89 changes: 89 additions & 0 deletions DDD.md
@@ -0,0 +1,89 @@
# Domain Driven Design

W ramach zadania należało przedstawić zgodnie z zasadą Domain Driven Design fragment bezpiecznej aplikacji bankowej.

## Bounded Context:

| Nazwa | Opis |
| ------------------ | ---------------------------------------------------------------------------------------------- |
| Zarządzanie Kontem | Odpowiada za tworzenie i edytowanie danych kont bankowych klientów |
| Przelewy | Odpowiada za zlecenia przelewów, weryfikuje saldo |
| Karty | Odpowiada za zarządzanie kartami klientów, wydawanie kart, ustawianie limitów, blokowania kart |
| Kredyty | Odpowiada za zlecanie kredytów, wyświetla obecne raty |
| Uwierzytelnienie | Odpowiada za proces logowania i autoryzacji klientów |

## Agregaty:

| Nazwa | Powiązane obiekty wartości / encje | Opis |
| ------------ | ------------------------------------------ | --------------------------------------------- |
| KontoBankowe | Klient, Saldo | Reprezentuje indywidualne konto klienta banku |
| Przelew | KwotaPrzelewu, KontoOdbiorcy, KontoNadawcy | Reprezentuje zlecenie przelewu |

## Encje

### Klient

| Atrybut | Typ danych | Opis |
| -------------- | -------------- | ------------------------------ |
| idKlienta | String | Unikalny identyfikator klienta |
| daneOsobowe | daneOsobowe | Dane osobowe klienta |
| daneKontaktowe | daneKontatkowe | Dane kontaktowe klienta |
| adres | Adres | Adres zamieszkania klienta |

### KontoBankowe

| Atrybut | Typ danych | Opis |
| ---------- | ---------- | ---------------------------------------------- |
| idKonta | String | Unikalny identyfikator konta |
| idKlienta | String | Identyfikator klienta, do którego należy konto |
| numerKonta | String | Numer konta bankowego klienta |
| saldo | Decimal | Aktualne saldo konta |

### Przelew

| Atrybut | Typ danych | Opis |
| ------------ | ----------------------------------------- | ---------------------------------------- |
| idPrzelewu | String | Unikalny identyfikator przelewu |
| kwota | KwotaPrzelewu | Kwota oraz waluta przelewu |
| dataZlecenia | DateTime | Data zlecenia przelewu |
| nadawca | KontoBankowe | Konto, z którego wykonywany jest przelew |
| odbiorca | KontoBankowe | Konto, na które wykonany jest przelew |
| tytul | String | Tytuł przelewu podany przez nadawcę |
| status | Enum(Oczekujący, Zrealizowany, Odrzucony) | Status przetwarzania przelewu |

## Obiekty wartości

### Dane osobowe

| Atrybut | Typ danych | Opis |
| -------- | ---------- | ---------------- |
| imie | String | Imię klienta |
| nazwisko | String | Nazwisko klienta |

### Dane kontaktowe

| Atrybut | Typ danych | Opis |
| ------------- | ---------- | --------------------------- |
| email | String | Adres e-mail klienta |
| numerTelefonu | String | Numer telefonu kontaktowego |

### Adres

| Atrybut | Typ danych | Opis |
| ----------- | ---------- | ------------ |
| ulica | String | Nazwa ulicy |
| numerUlicy | String | Numer ulicy |
| miasto | String | Nazwa miasta |
| kodPocztowy | String | Kod pocztowy |
| kraj | String | Nazwa kraju |

### KwotaPrzelewu

| Atrybut | Typ danych | Opis |
| ------- | ------------------------ | ----------------------------------------- |
| wartość | Decimal | Kwota przelewu |
| waluta | Enum(PLN, EUR, USD, ...) | Waluta, w której realizowany jest przelew |

## Model

![alt text](model.png)
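Review bot: the type of `daneKontaktowe` in the Klient entity is spelt `daneKontatkowe`, which does not match the `Dane kontaktowe` value object defined further down; fix the typo so the type names line up. Two consistency points on the Przelew aggregate: the aggregate table lists `KontoOdbiorcy` and `KontoNadawcy` as its value objects, but the Przelew entity table types `nadawca` and `odbiorca` as `KontoBankowe`, i.e. the whole account aggregate. Holding one aggregate inside another breaks the aggregate boundary; in DDD an aggregate references another by identity (`idKonta`) or by a small value object such as the account number, which is also all that `Przelewy` needs in order to verify the saldo. The `Uwierzytelnienie` bounded context lists no entities or value objects, so the "secure banking application" brief is not modelled yet; at minimum a credential or session entity would show how login and authorisation are represented. Minor: the image alt text `alt text` should describe the model.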
4 changes: 4 additions & 0 deletions Python/Flask_Book_Library/Dockerfile
@@ -8,8 +8,12 @@ WORKDIR /app
COPY . .

# Instalujemy zależności
RUN pip install --upgrade pip
RUN pip install --no-cache-dir -r requirements.txt

# Gdy testy się nie zakończą się sukcesem obraz się nie zbuduj
RUN pytest -v

# Ustawiamy zmienną środowiskową, aby Flask wiedział, jak uruchomić aplikację
ENV FLASK_APP=app.py
ENV FLASK_RUN_HOST=0.0.0.0
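Review bot: `RUN pytest -v` inside the image build means pytest (added to `requirements.txt` in this PR) and the test suite ship in the runtime image, and any failing test blocks the build entirely; consider a separate test stage in a multi-stage Dockerfile, or running the tests in CI before the build, so the final image carries only runtime dependencies. Also the comment on that line has a doubled `się` and `zbuduj` should read `zbuduje`.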
26 changes: 16 additions & 10 deletions Python/Flask_Book_Library/project/books/views.py
@@ -1,4 +1,5 @@
from flask import render_template, Blueprint, request, redirect, url_for, jsonify
from markupsafe import escape
from project import db
from project.books.models import Book
from project.books.forms import CreateBook
@@ -28,23 +29,28 @@ def list_books_json():


# Route to create a new book
@books.route('/create', methods=['POST', 'GET'])
@books.route("/create", methods=["POST", "GET"])
def create_book():
data = request.get_json()

new_book = Book(name=data['name'], author=data['author'], year_published=data['year_published'], book_type=data['book_type'])
new_book = Book(
name=escape(data["name"]),
author=escape(data["author"]),
year_published=escape(data["year_published"]),
book_type=escape(data["book_type"]),
)

try:
# Add the new book to the session and commit to save to the database
db.session.add(new_book)
db.session.commit()
print('Book added successfully')
return redirect(url_for('books.list_books'))
print("Book added successfully")
return redirect(url_for("books.list_books"))
except Exception as e:
# Handle any exceptions, such as database errors
db.session.rollback()
print('Error creating book')
return jsonify({'error': f'Error creating book: {str(e)}'}), 500
print("Error creating book")
return jsonify({"error": f"Error creating book: {str(e)}"}), 500


# Route to update an existing book
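Review bot: `escape()` is applied at input time and the escaped text is persisted, which puts HTML output encoding in the wrong layer. Flask's Jinja2 templates autoescape on render, so a value stored as `&lt;b&gt;` renders as `&amp;lt;b&amp;gt;` after the second escaping, and any JSON endpoint serving these rows returns `&#39;` for a plain apostrophe in an author name such as O'Reilly. The usual fix is to store the raw value, validate it here (type, length, a sane `year_published` range) and let the template layer escape on output. Two smaller points in the same lines: `escape(data["year_published"])` turns a number into a string `Markup` object, so if that column is an integer the type changes silently; and `data["name"]` raises `KeyError` when the key is missing, which is outside the `try` and so produces an unhandled 500 rather than a 400. Pre-existing but worth fixing while here: the `except` branch returns `str(e)` to the client, which exposes database error text; log it server-side and return a generic message.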
@@ -63,10 +69,10 @@ def edit_book(book_id):
data = request.get_json()

# Update book details
book.name = data.get('name', book.name) # Update if data exists, otherwise keep the same
book.author = data.get('author', book.author)
book.year_published = data.get('year_published', book.year_published)
book.book_type = data.get('book_type', book.book_type)
book.name = escape(data.get('name', book.name)) # Update if data exists, otherwise keep the same
book.author = escape(data.get('author', book.author))
book.year_published = escape(data.get('year_published', book.year_published))
book.book_type = escape(data.get('book_type', book.book_type))

# Commit the changes to the database
db.session.commit()
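Review bot: `escape(data.get('name', book.name))` re-escapes the stored value whenever the request omits `name`, because `book.name` comes back from the database as a plain `str`, not `Markup`, so each partial edit turns `&lt;` into `&amp;lt;`; the same applies to the other three fields. If input-time escaping is kept, escape only the incoming value, e.g. `name = data.get('name')` followed by `if name is not None: book.name = escape(name)`; better still, validate here and leave escaping to the templates.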
9 changes: 5 additions & 4 deletions Python/Flask_Book_Library/project/customers/views.py
@@ -1,4 +1,5 @@
from flask import render_template, Blueprint, request, redirect, url_for, jsonify
from markupsafe import escape
from project import db
from project.customers.models import Customer

@@ -35,7 +36,7 @@ def create_customer():
print('Invalid form data')
return jsonify({'error': 'Invalid form data'}), 400

new_customer = Customer(name=data['name'], city=data['city'], age=data['age'])
new_customer = Customer(name=escape(data['name']), city=escape(data['city']), age=escape(data['age']))

try:
# Add the new customer to the session and commit to save to the database
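Review bot: `escape(data['age'])` converts a numeric age into a string `Markup`; if `Customer.age` is an integer column, validate and cast instead (`int(data['age'])` in a `try`, returning 400 on `ValueError`, which fits the `'Invalid form data'` branch just above). The same double-encoding concern as in `books/views.py` applies: escaped text persisted here is escaped again by Jinja2 on render.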
@@ -85,9 +86,9 @@ def edit_customer(customer_id):
data = request.form

# Update customer details
customer.name = data['name']
customer.city = data['city']
customer.age = data['age']
customer.name = escape(data['name'])
customer.city = escape(data['city'])
customer.age = escape(data['age'])

# Commit the changes to the database
db.session.commit()
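Review bot: escaping `request.form` values before storing them gives no validation; `age` still accepts any string, and the `name`/`city` values are stored HTML-encoded and will be encoded again on output. Validate the three fields (type and length) and return 400 on failure, as `create_customer` already does for its form check, and keep HTML escaping in the templates.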
10 changes: 5 additions & 5 deletions Python/Flask_Book_Library/project/loans/views.py
@@ -1,11 +1,11 @@
from flask import render_template, Blueprint, request, redirect, url_for, jsonify
from markupsafe import escape
from project import db
from project.loans.models import Loan
from project.loans.forms import CreateLoan
from project.books.models import Book
from project.customers.models import Customer


# Blueprint for loans
loans = Blueprint('loans', __name__, template_folder='templates', url_prefix='/loans')

@@ -51,10 +51,10 @@ def create_loan():
if request.method == 'POST':

# Process form submission
customer_name = form.customer_name.data
book_name = form.book_name.data
loan_date = form.loan_date.data
return_date = form.return_date.data
customer_name = escape(form.customer_name.data)
book_name = escape(form.book_name.data)
loan_date = escape(form.loan_date.data)
return_date = escape(form.return_date.data)

# Check if the book is available
book = Book.query.filter_by(name=book_name, status='available').first()
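Review bot: `escape(form.loan_date.data)` and `escape(form.return_date.data)` most likely change the type: if those are WTForms date fields, `.data` is a `datetime.date`, and `escape()` turns it into the `Markup` string of its `str()` form, so a date becomes text by the time it reaches the Loan model. Likewise `escape(book_name)` before `Book.query.filter_by(name=book_name, status='available')` changes the lookup value: a book titled `Tom & Jerry` is searched for as `Tom &amp; Jerry`, matching only rows that were themselves stored escaped by the new create path and missing any book created before this change. `filter_by` already parameterises the query, so `escape()` adds no SQL injection protection here; rely on the WTForms validators for the form and keep HTML escaping in the templates.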
18 changes: 18 additions & 0 deletions Python/Flask_Book_Library/project/tests/test_xss.py
@@ -0,0 +1,18 @@
from markupsafe import escape
import pytest


def test_escape_normal_text():
assert escape("Hello world") == "Hello world"


def test_escape_empty_string():
assert escape("") == ""


def test_escape_safe_html():
assert escape("<b>bold</b>") == "&lt;b&gt;bold&lt;/b&gt;"


def test_escape_script_tag():
assert escape("<script>alert('XSS')</script>") == "&lt;script&gt;alert(&#39;XSS&#39;)&lt;/script&gt;"
1 change: 1 addition & 0 deletions Python/Flask_Book_Library/requirements.txt
@@ -15,3 +15,4 @@ SQLAlchemy==2.0.21
typing_extensions==4.8.0
Werkzeug==2.3.7
WTForms==3.0.1
pytest==8.4.2
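Review bot: `pytest==8.4.2` is added to the runtime `requirements.txt`, so the Dockerfile's `pip install --no-cache-dir -r requirements.txt` installs it into the production image; move it to a separate `requirements-dev.txt` (or a test extra) and install that only in the stage that runs the tests.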
Binary file added model.png