From 5dc12514db085cd27b471051ef1f113f216b7965 Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]"
 <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Sat, 24 Jan 2026 11:01:15 +0000
Subject: [PATCH] =?UTF-8?q?=F0=9F=9B=A1=EF=B8=8F=20Sentinel:=20[HIGH]=20Fi?=
 =?UTF-8?q?x=20XSS=20risk=20in=20folder=20names?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Sanitize folder names from external JSON sources to prevent potential Stored XSS or injection attacks.

🚨 Severity: HIGH
💡 Vulnerability: External blocklists define folder names. Malicious blocklists could include XSS payloads (e.g. `<script>`) in folder names, which might be executed in the ControlD dashboard.
🎯 Impact: Stored XSS leading to potential session hijacking or unauthorized actions on the user's ControlD account.
🔧 Fix: Added `is_valid_folder_name` validator that blocks dangerous characters (`<>\"'`) and ensures folder names are printable strings. Integrated into `validate_folder_data`.
✅ Verification: Added `test_validate_folder_data_sanitizes_names` in `tests/test_security.py`. Verified that XSS payloads are rejected.
---
 main.py                | 25 +++++++++++++++++++++++++
 tests/test_security.py | 30 ++++++++++++++++++++++++++++++
 2 files changed, 55 insertions(+)

diff --git a/main.py b/main.py
index c7810580..8451a6ea 100644
--- a/main.py
+++ b/main.py
@@ -273,6 +273,21 @@ def is_valid_rule(rule: str) -> bool:
 
     return True
 
+def is_valid_folder_name(name: str) -> bool:
+    """
+    Validates that a folder name is safe.
+    Rejects potentially dangerous characters (XSS/Injection).
+    """
+    if not name or not name.isprintable():
+        return False
+
+    # Block XSS and injection chars
+    dangerous_chars = set("<>\"'`")
+    if any(c in dangerous_chars for c in name):
+        return False
+
+    return True
+
 def validate_folder_data(data: Dict[str, Any], url: str) -> bool:
     if not isinstance(data, dict):
         log.error(f"Invalid data from {sanitize_for_log(url)}: Root must be a JSON object.")
@@ -286,6 +301,16 @@ def validate_folder_data(data: Dict[str, Any], url: str) -> bool:
     if "group" not in data["group"]:
         log.error(f"Invalid data from {sanitize_for_log(url)}: Missing 'group.group' (folder name).")
         return False
+
+    folder_name = data["group"]["group"]
+    if not isinstance(folder_name, str):
+        log.error(f"Invalid data from {sanitize_for_log(url)}: Folder name must be a string.")
+        return False
+
+    if not is_valid_folder_name(folder_name):
+        log.error(f"Invalid data from {sanitize_for_log(url)}: Folder name contains unsafe characters.")
+        return False
+
     return True
 
 def _api_get(client: httpx.Client, url: str) -> httpx.Response:
diff --git a/tests/test_security.py b/tests/test_security.py
index 579c60d1..c11fd344 100644
--- a/tests/test_security.py
+++ b/tests/test_security.py
@@ -85,3 +85,33 @@ def test_push_rules_filters_xss_payloads():
     finally:
         main._api_post_form = original_post_form
         main.log = original_log
+
+def test_validate_folder_data_sanitizes_names():
+    """
+    Verify that validate_folder_data rejects unsafe folder names (XSS prevention).
+    """
+    # Mock logger to check error messages
+    mock_log = MagicMock()
+    original_log = main.log
+    main.log = mock_log
+
+    try:
+        # 1. Valid Folder Name
+        valid_data = {"group": {"group": "My Safe Folder"}}
+        assert main.validate_folder_data(valid_data, "https://example.com/valid.json") is True
+
+        # 2. XSS Payload in Folder Name
+        xss_data = {"group": {"group": "<script>alert(1)</script>"}}
+        assert main.validate_folder_data(xss_data, "https://example.com/xss.json") is False
+        assert mock_log.error.called
+
+        # 3. Non-string Folder Name
+        bad_type_data = {"group": {"group": 12345}}
+        assert main.validate_folder_data(bad_type_data, "https://example.com/bad_type.json") is False
+
+        # 4. Dangerous chars (quote)
+        quote_data = {"group": {"group": "Folder \"Bad\""}}
+        assert main.validate_folder_data(quote_data, "https://example.com/quote.json") is False
+
+    finally:
+        main.log = original_log