Security: fix XSS vulnerabilities in health and grok routes (#124)

2026-03-04 07:58:49 -05:00
parent 15c7ee5d1e
commit d1f2ae3ed4
3 changed files with 57 additions and 4 deletions
--- a/src/dashboard/routes/grok.py
+++ b/src/dashboard/routes/grok.py
@@ -198,9 +198,11 @@ async def grok_stats():

 def _render_toggle_card(active: bool) -> str:
    """Render the Grok Mode toggle card HTML."""
+    import html
    color = "#00ff88" if active else "#666"
    state = "ACTIVE" if active else "STANDBY"
    glow = "0 0 20px rgba(0, 255, 136, 0.4)" if active else "none"
+    model_name = html.escape(settings.grok_default_model)

    return f"""
    <div id="grok-toggle-card"
@@ -213,7 +215,7 @@ def _render_toggle_card(active: bool) -> str:
                    GROK MODE: {state}
                </div>
                <div style="font-size: 0.8rem; color: var(--text-muted); margin-top: 4px;">
-                    xAI frontier reasoning | {settings.grok_default_model}
+                    xAI frontier reasoning | {model_name}
                </div>
            </div>
            <button hx-post="/grok/toggle"
--- a/src/dashboard/routes/health.py
+++ b/src/dashboard/routes/health.py
@@ -237,9 +237,10 @@ async def health_status_panel(request: Request):
    
    status_text = "UP" if ollama_ok else "DOWN"
    status_color = "#10b981" if ollama_ok else "#ef4444"
-    model = settings.ollama_model  # Include model for test compatibility
+    import html
+    model = html.escape(settings.ollama_model)  # Include model for test compatibility
    
-    html = f"""
+    html_content = f"""
    <!DOCTYPE html>
    <html>
    <head><title>Health Status</title></head>
@@ -251,7 +252,7 @@ async def health_status_panel(request: Request):
    </body>
    </html>
    """
-    return HTMLResponse(content=html)
+    return HTMLResponse(content=html_content)


@router.get("/health/sovereignty", response_model=SovereigntyReport)
--- a/tests/security/test_xss_vulnerabilities.py
+++ b/tests/security/test_xss_vulnerabilities.py
@@ -0,0 +1,50 @@
+import pytest
+from fastapi.testclient import TestClient
+from dashboard.app import app
+from config import settings
+import html
+
+@pytest.fixture
+def client():
+    return TestClient(app)
+
+def test_health_status_xss_vulnerability(client):
+    """Verify that the health status page escapes the model name."""
+    original_model = settings.ollama_model
+    malicious_model = '"><script>alert("XSS")</script>'
+    
+    try:
+        # Inject malicious model name into settings
+        settings.ollama_model = malicious_model
+        
+        response = client.get("/health/status")
+        assert response.status_code == 200
+        
+        # The malicious script should be escaped
+        escaped_model = html.escape(malicious_model)
+        assert escaped_model in response.text
+        assert malicious_model not in response.text
+    finally:
+        settings.ollama_model = original_model
+
+def test_grok_toggle_xss_vulnerability(client):
+    """Verify that the grok toggle card escapes the model name."""
+    original_model = settings.grok_default_model
+    malicious_model = '"><img src=x onerror=alert(1)>'
+    
+    try:
+        # Inject malicious model name into settings
+        settings.grok_default_model = malicious_model
+        
+        # We need to make grok available to trigger the render_toggle_card
+        # Since we're in test mode, we might need to mock this or just call the function
+        from dashboard.routes.grok import _render_toggle_card
+        
+        html_output = _render_toggle_card(active=True)
+        
+        # The malicious script should be escaped
+        escaped_model = html.escape(malicious_model)
+        assert escaped_model in html_output
+        assert malicious_model not in html_output
+    finally:
+        settings.grok_default_model = original_model