Escape untrusted strings in notifications (2.4.1) #19
Merged
Geo data from ipinfo.io and GitHub release notes were interpolated unescaped into HTML email, Telegram (parse_mode=HTML) and Discord markdown. Add a shared escape helper and apply it: html-escape for email, HTML-special escape for Telegram, markdown escape for Discord, on geo fields, server name, IP values, changelog content and release URL. Plain-text and Apprise paths are unchanged. This blocks markup/link injection into the channels and fixes a case where a stray < or & in a field made Telegram reject the message (400) and silently drop a real IP-change alert.
Cover the escape helpers and assert each notifier escapes hostile geo, server name, changelog and event strings while keeping the template tags intact; the plain-text email part stays unescaped.
Bump to 2.4.1 and document the escaping fix in the changelog and upgrade notes.
Security patch implementing the top finding from the comprehensive review.
Problem
Geo data from ipinfo.io (`org`/`city`/`region`/`timezone`) and GitHub release-note content were interpolated unescaped into HTML email, Telegram (parse_mode=HTML) and Discord markdown. This allowed markup/link injection into the notification channels, and a stray `<` / `&` in the ISP `org` field made Telegram reject the message (400) and silently drop a real IP-change alert.
Fix
`wanwatcher/notifiers/_escape.py`: `html_escape` (email), `telegram_escape` (HTML specials), `discord_escape` (markdown).
No breaking changes. Full suite 330 passing, lint and mypy clean.
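As an added illustration of the fix described above (example code written for this page, not wanwatcher's own `_escape.py`), the three helpers and a Telegram/Discord render that escapes each untrusted field while leaving the template's own tags intact. The helper names follow the PR; their bodies, the Discord special-character set and the geo record are assumptions.

```python
import html
import re

# Telegram's parse_mode=HTML only needs these three characters escaped
# (assumption: the project's telegram_escape behaves the same; not its code).
_TELEGRAM_SPECIALS = {"<": "&lt;", ">": "&gt;", "&": "&amp;"}
# Discord markdown control characters to neutralise (assumed set).
_DISCORD_SPECIALS = re.compile(r"([\\*_~`|>#\[\]()])")

def html_escape(value: object) -> str:
    """Escape a value for the HTML email body, including quotes for attributes."""
    return html.escape(str(value), quote=True)

def telegram_escape(value: object) -> str:
    """Escape the HTML specials that would otherwise make Telegram return 400."""
    return "".join(_TELEGRAM_SPECIALS.get(ch, ch) for ch in str(value))

def discord_escape(value: object) -> str:
    """Backslash-escape Discord markdown so untrusted text renders literally."""
    return _DISCORD_SPECIALS.sub(r"\\\1", str(value))

# Constructed hostile ipinfo.io-style geo record (sample data, not real).
HOSTILE_GEO = {
    "org": "AS0 <b>Evil</b> & Co",
    "city": "[click](https://example.invalid)",
    "region": "*bold*_",
    "timezone": "UTC",
}

def render_telegram(server: str, new_ip: str, geo: dict) -> str:
    """Template tags stay literal; every untrusted field goes through the escaper."""
    return (
        f"<b>IP change on {telegram_escape(server)}</b>\n"
        f"New IP: <code>{telegram_escape(new_ip)}</code>\n"
        f"ISP: {telegram_escape(geo['org'])}, {telegram_escape(geo['city'])}"
    )

def render_discord(server: str, new_ip: str, geo: dict) -> str:
    """Same idea for Discord: the bold markers are ours, field contents are escaped."""
    return (
        f"**IP change on {discord_escape(server)}**\n"
        f"New IP: `{discord_escape(new_ip)}`\n"
        f"ISP: {discord_escape(geo['org'])} ({discord_escape(geo['city'])})"
    )

if __name__ == "__main__":
    print(render_telegram("home-router", "203.0.113.7", HOSTILE_GEO))
    print(render_discord("home-router", "203.0.113.7", HOSTILE_GEO))
```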