Merge pull request #449 from kevin-bates/escape-user-input

Escape user input in handlers flagged during code scans

Author: blink1073

examples/simple/simple_ext1/handlers.py

@@ -1,5 +1,6 @@
 from jupyter_server.base.handlers import JupyterHandler
 from jupyter_server.extension.handler import ExtensionHandlerMixin, ExtensionHandlerJinjaMixin
+from jupyter_server.utils import url_escape
 
 class DefaultHandler(ExtensionHandlerMixin, JupyterHandler):
     def get(self):
@@ -19,8 +20,8 @@ def get(self, matched_part=None, *args, **kwargs):
         var1 = self.get_argument('var1', default=None)
         components = [x for x in self.request.path.split("/") if x]
         self.write('<h1>Hello Simple App 1 from Handler.</h1>')
-        self.write('<p>matched_part: {}</p>'.format(matched_part))
-        self.write('<p>var1: {}</p>'.format(var1))
+        self.write('<p>matched_part: {}</p>'.format(url_escape(matched_part)))
+        self.write('<p>var1: {}</p>'.format(url_escape(var1)))
         self.write('<p>components: {}</p>'.format(components))
 
 class BaseTemplateHandler(ExtensionHandlerJinjaMixin, ExtensionHandlerMixin, JupyterHandler): pass

examples/simple/simple_ext2/handlers.py

@@ -1,13 +1,14 @@
 from jupyter_server.base.handlers import JupyterHandler
 from jupyter_server.extension.handler import ExtensionHandlerMixin, ExtensionHandlerJinjaMixin
+from jupyter_server.utils import url_escape
 
 class ParameterHandler(ExtensionHandlerMixin, JupyterHandler):
     def get(self, matched_part=None, *args, **kwargs):
         var1 = self.get_argument('var1', default=None)
         components = [x for x in self.request.path.split("/") if x]
         self.write('<h1>Hello Simple App 2 from Handler.</h1>')
-        self.write('<p>matched_part: {}</p>'.format(matched_part))
-        self.write('<p>var1: {}</p>'.format(var1))
+        self.write('<p>matched_part: {}</p>'.format(url_escape(matched_part)))
+        self.write('<p>var1: {}</p>'.format(url_escape(var1)))
         self.write('<p>components: {}</p>'.format(components))
 
 class BaseTemplateHandler(ExtensionHandlerJinjaMixin, ExtensionHandlerMixin, JupyterHandler): pass

jupyter_server/services/contents/handlers.py

@@ -282,7 +282,7 @@ def get(self, path):
         self.redirect(url_path_join(
             self.base_url,
             'api/contents',
-            path
+            url_escape(path)
         ))
 
     put = patch = post = delete = get