Fix SSTI vulnerability in ad and consent pages (#517)

* Fix SSTI vulnerability in ad and consent pages Fixed an issue where users could pass arbitrary Python code to be executed on the server to the mode HTTP arg More information about this type of vulnerability: https://secure-cookie.io/attacks/ssti/
NYUCCL · Oct 1, 2021 · 47787e1 · 47787e1
1 parent 231d566
commit 47787e1
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 5 deletions.
diff --git a/psiturk/experiment.py b/psiturk/experiment.py
@@ -380,9 +380,10 @@ def advertisement():
         # even have accepted the HIT.
         with open('templates/ad.html', 'r') as temp_file:
             ad_string = temp_file.read()
-        ad_string = insert_mode(ad_string, mode)
+        ad_string = insert_mode(ad_string)
         return render_template_string(
             ad_string,
+            mode=mode,
             hitid=hit_id,
             assignmentid=assignment_id,
             workerid=worker_id
@@ -406,9 +407,10 @@ def give_consent():
     mode = request.args['mode']
     with open('templates/consent.html', 'r') as temp_file:
         consent_string = temp_file.read()
-    consent_string = insert_mode(consent_string, mode)
+    consent_string = insert_mode(consent_string)
     return render_template_string(
         consent_string,
+        mode=mode,
         hitid=hit_id,
         assignmentid=assignment_id,
         workerid=worker_id
@@ -731,7 +733,7 @@ def ppid():
 # to avoid breaking backwards compatibility with old templates.
 
 
-def insert_mode(page_html, mode):
+def insert_mode(page_html):
     """ Insert mode """
     page_html = page_html
     match_found = False
@@ -740,7 +742,7 @@ def insert_mode(page_html, mode):
     for match in matches:
         match_found = True
     if match_found:
-        new_html = page_html[:match.end()] + "&mode=" + mode +\
+        new_html = page_html[:match.end()] + '&mode={{ mode }}' +\
             page_html[match.end():]
         return new_html
     else:

diff --git a/tests/test_psiturk.py b/tests/test_psiturk.py
@@ -141,7 +141,7 @@ def test_insert_mode(psiturk_test_client):
         ad_string = temp_file.read()
 
     from psiturk.experiment import insert_mode
-    insert_mode(ad_string, 'debug')
+    insert_mode(ad_string)
 
 
 class PsiTurkStandardTests(PsiturkUnitTest):