Fix XSS vulnerability, request parsing bug, and session persistence
- Fix XSS in stegasoo.js: use textContent instead of innerHTML for filenames - Fix operator precedence in channel key parsing (form data was ignored) - Persist Flask secret key to instance/.secret_key so sessions survive restarts 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@@ -144,7 +144,18 @@ subprocess_stego = SubprocessStego(timeout=180) # 3 minute timeout for large im
|
|||||||
# ============================================================================
|
# ============================================================================
|
||||||
|
|
||||||
app = Flask(__name__)
|
app = Flask(__name__)
|
||||||
app.secret_key = secrets.token_hex(32)
|
|
||||||
|
# Persist secret key so sessions survive restarts
|
||||||
|
_instance_path = Path(app.instance_path)
|
||||||
|
_instance_path.mkdir(parents=True, exist_ok=True)
|
||||||
|
_secret_key_file = _instance_path / ".secret_key"
|
||||||
|
if _secret_key_file.exists():
|
||||||
|
app.secret_key = _secret_key_file.read_text().strip()
|
||||||
|
else:
|
||||||
|
app.secret_key = secrets.token_hex(32)
|
||||||
|
_secret_key_file.write_text(app.secret_key)
|
||||||
|
_secret_key_file.chmod(0o600)
|
||||||
|
|
||||||
app.config["MAX_CONTENT_LENGTH"] = MAX_FILE_SIZE
|
app.config["MAX_CONTENT_LENGTH"] = MAX_FILE_SIZE
|
||||||
|
|
||||||
# Auth configuration from environment
|
# Auth configuration from environment
|
||||||
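Review bot: The new else branch writes the key with `_secret_key_file.write_text(app.secret_key)` and only then calls `chmod(0o600)`, so the file is created with the process umask's default mode and the key is briefly readable by other local users; creating it with `os.open(..., os.O_CREAT | os.O_EXCL, 0o600)` closes that window. The exists/write sequence is also not atomic: if the app is started by a multi-process server (not visible here), several workers can miss the file at the same time and each persist a different key, which defeats the stated goal of stable sessions, and `O_EXCL` plus a re-read on `FileExistsError` fixes that too. The read branch accepts an empty or whitespace-only file silently, since `"".strip()` leaves `app.secret_key` empty; a check after the read surfaces that immediately. This assumes `os` is already imported at the top of the file, which this hunk does not show.
```python
_secret_key_file = _instance_path / ".secret_key"
try:
    # O_CREAT|O_EXCL creates the file atomically with mode 0o600, so the key is
    # never exposed under a permissive umask and concurrent starters cannot
    # both generate a key.
    _fd = os.open(_secret_key_file, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
except FileExistsError:
    app.secret_key = _secret_key_file.read_text().strip()
else:
    with os.fdopen(_fd, "w") as _f:
        app.secret_key = secrets.token_hex(32)
        _f.write(app.secret_key)
if not app.secret_key:
    raise RuntimeError(f"empty secret key in {_secret_key_file}")
# … unchanged: app.config["MAX_CONTENT_LENGTH"] = MAX_FILE_SIZE …
```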
@@ -372,7 +383,7 @@ def api_channel_validate():
|
|||||||
|
|
||||||
Returns JSON with validation result.
|
Returns JSON with validation result.
|
||||||
"""
|
"""
|
||||||
key = request.form.get("key", "") or request.json.get("key", "") if request.is_json else ""
|
key = request.form.get("key", "") or (request.json.get("key", "") if request.is_json else "")
|
||||||
|
|
||||||
if not key:
|
if not key:
|
||||||
return jsonify({"valid": False, "error": "No key provided"})
|
return jsonify({"valid": False, "error": "No key provided"})
|
||||||
|
|||||||
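Review bot: The corrected line `key = request.form.get("key", "") or (request.json.get("key", "") if request.is_json else "")` still returns a 500 for a JSON body that is not an object, because `request.json.get` raises `AttributeError` when the client posts a JSON array, string or `null`, and a malformed JSON body raises from `request.json` itself. Using `payload = request.get_json(silent=True) if request.is_json else None` followed by `key = request.form.get("key", "") or (payload.get("key", "") if isinstance(payload, dict) else "")` turns both cases into the existing "No key provided" response. A JSON number or object as the `key` value also passes the `if not key:` check; `if not isinstance(key, str) or not key:` keeps non-string keys out of whatever validation follows. The body of api_channel_validate starts before and continues after this hunk.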
@@ -119,7 +119,11 @@ const Stegasoo = {
|
|||||||
if (isScanContainer || isPixelContainer) {
|
if (isScanContainer || isPixelContainer) {
|
||||||
labelEl.classList.add('d-none');
|
labelEl.classList.add('d-none');
|
||||||
} else {
|
} else {
|
||||||
labelEl.innerHTML = '<i class="bi bi-check-circle text-success me-1"></i>' + file.name;
|
labelEl.textContent = '';
|
||||||
|
const icon = document.createElement('i');
|
||||||
|
icon.className = 'bi bi-check-circle text-success me-1';
|
||||||
|
labelEl.appendChild(icon);
|
||||||
|
labelEl.appendChild(document.createTextNode(file.name));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
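Review bot: As a point of style, the new else branch clears the label with `labelEl.textContent = '';` and then issues two `appendChild` calls, which can be collapsed into one `labelEl.replaceChildren(icon, file.name);` — `replaceChildren` accepts strings and inserts them as text nodes, so the filename stays inert and the label never sits in an intermediate empty state. The fix itself is sound: the filename is no longer parsed as markup. If other places in this file still build `innerHTML` from `file.name` or similar user-controlled values (not visible in this hunk), they need the same treatment. The enclosing function starts and ends outside the hunk.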