Skip to content

BYNT-1365: Webauthn device name validation using form extension#119

Merged
tarekio merged 3 commits intomainfrom
sanitize-webauthn-name
Jul 2, 2025
Merged

BYNT-1365: Webauthn device name validation using form extension#119
tarekio merged 3 commits intomainfrom
sanitize-webauthn-name

Conversation

@cango91
Copy link
Contributor

@cango91 cango91 commented Jun 21, 2025
edited by atlassian bot
Loading

Jira Issue

  1. BYNT-1365

Description

Sanitize WebAuthn device name to prevent xss

Checklist

  • Tests added/updated
  • Documentation updated (if needed)
  • New strings prepared for translations

API Changes (if applicable)

  • Permissions checked
  • Endpoint tests added

Additional Notes

[Any other relevant information]

@cango91 cango91 requested a review from Copilot June 21, 2025 01:31
Copilot AI reviewed Jun 21, 2025
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

Adds a custom WebAuthn registration form that sanitizes device names to prevent XSS and wires it into the application’s security settings.

  • Introduces SanitizedWebAuthnRegisterForm with validation and sanitization logic for the name field.
  • Imports sanitize_string and integrates ValidationError for consistent error handling.
  • Configures the new form under Flask-Security options in app.py.

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File Description
enferno/user/forms.py Added SanitizedWebAuthnRegisterForm to sanitize and validate device names.
enferno/app.py Registered SanitizedWebAuthnRegisterForm in the security options.
Comments suppressed due to low confidence (1)

enferno/user/forms.py:21

  • No tests cover this new validation logic. Please add unit tests verifying empty, HTML-only, overlength, and valid name cases for validate_name.
    def validate_name(self, field):

@cango91 cango91 self-assigned this Jun 21, 2025
@cango91 cango91 requested a review from tarekio June 21, 2025 01:39
@cango91 cango91 marked this pull request as ready for review June 21, 2025 01:39
level09
level09 requested changes Jun 25, 2025
View reviewed changes
Copy link
Collaborator

@level09 level09 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we do 2 modifications :

  1. I don't like the current Silent modification UX, Users get no feedback when HTML is stripped, creating confusion. Let's raise a validation error if the input is not valid or contains HTML (explicit rejection)

  2. for this use case as mentioned in the comment, we can't use the sanitize string, Let's instead build a custom method or util to validate and reject :

  • html tags
  • html entities
  • complex nested html
  • long strings

here is an example

if not field.data or not field.data.strip():
        raise ValidationError("Device name cannot be empty.")
    
    import re
    from html import unescape
    
    # Reject HTML tags
    if re.search(r'<[^>]*>', field.data):
        raise ValidationError(
            "Device name cannot contain HTML tags. Please enter plain text only."
        )
    
    # Reject HTML entities
    if unescape(field.data) != field.data:
        raise ValidationError(
            "Device name cannot contain HTML entities. Please enter plain text only."
        )
    
    # Normalize whitespace and validate length
    clean_name = ' '.join(field.data.split())
    if len(clean_name) > 64:
        raise ValidationError("Device name is too long (maximum 64 characters).")

example cases to be rejected :

[
    "My <script>alert('xss')</script> Phone",
    "Device &lt;script&gt;",
    "Phone<!--comment-->",
    "My <div>Phone</div>",
    "&amp;Device&amp;",
    "Phone<svg onload=alert()>"
]
  • also very long strings

we can re-use this util method everywhere we need (feel free to parameterize it with string length etc .. )

@cango91
Replace silent HTML sanitization with explicit validation rejection f…
464c5b7 
…or WebAuthn device names. Addresses XSS concerns by rejecting HTML tags/entities instead of cleaning them, providing clear user feedback.
@cango91 cango91 requested a review from level09 June 25, 2025 20:08
level09
level09 approved these changes Jun 28, 2025
View reviewed changes
Copy link
Collaborator

@level09 level09 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Excellent. All boxes checked ✅

@tarekio tarekio merged commit c8ca0ed into main Jul 2, 2025
6 of 7 checks passed
@tarekio tarekio deleted the sanitize-webauthn-name branch July 2, 2025 14:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@level09 level09 level09 approved these changes

+1 more reviewer

@tarekio tarekio tarekio approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@cango91 cango91

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@cango91 @level09 @tarekio