Rewrite the way that user input is handled

2012-10-17 16:17:52 +02:00 · 2012-10-17 16:17:52 +02:00 · 6311df95e8
parent 5bb5d42d0f
commit 6311df95e8
3 changed files with 41 additions and 47 deletions
--- a/lg.py
+++ b/lg.py
@ -30,11 +30,11 @@ import json
 import random

 from toolbox import mask_is_valid, ipv6_is_valid, ipv4_is_valid, resolve, save_cache_pickle, load_cache_pickle, get_asn_from_as, unescape
-from xml.sax.saxutils import escape
+#from xml.sax.saxutils import escape


 import pydot
-from flask import Flask, render_template, jsonify, redirect, session, request, abort, Response
+from flask import Flask, render_template, jsonify, redirect, session, request, abort, Response, Markup

 app = Flask(__name__)
 app.config.from_pyfile('lg.cfg')
@ -58,17 +58,17 @@ def add_links(text):
        # Some heuristic to create link
        if line.strip().startswith("BGP.as_path:") or \
            line.strip().startswith("Neighbor AS:"):
-            ret_text.append(re.sub(r'(\d+)', r'<a href="/whois/\1" class="whois">\1</a>', line))
+            ret_text.append(re.sub(r'(\d+)', r'<a href="/whois?q=\1" class="whois">\1</a>', line))
        else:
-            line = re.sub(r'([a-zA-Z0-9\-]*\.([a-zA-Z]{2,3}){1,2})(\s|$)', r'<a href="/whois/\1" class="whois">\1</a>\3', line)
-            line = re.sub(r'AS(\d+)', r'<a href="/whois/\1" class="whois">AS\1</a>', line)
-            line = re.sub(r'(\d+\.\d+\.\d+\.\d+)', r'<a href="/whois/\1" class="whois">\1</a>', line)
+            line = re.sub(r'([a-zA-Z0-9\-]*\.([a-zA-Z]{2,3}){1,2})(\s|$)', r'<a href="/whois?q=\1" class="whois">\1</a>\3', line)
+            line = re.sub(r'AS(\d+)', r'<a href="/whois?q=\1" class="whois">AS\1</a>', line)
+            line = re.sub(r'(\d+\.\d+\.\d+\.\d+)', r'<a href="/whois?q=\1" class="whois">\1</a>', line)
            if len(request.path) >= 2:
                hosts = "/".join(request.path.split("/")[2:])
            else:
                hosts = "/"
            line = re.sub(r'\[(\w+)\s+((|\d\d\d\d-\d\d-\d\d\s)(|\d\d:)\d\d:\d\d|\w\w\w\d\d)', r'[<a href="/detail/%s?q=\1">\1</a> \2' % hosts, line)
-            line = re.sub(r'(^|\s+)(([a-f\d]{0,4}:){3,10}[a-f\d]{0,4})', r'\1<a href="/whois/\2" class="whois">\2</a>', line, re.I)
+            line = re.sub(r'(^|\s+)(([a-f\d]{0,4}:){3,10}[a-f\d]{0,4})', r'\1<a href="/whois?q=\2" class="whois">\2</a>', line, re.I)
            ret_text.append(line)
    return "\n".join(ret_text)

@ -168,29 +168,26 @@ def hello():


 def error_page(text):
-    return render_template('error.html', error=text), 500
+    return render_template('error.html', errors=[text]), 500


@app.errorhandler(400)
 def incorrect_request(e):
-        return render_template('error.html', warning="The server could not understand the request"), 400
+        return render_template('error.html', warnings=["The server could not understand the request"]), 400


@app.errorhandler(404)
 def page_not_found(e):
-        return render_template('error.html', warning="The requested URL was not found on the server."), 404
+        return render_template('error.html', warnings=["The requested URL was not found on the server."]), 404

-def sanitized(*args):
-    res = tuple( unescape(s) for s in args)
-    if len(args) == 1:
-        return res[0]
-    else:
-        return res
+def get_query():
+    q = unquote(request.args.get('q', '').strip())
+    return q

-@app.route("/whois/<query>")
-def whois(query):
-    query = sanitized(query)
-    if not query.strip():
+@app.route("/whois")
+def whois():
+    query = get_query()
+    if not query:
        abort(400)

    try:
@ -212,13 +209,12 @@ SUMMARY_RE_MATCH = r"(?P<name>[\w_]+)\s+(?P<proto>\w+)\s+(?P<table>\w+)\s+(?P<st
@app.route("/summary/<hosts>")
@app.route("/summary/<hosts>/<proto>")
 def summary(hosts, proto="ipv4"):
-    hosts, proto = sanitized(hosts, proto)

    set_session("summary", hosts, proto, "")
    command = "show protocols"

    summary = {}
-    error = []
+    errors = []
    for host in hosts.split("+"):
        ret, res = bird_command(host, proto, command)
        res = res.split("\n")
@ -235,16 +231,14 @@ def summary(hosts, proto="ipv4"):

            summary[host] = data
        else:
-            error.append("%s: bird command failed with error, %s" % (host, "\n".join(res)))
+            errors.append("%s: bird command failed with error, %s" % (host, "\n".join(res)))

-    return render_template('summary.html', summary=summary, command=command, error="<br>".join(error))
+    return render_template('summary.html', summary=summary, command=command, errors=errors)


@app.route("/detail/<hosts>/<proto>")
 def detail(hosts, proto):
-    name = request.args.get('q', '').strip()
-
-    hosts, proto, name= sanitized(hosts, proto, name)
+    name = get_query()

    if not name:
        abort(400)
@ -253,22 +247,21 @@ def detail(hosts, proto):
    command = "show protocols all %s" % name

    detail = {}
-    error = []
+    errors = []
    for host in hosts.split("+"):
        ret, res = bird_command(host, proto, command)
        res = res.split("\n")
        if len(res) > 1:
            detail[host] = {"status": res[1], "description": add_links(res[2:])}
        else:
-            error.append("%s: bird command failed with error, %s" % (host, "\n".join(res)))
+            errors.append("%s: bird command failed with error, %s" % (host, "\n".join(res)))

-    return render_template('detail.html', detail=detail, command=command, error="<br>".join(error))
+    return render_template('detail.html', detail=detail, command=command, errors=errors)


@app.route("/traceroute/<hosts>/<proto>")
 def traceroute(hosts, proto):
-    q = request.args.get('q', '').strip()
-    hosts, proto, q = sanitized(hosts, proto, q)
+    q = get_query()

    if not q:
        abort(400)
@ -362,12 +355,11 @@ def get_as_number_from_protocol_name(host, proto, protocol):
 def show_bgpmap():
    """return a bgp map in a png file, from the json tree in q argument"""

-    data = request.args.get('q', '').strip()
-    #data = sanitized(data)
+    data = get_query()
    if not data:
        abort(400)

-    data = json.loads(unquote(data))
+    data = json.loads(data)

    graph = pydot.Dot('BGPMAP', graph_type='digraph')

@ -521,8 +513,7 @@ def build_as_tree_from_raw_bird_ouput(host, proto, text):


 def show_route(request_type, hosts, proto):
-    expression = request.args.get('q', '').strip()
-    request_type, hosts, proto, expression = sanitized(request_type, hosts, proto, expression)
+    expression = get_query()
    if not expression:
        abort(400)

@ -569,7 +560,7 @@ def show_route(request_type, hosts, proto):
        command = "show route for " + expression + all

    detail = {}
-    error = []
+    errors = []
    for host in hosts.split("+"):
        ret, res = bird_command(host, proto, command)

@ -580,12 +571,12 @@ def show_route(request_type, hosts, proto):
            else:
                detail[host] = add_links(res)
        else:
-            error.append("%s: bird command failed with error, %s" % (host, "\n".join(res)))
+            errors.append("%s: bird command failed with error, %s" % (host, "\n".join(res)))

    if bgpmap:
        detail = json.dumps(detail)

-    return render_template((bgpmap and 'bgpmap.html' or 'route.html'), detail=detail, command=command, expression=expression, error="<br />".join(error))
+    return render_template((bgpmap and 'bgpmap.html' or 'route.html'), detail=detail, command=command, expression=expression, errors=errors)


 if __name__ == "__main__":
--- a/static/js/lg.js
+++ b/static/js/lg.js
@ -14,7 +14,7 @@ function reload(){
 	loc = "/" + request_type + "/" + hosts + "/" + proto;
 	if (request_type != "summary" ){
 		if( request_args != undefined && request_args != ""){
-			loc = loc + "?q=" + request_args;
+			loc = loc + "?q=" + escape(request_args);
 			change_url(loc)
 		} 
 	} else {
--- a/templates/layout.html
+++ b/templates/layout.html
@ -64,11 +64,15 @@
 		<div class="container-fluid">
 			<div class="row-fluid">
 				<div class="span8">
-					{% if warning %}
-					<div class="alert alert-warning">{{warning|safe}}</div>
+					{% if warnings %}
+					<div class="alert alert-warning">
+                        {% for warning in warnings %}{{warning}}<br />{% endfor %}
+                    </div>
 					{% endif %}
-					{% if error %}
-					<div class="alert alert-error">{{error|safe}}</div>
+					{% if errors %}
+					<div class="alert alert-error">
+						{% for error in errors %}{{error}}<br />{% endfor %}
+                    </div>
 					{% endif %}

 					{% block body %}{% endblock %}
@ -112,12 +116,11 @@
 		</div>
 		<script type="text/javascript" src="{{url_for('static', filename='js/jquery.js') }}"></script>
 		<script type="text/javascript" src="{{url_for('static', filename='js/bootstrap.min.js') }}"></script>
-		<script type="text/javascript" src="{{url_for('static', filename='js/jquery-impromptu.3.2.min.js') }}"></script>
        <script type="text/javascript" src="{{url_for('static', filename='js/jquery.dataTables.js') }}"></script>
        <script type="text/javascript" src="{{url_for('static', filename='js/DT_bootstrap.js') }}"></script>
 		<script type="text/javascript">
 			request_type = "{{session.request_type}}";
-			request_args = "{{session.request_args}}";
+			request_args = "{{session.request_args|safe}}";
 			hosts = "{{session.hosts}}";
 			proto = "{{session.proto}}";
 			history_query = {{session.history|tojson|safe}};