Improve extensions + submissions autocomplete (#1532)

damianhxy · web-flow · commit 64e7e5c8fd46 · 2022-06-05T21:57:26.000-04:00
* Apply cg2v/Autolab@057493b * Apply cg2v/Autolab@752a44f * Prevent XSS * Remove html_safe * Handle differences in base 64 encoding * Add semicolon * Remove extraneous help-blocks * Update form style * Standardize submissions autocomplete * Fix gradebook xss * Extract backend autocomplete logic * Extract frontend autocomplete logic * Prevent email XSS * Refactor autocomplete partial * Escape HTML in flash * Fix roster csv * urlsafe_encode64 -> strict_encode64 * Remove sanitize * Add informative comments * Rename common to components * Shift method to Course model
diff --git a/app/controllers/courses_controller.rb b/app/controllers/courses_controller.rb
@@ -279,9 +279,9 @@ def download_roster
     output = ""
     @cuds.each do |cud|
       user = cud.user
-      output += "#{@course.semester},#{cud.user.email},#{user.last_name},#{user.first_name}," \
-                "#{cud.school},#{cud.major},#{cud.year},#{cud.grade_policy}," \
-                "#{cud.lecture},#{cud.section}\n"
+      # to_csv avoids issues with commas
+      output += [@course.semester, cud.user.email, user.last_name, user.first_name, cud.school,
+                 cud.major, cud.year, cud.grade_policy, cud.lecture, cud.section].to_csv
     end
     send_data output, filename: "roster.csv", type: "text/csv", disposition: "inline"
   end
diff --git a/app/controllers/extensions_controller.rb b/app/controllers/extensions_controller.rb
@@ -14,12 +14,7 @@ class ExtensionsController < ApplicationController
   action_auth_level :index, :instructor
   def index
     @extensions = @assessment.extensions.includes(:course_user_datum)
-    @users = {}
-    @usersEncoded = {}
-    @course.course_user_data.each do |cud|
-      @users[cud.full_name_with_email] = cud.id
-      @usersEncoded[Base64.encode64(cud.full_name_with_email.strip).strip] = cud.id
-    end
+    @users, @usersEncoded = @course.get_autocomplete_data
     @new_extension = @assessment.extensions.new
   end
 
diff --git a/app/controllers/submissions_controller.rb b/app/controllers/submissions_controller.rb
@@ -35,11 +35,7 @@ def new
         render([@course, @assessment, :submissions]) && return
       end
     else
-      @cuds = {}
-      # TODO: change order
-      @course.course_user_data.joins(:user).order("email ASC").each do |cud|
-        @cuds[cud.full_name_with_email] = cud.id
-      end
+      @users, @usersEncoded = @course.get_autocomplete_data
     end
   end
 
diff --git a/app/form_builders/form_builder_with_date_time_input.rb b/app/form_builders/form_builder_with_date_time_input.rb
@@ -126,16 +126,19 @@ def date_helper(name, options, strftime, date_format, alt_format)
     wrap_field name, field, options[:help_text]
   end
 
-  def wrap_field(name, field, help_text, display_name = nil)
-
+  def wrap_field(name, field, help_text = nil, display_name = nil)
     @template.content_tag :div, class: "input-field" do
       label(name, display_name, class: "control-label") +
          field + help_text(name, help_text)
     end
   end
 
   def help_text(_name, help_text)
-    @template.content_tag :p, help_text, class: "help-block"
+    if help_text.nil?
+      ""
+    else
+      @template.content_tag :p, help_text, class: "help-block"
+    end
   end
 
   def objectify_options(options)
diff --git a/app/helpers/gradebook_helper.rb b/app/helpers/gradebook_helper.rb
@@ -71,11 +71,12 @@ def gradebook_rows(matrix, course, section = nil, lecture = nil)
       grace_days = 0
       late_days = 0
 
+      # CGI.escapeHTML to avoid XSS
       row["id"] = cud.id
-      row["email"] = cud.user.email
+      row["email"] = CGI.escapeHTML cud.user.email
       row["student_gradebook_link"] = sgb_link
-      row["first_name"] = cud.user.first_name
-      row["last_name"] = cud.user.last_name
+      row["first_name"] = CGI.escapeHTML cud.user.first_name
+      row["last_name"] = CGI.escapeHTML cud.user.last_name
       row["section"] = cud.section
 
       # TODO: formalize score render stack, consolidate with computed score
diff --git a/app/models/course.rb b/app/models/course.rb
@@ -267,6 +267,20 @@ def asmts_before_date(date)
     asmts.where("due_at < ?", date)
   end
 
+  # Used by manage extensions and create submission
+  def get_autocomplete_data
+    users = {}
+    usersEncoded = {}
+    course_user_data.each do |cud|
+      # Escape once here, and another time in _autocomplete.html.erb (see comments)
+      users[CGI.escapeHTML cud.full_name_with_email] = cud.id
+      # base64 to avoid issues where leading / trailing whitespaces are stripped (see #931)
+      # strict_encode64 to avoid line feeds
+      usersEncoded[Base64.strict_encode64(cud.full_name_with_email.strip).strip] = cud.id
+    end
+    [users, usersEncoded]
+  end
+
 private
 
   def saved_change_to_grade_related_fields?
diff --git a/app/views/components/_autocomplete.html.erb b/app/views/components/_autocomplete.html.erb
@@ -0,0 +1,33 @@
+<script type="application/javascript">
+  /* requires @usersEncoded and @users to be set, i.e. via retrieve_autocompletion_data! */
+  jQuery(function() {
+    /* match user name/email with cud_id */
+    /* escape_javascript prevents issues with backslashes in names, etc. */
+    userData = {
+      <% @usersEncoded.each do |k,v| %>
+        "<%= j k %>": "<%= v %>",
+      <% end %>
+    };
+
+    /* user autocomplete */
+    $studentAutocompleteField = $('#student_autocomplete');
+    $hiddenCUDField = $('<%= hiddenCUDField %>');
+    /* note that the names were already escaped once in retrieve_autocompletion_data! */
+    /* and now, each name (k) is implicitly escaped a second time */
+    /* this is desired behavior since autocomplete unescapes once */
+    $studentAutocompleteField.autocomplete({
+      data: {
+        <% @users.each do |k,v| %>
+          "<%= j k %>": null,
+        <% end %>
+      }
+    });
+
+    /* track changes in student autocomplete field */
+    $studentAutocompleteField.on('change', function() {
+      /* $studentAutocompleteField.val() unescapes a second time */
+      encoded = window.btoa($studentAutocompleteField.val())
+      $hiddenCUDField.val(userData[encoded]);
+    });
+  });
+</script>
diff --git a/app/views/extensions/index.html.erb b/app/views/extensions/index.html.erb
@@ -1,32 +1,9 @@
 <% @title = "Manage Extensions" %>
 
 <% content_for :javascripts do %>
-
+  <%= render partial: "components/autocomplete", locals: { hiddenCUDField: "#extension_course_user_datum_id" } %>
   <script type="application/javascript">
     jQuery(function() {
-      /* match user name/email with cud_id */
-      userData = {
-        <% @usersEncoded.each do |k,v| %>
-          "<%= k %>": "<%= v %>",
-        <% end %>
-      };
-
-      /* user autocomplete */
-      $studentAutocompleteField = $('#student_autocomplete');
-      $hiddenCUDField = $('#extension_course_user_datum_id');
-      $studentAutocompleteField.autocomplete({
-        data: {
-          <% @users.each do |k,v| %>
-            "<%= k %>": null,
-          <% end %>
-        }
-      });
-
-      /* track changes in student autocomplete field */
-      $studentAutocompleteField.on('change', function() {
-        $hiddenCUDField.val(userData[window.btoa($studentAutocompleteField.val())]);
-      })
-
       /* set up dates */
       $dueDate = moment("<%= @assessment.due_at.to_s %>", "YYYY-MM-DD hh:mm:ss ZZ").startOf('day');
 
@@ -102,9 +79,8 @@
     <p><b>Create New Extension</b></p>
       <%= form_for @new_extension, :as=>"extension", :url=>{:action=>"create"}, builder: FormBuilderWithDateTimeInput do |f| %>
         <div class="input-field">
-          <label class="control-label active" for="student_autocomplete">Student Name/Email</label>
-          <input type="text" id="student_autocomplete" placeholder="Start typing student name or email" class="autocomplete" autocomplete="off">
-          <p class="help-block"></p>
+          <input type="text" size="3" id="student_autocomplete" class="autocomplete" autocomplete="off"/>
+          <label for="student_autocomplete">Start typing student name or email</label>
         </div>
         <p>Select a new due date (Currently due at: <span class="moment-date-time"><%= @assessment.due_at.to_s %></span>)</p>
         <%= f.date_select :due_at, greater_than: @assessment.due_at, id: "extension_due_at" %><br>
diff --git a/app/views/layouts/application.html.erb b/app/views/layouts/application.html.erb
@@ -68,14 +68,15 @@
 
         <!-- Flashes -->
         <div id="flashes">
+          <!-- Ruby escapes msg by default, no need for sanitization -->
           <% flash.each do |name, msg| %>
             <% if name == "roster_error" %>
               <div class="error" id="flash_error">
                 <%= render :partial=>'courses/uploadError',
                             locals: {roster_errors: msg} %>
               </div>
             <% else %>
-              <%= content_tag :div, sanitize(msg), id: "flash_#{name}",
+              <%= content_tag :div, msg, id: "flash_#{name}",
                   class: "#{name}" %>
             <% end %>
           <% end %>
diff --git a/app/views/layouts/home.html.erb b/app/views/layouts/home.html.erb
@@ -45,9 +45,10 @@
 
         <!-- Flashes -->
         <div id="flashes">
+          <!-- Ruby escapes msg by default, no need for sanitization -->
           <% flash.each do |name, msg| %>
-          <%= content_tag :div, sanitize(msg), id: "flash_#{name}",
-  					 	class: "#{name}" %>
+            <%= content_tag :div, msg, id: "flash_#{name}",
+                class: "#{name}" %>
           <% end %>
 
           <noscript>
diff --git a/app/views/submissions/new.html.erb b/app/views/submissions/new.html.erb
@@ -1,29 +1,5 @@
 <% content_for :javascripts do %>
-  <script type="application/javascript">
-    jQuery(function() {
-      userData = {
-        <% @cuds.each do |k,v| %>
-          "<%= k %>": "<%= v %>",
-        <% end %>
-      };
-
-      /* user autocomplete */
-      $studentAutocompleteField = $('#student_autocomplete');
-      $hiddenCUDField = $('#submission_course_user_datum_id');
-      $studentAutocompleteField.autocomplete({
-        data: {
-          <% @cuds.each do |k,v| %>
-            "<%= k %>": null,
-          <% end %>
-        }
-      });
-
-      /* track changes in student autocomplete field */
-      $studentAutocompleteField.on('change', function() {
-        $hiddenCUDField.val(userData[$studentAutocompleteField.val()]);
-      })
-    });
-  </script>
+  <%= render partial: "components/autocomplete", locals: { hiddenCUDField: "#submission_course_user_datum_id" } %>
 <% end %>
 
 <h2>Create Submission for <%= link_to @assessment.display_name, [@course, @assessment] %> </h2>
