+                )
         except yaml.YAMLError as e:
             logger.error("Error while loading library content", error=e)
             raise e

backend/core/serializers.py

@@ -1,6 +1,7 @@
 from typing import Any
 from ciso_assistant.settings import EMAIL_HOST, EMAIL_HOST_RESCUE
 
+
 from core.models import *
 from iam.models import *
 
@@ -10,7 +11,7 @@
 from django.db import models
 from core.serializer_fields import FieldsRelatedField
 
-import structlog
+import structlog, bleach
 
 logger = structlog.get_logger(__name__)
 
@@ -52,6 +53,14 @@ def create(self, validated_data: Any):
             logger.error(e)
             raise serializers.ValidationError(e.args[0])
 
+    def validate_name(self, value):
+        clean_value = bleach.clean(value, tags=[], attributes={})
+        if clean_value != value:
+            raise serializers.ValidationError(
+                "The name must not contain characters from HTML tags or attributes."
+            )
+        return value
+
     class Meta:
         model: models.Model
 

backend/library/management/commands/storelibraries.py

@@ -25,12 +25,13 @@ def handle(self, *args, **options):
             library_files = [path]
         for fname in library_files:
             # logger.info("Begin library file storage", filename=fname)
-            library = StoredLibrary.store_library_file(fname, True)
-            if library:
-                logger.info(
-                    "Successfully stored library",
-                    filename=fname,
-                    library=library,
-                )
-            # else:
-            #     logger.info("Library is up to date", filename=fname)
+            try:
+                library = StoredLibrary.store_library_file(fname, True)
+                if library:
+                    logger.info(
+                        "Successfully stored library",
+                        filename=fname,
+                        library=library,
+                    )
+            except:
+                logger.error("Invalid library file", filename=fname)

backend/library/views.py

@@ -181,7 +181,7 @@ def upload_library(self, request):
                 json.dumps({"error": "libraryAlreadyLoadedError"}),
                 status=HTTP_400_BAD_REQUEST,
             )
-        except yaml.YAMLError:
+        except:
             return HttpResponse(
                 json.dumps({"error": "invalidLibraryFileError"}),
                 status=HTTP_400_BAD_REQUEST,

backend/requirements.txt

@@ -19,3 +19,4 @@ python-dotenv==1.0.1
 drf-spectacular==0.27.2
 django-rest-knox==4.2.0
 pre-commit==3.7.0
+bleach==6.1.0

frontend/messages/de.json

@@ -481,7 +481,7 @@
 	"passwordSuccessfullySetWelcome": "Ihr Passwort wurde erfolgreich festgelegt. Willkommen bei CISO Assistant!",
 	"waitBeforeRequestingResetLink": "Warten Sie {timing} Sekunden, bevor Sie einen neuen Zurücksetzungslink anfordern",
 	"resetLinkSent": "Die Anfrage wurde erhalten, Sie sollten einen Zurücksetzungslink an die folgende Adresse erhalten: {email}",
-	"riskAcceptanceStateDoesntAllowEdit": "Der Status der Risikoakzeptanz: {riskAcceptance} erlaubt keine Bearbeitung",
+	"riskAcceptanceStateDoesntAllowEdit": "Der Status der Risikoakzeptanz erlaubt keine Bearbeitung",
 	"associatedRequirements": "Zugehörige Anforderungen",
 	"isPublished": "Ist veröffentlicht",
 	"suggestedReferenceControls": "Vorgeschlagene Referenzkontrollen",

frontend/messages/en.json

@@ -487,7 +487,7 @@
 	"passwordSuccessfullySetWelcome": "Your password has been successfully set. Welcome to CISO Assistant!",
 	"waitBeforeRequestingResetLink": "Please wait {timing}sec before requesting a new reset link",
 	"resetLinkSent": "The request has been received, you should receive a reset link at the following address: {email}",
-	"riskAcceptanceStateDoesntAllowEdit": "The state of risk acceptance: {riskAcceptance} doesn't allow it to be edited",
+	"riskAcceptanceStateDoesntAllowEdit": "The state of risk acceptance doesn't allow it to be edited",
 	"associatedRequirements": "Associated requirements",
 	"isPublished": "Is published",
 	"suggestedReferenceControls": "Suggested reference controls",

frontend/messages/es.json

@@ -481,7 +481,7 @@
 	"passwordSuccessfullySetWelcome": "Su contraseña se ha establecido con éxito. ¡Bienvenido a CISO Assistant!",
 	"waitBeforeRequestingResetLink": "Espere {timing} segundos antes de solicitar un nuevo enlace de restablecimiento",
 	"resetLinkSent": "Se ha recibido la solicitud, debe recibir un enlace de restablecimiento en la siguiente dirección: {email}",
-	"riskAcceptanceStateDoesntAllowEdit": "El estado de aceptación de riesgos: {riskAcceptance} no permite editarlo",
+	"riskAcceptanceStateDoesntAllowEdit": "El estado de aceptación de riesgos no permite editarlo",
 	"associatedRequirements": "Requisitos asociados",
 	"isPublished": "Está publicado",
 	"suggestedReferenceControls": "Controles de referencia sugeridos",

frontend/messages/fr.json

@@ -487,7 +487,7 @@
 	"passwordSuccessfullySetWelcome": "Votre mot de passe a été défini avec succès. Bienvenue sur CISO Assistant !",
 	"waitBeforeRequestingResetLink": "Veuillez patienter {timing}sec avant de demander un nouveau lien de réinitialisation.",
 	"resetLinkSent": "La demande a été reçue, vous devriez recevoir un lien de réinitialisation à l'adresse suivante : {email}",
-	"riskAcceptanceStateDoesntAllowEdit": "L'état d'acceptation du risque : {riskAcceptance} ne permet pas de le modifier",
+	"riskAcceptanceStateDoesntAllowEdit": "L'état d'acceptation du risque ne permet pas de le modifier",
 	"associatedRequirements": "Exigences associées",
 	"isPublished": "Publié",
 	"suggestedReferenceControls": "Mesures de référence suggérées",

frontend/messages/it.json

@@ -481,7 +481,7 @@
 	"passwordSuccessfullySetWelcome": "La tua password è stata impostata con successo. Benvenuto in CISO Assistant!",
 	"waitBeforeRequestingResetLink": "Attendi {timing} secondi prima di richiedere un nuovo link di reimpostazione",
 	"resetLinkSent": "La richiesta è stata ricevuta, dovresti ricevere un link di reimpostazione al seguente indirizzo: {email}",
-	"riskAcceptanceStateDoesntAllowEdit": "Lo stato di accettazione del rischio: {riskAcceptance} non consente la modifica",
+	"riskAcceptanceStateDoesntAllowEdit": "Lo stato di accettazione del rischio non consente la modifica",
 	"associatedRequirements": "Requisiti associati",
 	"isPublished": "È pubblicato",
 	"suggestedReferenceControls": "Controlli di riferimento suggeriti",

frontend/messages/nl.json

@@ -481,7 +481,7 @@
 	"passwordSuccessfullySetWelcome": "Je wachtwoord is succesvol ingesteld. Welkom bij CISO Assistant!",
 	"waitBeforeRequestingResetLink": "Wacht {timing}sec voordat je een nieuwe resetlink aanvraagt",
 	"resetLinkSent": "Het verzoek is ontvangen, je zou een resetlink moeten ontvangen op het volgende adres: {email}",
-	"riskAcceptanceStateDoesntAllowEdit": "De staat van risicoacceptatie: {riskAcceptance} staat het niet toe om bewerkt te worden",
+	"riskAcceptanceStateDoesntAllowEdit": "De staat van risicoacceptatie staat het niet toe om bewerkt te worden",
 	"associatedRequirements": "Geassocieerde eisen",
 	"isPublished": "Is gepubliceerd",
 	"suggestedReferenceControls": "Voorgestelde referentiecontroles",

frontend/messages/pt.json

@@ -487,7 +487,7 @@
 	"passwordSuccessfullySetWelcome": "Sua senha foi definida com sucesso. Bem-vindo ao CISO Assistant!",
 	"waitBeforeRequestingResetLink": "Aguarde {timing} segundos antes de solicitar um novo link de redefinição",
 	"resetLinkSent": "A solicitação foi recebida, você deve receber um link de redefinição no seguinte endereço: {email}",
-	"riskAcceptanceStateDoesntAllowEdit": "O estado da aceitação de risco: {riskAcceptance} não permite que ele seja editado",
+	"riskAcceptanceStateDoesntAllowEdit": "O estado da aceitação de risco não permite que ele seja editado",
 	"associatedRequirements": "Requisitos associados",
 	"isPublished": "Está publicado",
 	"suggestedReferenceControls": "Controles de referência sugeridos",

frontend/src/lib/utils/helpers.ts

@@ -7,6 +7,19 @@ export function formatStringToDate(inputString: string, locale: string = 'en') {
 	});
 }
 
+export const escapeHTML = (str: string) =>
+	str.replace(
+		/[&<>'"]/g,
+		(tag) =>
+			({
+				'&': '&amp;',
+				'<': '&lt;',
+				'>': '&gt;',
+				"'": '&#39;',
+				'"': '&quot;'
+			}[tag] || tag)
+	);
+
 export const isURL = (url: string) => {
 	try {
 		new URL(url);

frontend/src/routes/(app)/[model=urlmodel]/[id=uuid]/edit/+layout.server.ts

@@ -30,7 +30,7 @@ export const load: LayoutServerLoad = async (event) => {
 			setFlash(
 				{
 					type: 'error',
-					message: m.riskAcceptanceStateDoesntAllowEdit({ riskAcceptance: riskAcceptance.name })
+					message: m.riskAcceptanceStateDoesntAllowEdit()
 				},
 				event
 			);

frontend/src/routes/(app)/libraries/+page.server.ts

@@ -103,6 +103,7 @@ export const actions: Actions = {
 					translate_error ?? m.libraryLoadingError() + '(' + response.error + ')';
 
 				setFlash({ type: 'error', message: toast_error_message }, event);
+				delete form.data['file']; // This removes a warning: Cannot stringify arbitrary non-POJOs (data..form.data.file)
 				return fail(400, { form });
 			}
 			setFlash({ type: 'success', message: m.librarySuccessfullyLoaded() }, event);

frontend/src/routes/(app)/libraries/[id=urn]/+page.server.ts

@@ -32,7 +32,7 @@ export const actions: Actions = {
 			setFlash(
 				{
 					type: 'error',
-					message: localItems(languageTag())[resText]
+					message: localItems()[resText]
 				},
 				event
 			);