Fix XSS vulnerability, request parsing bug, and session persistence

- Fix XSS in stegasoo.js: use textContent instead of innerHTML for filenames - Fix operator precedence in channel key parsing (form data was ignored) - Persist Flask secret key to instance/.secret_key so sessions survive restarts 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-03 00:08:06 -05:00
parent 5188492c77
commit 83e9bd6fa1
2 changed files with 18 additions and 3 deletions
--- a/frontends/web/app.py
+++ b/frontends/web/app.py
@@ -144,7 +144,18 @@ subprocess_stego = SubprocessStego(timeout=180)  # 3 minute timeout for large im
 # ============================================================================

 app = Flask(__name__)
-app.secret_key = secrets.token_hex(32)
+
+# Persist secret key so sessions survive restarts
+_instance_path = Path(app.instance_path)
+_instance_path.mkdir(parents=True, exist_ok=True)
+_secret_key_file = _instance_path / ".secret_key"
+if _secret_key_file.exists():
+    app.secret_key = _secret_key_file.read_text().strip()
+else:
+    app.secret_key = secrets.token_hex(32)
+    _secret_key_file.write_text(app.secret_key)
+    _secret_key_file.chmod(0o600)
+
 app.config["MAX_CONTENT_LENGTH"] = MAX_FILE_SIZE

 # Auth configuration from environment
@@ -372,7 +383,7 @@ def api_channel_validate():

    Returns JSON with validation result.
    """
-    key = request.form.get("key", "") or request.json.get("key", "") if request.is_json else ""
+    key = request.form.get("key", "") or (request.json.get("key", "") if request.is_json else "")

    if not key:
        return jsonify({"valid": False, "error": "No key provided"})
--- a/frontends/web/static/js/stegasoo.js
+++ b/frontends/web/static/js/stegasoo.js
@@ -119,7 +119,11 @@ const Stegasoo = {
                if (isScanContainer || isPixelContainer) {
                    labelEl.classList.add('d-none');
                } else {
-                    labelEl.innerHTML = '<i class="bi bi-check-circle text-success me-1"></i>' + file.name;
+                    labelEl.textContent = '';
+                    const icon = document.createElement('i');
+                    icon.className = 'bi bi-check-circle text-success me-1';
+                    labelEl.appendChild(icon);
+                    labelEl.appendChild(document.createTextNode(file.name));
                }
            }