Innova-AI/dictia-public
3
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

fix(auth): B-2.3 security review fixes — XSS escape + token replay

Browse Source 
Targeted fixes for issues raised by code review on commit 37639a7
(B-2.3 DictIA email rebrand). All fixes verified against the Windows
manual driver: 16/16 tests pass (12 pre-existing + 4 new regression).

Critical:
  - C1 Stored XSS in transactional emails: user.name (validated only on
    Length(max=49), no character class) was rendered raw into the f-string
    HTML body of verification + reset emails. Added html.escape on the
    HTML branch; text body keeps the raw string (no XSS surface). Also
    hardened the fallback chain to ((name or '').strip() or username or
    'utilisateur').strip() so a None/whitespace name never produces
    'Bonjour ,'.
  - C2 Reflected XSS in templates/auth/check_email.html: the email value
    from request.form was concatenated with literal '<strong>' tags then
    fed through | safe, defeating Jinja's autoescape. Split the string so
    template-author HTML stays literal and {{ email }} is autoescaped.
    Used &#160; for NBSP instead of '1&nbsp;heure' | safe (more readable).

Important:
  - I1 Dropped {{ message | safe }} on flash blocks in
    forgot_password.html and reset_password.html (matches check_email.html).
    No XSS today (flashes are static literals) but removes the landmine.
  - I2 Password reset token replay: URLSafeTimedSerializer is stateless,
    so the same valid link could be clicked twice within the 1h window.
    Added a check that user.password_reset_token == token after the user
    lookup — runs before BOTH GET (form render) and POST (password update).
    The existing 'user.password_reset_token = None' on success now
    actually invalidates the token.
  - I5 MIMEText defaults to us-ascii, which Q-encodes accented French
    characters and produces mojibake in some clients. Added explicit
    'utf-8' charset on both text and html parts in _send_email.

New regression tests (tests/test_email_service_dictia.py):
  - test_verification_email_falls_back_when_name_is_whitespace (I4)
  - test_verification_email_handles_unicode_name (I5)
  - test_verification_email_escapes_html_in_user_name (C1)
  - test_check_email_template_escapes_email_in_response (C2)

Out of scope (per review): M1 (already addressed via solid-color
fallback), M2 (datetime.utcnow — pre-existing, separate cleanup),
M3 (Windows test driver — documented in tests file docstring),
M4-M6 (deferred).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Allison
2026-04-27 23:14:11 -04:00
parent 37639a7d09
commit dd270bca9e
6 changed files with 143 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
src/api/auth.py
View File

@@ -677,6 +677,15 @@ def reset_password(token):
flash('Utilisateur introuvable.', 'danger')
return redirect(url_for('auth.forgot_password'))
# Single-use token enforcement: URLSafeTimedSerializer is stateless, so
# without this check a valid token could be replayed within the 1h window.
# We invalidate the token on use by clearing user.password_reset_token, so
# a mismatch here means the token has already been consumed (or never set).
# Applies to BOTH GET (don't render the form) and POST (don't accept reset).
if not user.password_reset_token or user.password_reset_token != token:
flash('Le lien de réinitialisation est invalide ou expiré.', 'danger')
return redirect(url_for('auth.forgot_password'))
if request.method == 'POST':
password = request.form.get('password')
confirm_password = request.form.get('confirm_password')

35
src/services/email.py
View File

@@ -11,6 +11,7 @@ import logging
from email.mime.text import MIMEText
from email.mime.multipart import MIMEMultipart
from datetime import datetime, timedelta
from html import escape as html_escape
from typing import Optional
from itsdangerous import URLSafeTimedSerializer, SignatureExpired, BadSignature
@@ -133,13 +134,13 @@ def _send_email(to_email: str, subject: str, html_body: str, text_body: str = No
msg['From'] = f"{config['from_name']} <{config['from_address']}>"
msg['To'] = to_email
# Add plain text version
# Add plain text version (explicit UTF-8 to prevent Q-encoding mojibake)
if text_body:
part1 = MIMEText(text_body, 'plain')
part1 = MIMEText(text_body, 'plain', 'utf-8')
msg.attach(part1)
# Add HTML version
part2 = MIMEText(html_body, 'html')
# Add HTML version (explicit UTF-8 to prevent Q-encoding mojibake)
part2 = MIMEText(html_body, 'html', 'utf-8')
msg.attach(part2)
# Connect to SMTP server
@@ -309,15 +310,20 @@ def send_verification_email(user) -> bool:
# Build verification URL
verify_url = url_for('auth.verify_email', token=token, _external=True)
# Display name preferred over username; fallback when name is None/empty.
display_name = (getattr(user, 'name', None) or user.username).strip()
# Display name preferred over username; fallback chain handles None/empty
# name AND the schema-improbable case where username is also missing.
# HTML body MUST escape user-controlled name to prevent stored XSS;
# text body uses raw string (plaintext has no XSS surface).
raw_display_name = ((getattr(user, 'name', None) or '').strip() or user.username or 'utilisateur').strip()
display_name_html = html_escape(raw_display_name)
display_name_text = raw_display_name
subject = "Vérifiez votre courriel — DictIA"
content_html = f"""
<h2 style="color: #060d1a; margin: 0 0 24px 0; font-size: 24px; font-weight: 700;">Vérifiez votre adresse courriel</h2>
<p style="color: #374151; margin: 0 0 16px 0; font-size: 16px;">Bonjour {display_name},</p>
<p style="color: #374151; margin: 0 0 16px 0; font-size: 16px;">Bonjour {display_name_html},</p>
<p style="color: #374151; margin: 0 0 24px 0; font-size: 16px;">
Bienvenue chez DictIA. Pour terminer votre inscription et commencer à transcrire, vérifiez votre adresse courriel.
@@ -338,7 +344,7 @@ def send_verification_email(user) -> bool:
</div>
"""
content_text = f"""Bonjour {display_name},
content_text = f"""Bonjour {display_name_text},
Bienvenue chez DictIA. Pour terminer votre inscription et commencer à transcrire, vérifiez votre adresse courriel.
@@ -376,15 +382,20 @@ def send_password_reset_email(user) -> bool:
# Build reset URL
reset_url = url_for('auth.reset_password', token=token, _external=True)
# Display name preferred over username; fallback when name is None/empty.
display_name = (getattr(user, 'name', None) or user.username).strip()
# Display name preferred over username; fallback chain handles None/empty
# name AND the schema-improbable case where username is also missing.
# HTML body MUST escape user-controlled name to prevent stored XSS;
# text body uses raw string (plaintext has no XSS surface).
raw_display_name = ((getattr(user, 'name', None) or '').strip() or user.username or 'utilisateur').strip()
display_name_html = html_escape(raw_display_name)
display_name_text = raw_display_name
subject = "Réinitialiser votre mot de passe — DictIA"
content_html = f"""
<h2 style="color: #060d1a; margin: 0 0 24px 0; font-size: 24px; font-weight: 700;">Réinitialiser votre mot de passe</h2>
<p style="color: #374151; margin: 0 0 16px 0; font-size: 16px;">Bonjour {display_name},</p>
<p style="color: #374151; margin: 0 0 16px 0; font-size: 16px;">Bonjour {display_name_html},</p>
<p style="color: #374151; margin: 0 0 24px 0; font-size: 16px;">
Nous avons reçu une demande de réinitialisation pour votre compte DictIA. Cliquez sur le bouton ci-dessous pour créer un nouveau mot de passe.
@@ -405,7 +416,7 @@ def send_password_reset_email(user) -> bool:
</div>
"""
content_text = f"""Bonjour {display_name},
content_text = f"""Bonjour {display_name_text},
Nous avons reçu une demande de réinitialisation pour votre compte DictIA. Cliquez sur le lien ci-dessous pour créer un nouveau mot de passe :

6
templates/auth/check_email.html
View File

@@ -16,11 +16,11 @@
<p class="text-sm text-brand-navy/70 mb-6">
{% if action == 'password_reset' %}
{{ "Si un compte DictIA existe pour <strong>" ~ email ~ "</strong>, vous recevrez un courriel avec un lien pour réinitialiser votre mot de passe. Le lien expire dans 1&nbsp;heure." | safe }}
Si un compte DictIA existe pour <strong>{{ email }}</strong>, vous recevrez un courriel avec un lien pour réinitialiser votre mot de passe. Le lien expire dans 1&#160;heure.
{% elif action == 'verification_required' %}
{{ "Vérifiez votre boîte de réception à <strong>" ~ email ~ "</strong>. Si vous ne recevez rien, demandez un nouveau courriel ci-dessous." | safe }}
Vérifiez votre boîte de réception à <strong>{{ email }}</strong>. Si vous ne recevez rien, demandez un nouveau courriel ci-dessous.
{% else %}
{{ "Nous avons envoyé un lien de vérification à <strong>" ~ email ~ "</strong>. Cliquez dessus pour activer votre compte. Le lien expire dans 24&nbsp;heures." | safe }}
Nous avons envoyé un lien de vérification à <strong>{{ email }}</strong>. Cliquez dessus pour activer votre compte. Le lien expire dans 24&#160;heures.
{% endif %}
</p>

2
templates/auth/forgot_password.html
View File

@@ -17,7 +17,7 @@
{% elif category == 'warning' %}bg-amber-50 text-amber-900 border border-amber-200
{% elif category == 'success' %}bg-green-50 text-green-900 border border-green-200
{% else %}bg-blue-50 text-blue-900 border border-blue-200{% endif %}">
{{ message | safe }}
{{ message }}
</div>
{% endfor %}
{% endif %}

2
templates/auth/reset_password.html
View File

@@ -17,7 +17,7 @@
{% elif category == 'warning' %}bg-amber-50 text-amber-900 border border-amber-200
{% elif category == 'success' %}bg-green-50 text-green-900 border border-green-200
{% else %}bg-blue-50 text-blue-900 border border-blue-200{% endif %}">
{{ message | safe }}
{{ message }}
</div>
{% endfor %}
{% endif %}

106
tests/test_email_service_dictia.py
View File

@@ -266,6 +266,112 @@ def test_check_email_template_extends_marketing_base():
_clear_smtp_env()
def test_verification_email_falls_back_when_name_is_whitespace():
"""Empty/whitespace name must NOT produce 'Bonjour ,' — falls back to username."""
with app.test_request_context('/'):
_set_smtp_env()
db.create_all()
try:
user = User(username='claire42', email='claire@example.qc.ca',
password='x' * 60, name=' ', email_verified=False)
db.session.add(user)
db.session.commit()
with patch('src.services.email._send_email', return_value=True) as mock_send:
from src.services.email import send_verification_email
send_verification_email(user)
args, _ = mock_send.call_args
_, _, html_body, text_body = args
assert 'Bonjour ,' not in html_body
assert 'Bonjour claire42' in html_body
assert 'Bonjour claire42' in text_body
finally:
db.session.rollback()
db.drop_all()
_clear_smtp_env()
def test_verification_email_handles_unicode_name():
"""Accented French names must round-trip through email without mojibake."""
with app.test_request_context('/'):
_set_smtp_env()
db.create_all()
try:
user = User(username='francois', email='francois@example.qc.ca',
password='x' * 60, name='François Mélanie',
email_verified=False)
db.session.add(user)
db.session.commit()
with patch('src.services.email._send_email', return_value=True) as mock_send:
from src.services.email import send_verification_email
send_verification_email(user)
args, _ = mock_send.call_args
_, _, html_body, text_body = args
assert 'Bonjour François Mélanie' in html_body
assert 'Bonjour François Mélanie' in text_body
finally:
db.session.rollback()
db.drop_all()
_clear_smtp_env()
def test_verification_email_escapes_html_in_user_name():
"""user.name with HTML payload must be escaped in HTML body, raw in text body.
Regression test for C1 (stored XSS). A signup with name='<img onerror=...>'
persists the payload — without escape it executes when the verification
email renders.
"""
with app.test_request_context('/'):
_set_smtp_env()
db.create_all()
try:
payload = '<img src=x onerror=alert(1)>'
user = User(username='attacker', email='attacker@x.ca',
password='x' * 60, name=payload, email_verified=False)
db.session.add(user)
db.session.commit()
with patch('src.services.email._send_email', return_value=True) as mock_send:
from src.services.email import send_verification_email
send_verification_email(user)
args, _ = mock_send.call_args
_, _, html_body, text_body = args
# HTML body MUST escape the payload
assert payload not in html_body, \
'Raw HTML payload leaked into HTML email body!'
assert '&lt;img src=x onerror=alert(1)&gt;' in html_body
# Text body keeps the raw string (it's plaintext, no XSS surface)
assert payload in text_body
finally:
db.session.rollback()
db.drop_all()
_clear_smtp_env()
def test_check_email_template_escapes_email_in_response():
"""email value rendered into check_email.html must be HTML-escaped.
Regression test for C2 (reflected XSS). Posting a script payload to
/forgot-password reflected it unescaped via concat-then-safe pattern.
"""
with app.app_context():
app.config['WTF_CSRF_ENABLED'] = False
_set_smtp_env()
db.create_all()
try:
client = app.test_client()
payload = '<script>alert(1)</script>'
resp = client.post('/forgot-password', data={'email': payload})
assert resp.status_code == 200
body = resp.data.decode('utf-8')
assert payload not in body, \
'Raw <script> payload leaked into rendered HTML!'
assert '&lt;script&gt;alert(1)&lt;/script&gt;' in body
finally:
db.session.rollback()
db.drop_all()
_clear_smtp_env()
def test_resend_verification_rate_limited_per_user():
"""can_resend_verification returns (False, remaining) within the 60s cooldown."""
with app.app_context():