From b74fcf25709de031db52acd0b0fa32563e29f266 Mon Sep 17 00:00:00 2001
From: Chris Hill-Scott
Date: Tue, 30 Nov 2021 17:17:16 +0000
Subject: [PATCH] Bump WTForms and Flask-WTF to latest versions
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

WTForms versions less than 3.0.0 have a security vulnerability where arbitrary HTML can be inserted into the label of a form, allowing the possibility of a cross-site scripting attack. I don’t know if there’s anywhere we put user-generated content into form labels but it’s possible we are vulnerable somewhere. This require moving some imports because as of https://github.com/wtforms/wtforms/pull/614/files there is no longer a separate module for HTML 5 fields, they are now considered core fields. As of https://github.com/wtforms/wtforms/issues/445/files custom implementations of `pre_validate` or `post_validate` must raise `ValidationError` to trigger a validation message, where we were raising `ValueError` this was no longer being caught. As of https://github.com/wtforms/wtforms/pull/355/files `StringField` returns `None` for empty data, not `''` but our `validate_email_address` function only accepts strings.
---
 app/main/forms.py | 6 ++++--
 app/main/validators.py | 2 +-
 requirements.in | 3 ++-
 requirements.txt | 8 +++++---
 4 files changed, 12 insertions(+), 7 deletions(-)

diff --git a/app/main/forms.py b/app/main/forms.py
index f9d73d4697..11f77be1b4 100644
--- a/app/main/forms.py
+++ b/app/main/forms.py
@@ -22,6 +22,7 @@ from wtforms import (
 BooleanField,
 DateField,
+ EmailField,
 FieldList,
 FileField,
 HiddenField,
@@ -30,13 +31,14 @@ )
 from wtforms import RadioField as WTFormsRadioField
 from wtforms import (
+ SearchField,
 SelectMultipleField,
 StringField,
+ TelField,
 TextAreaField,
 ValidationError,
 validators,
 )
-from wtforms.fields.html5 import EmailField, SearchField, TelField
 from wtforms.validators import URL, DataRequired, Length, Optional, Regexp
 from app.formatters import format_thousands, guess_name_from_email_address
@@ -542,7 +544,7 @@ def pre_validate(self, form):
 try:
 return super().pre_validate(form)
 except ValueError:
- raise ValueError(self.required_message)
+ raise ValidationError(self.required_message)
 class StripWhitespaceForm(Form):
diff --git a/app/main/validators.py b/app/main/validators.py
index d3b2673323..ec46113ac6 100644
--- a/app/main/validators.py
+++ b/app/main/validators.py
@@ -58,7 +58,7 @@ class ValidEmail:
 def __call__(self, form, field):
- if field.data == '':
+ if not field.data:
 return
 try:
diff --git a/requirements.in b/requirements.in
index ab93367d4a..7fea7cd4a8 100644
--- a/requirements.in
+++ b/requirements.in
@@ -5,7 +5,8 @@ ago==0.0.93
 govuk-bank-holidays==0.8
 humanize==3.12.0
 Flask==1.1.2 # pyup: <2
-Flask-WTF==0.15.1
+Flask-WTF==1.0.0
+wtforms==3.0.0
 Flask-Login==0.5.0
 werkzeug==2.0.2
 jinja2==3.0.2
diff --git a/requirements.txt b/requirements.txt
index 197df53b6f..44cb309fbf 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -69,7 +69,7 @@ flask-login==0.5.0
 # via -r requirements.in
 flask-redis==0.4.0
 # via notifications-utils
-flask-wtf==0.15.1
+flask-wtf==1.0.0
 # via -r requirements.in
 gds-metrics==0.2.4
 # via -r requirements.in
@@ -225,8 +225,10 @@ werkzeug==2.0.2
 # via
 # -r requirements.in
 # flask
-wtforms==2.3.3
- # via flask-wtf
+wtforms==3.0.0
+ # via
+ # -r requirements.in
+ # flask-wtf
 xlrd==1.2.0
 # via pyexcel-xls
 xlwt==1.3.0
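Review bot: The `except ValueError:` around `super().pre_validate(form)` still catches the parent's error only because WTForms' `ValidationError` subclasses `ValueError`, and the hunk leaves that implicit while also discarding the parent's message: if the parent check rejects a non-empty value that is not among the allowed choices, the user (and any log of the form errors) now sees `required_message`, so a submission carrying an unexpected value is reported as if it were blank. I would keep the cause and say why the catch works, `except ValueError as err:` / `raise ValidationError(self.required_message) from err`, with a comment above it such as `# WTForms 3 raises ValidationError (a ValueError subclass); re-raise with our own wording so the field-level message is shown.`. Whether the parent's rejection is the choice check is an inference from `pre_validate`, not visible here, so confirm against the base field. The `def pre_validate(self, form):` line and the rest of the class sit outside the hunk.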
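Review bot: The early `return` on `not field.data` makes `ValidEmail` accept a blank or `None` value by design, but nothing in the hunk says that presence is enforced by a separate validator (`DataRequired` or `Optional` from `wtforms.validators`, both imported in forms.py), so a field that lists only `ValidEmail` would now pass with an empty address; a comment would make the contract explicit, e.g. `# Empty/None data is left to the field's required validator (DataRequired); this one only checks the address format.`. It is also worth a test that submits both `''` and a missing value and asserts the required validator, not this one, produces the error. The rest of `__call__` (the `try:` body) continues outside the hunk.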