Merge pull request #1627 from bertjwregeer/security/jsonp

Add some validation for the JSONP callback

pyramid/renderers.py

@@ -1,6 +1,7 @@
 import contextlib
 import json
 import os
+import re
 
 from zope.interface import (
     implementer,
@@ -23,6 +24,8 @@
 
 from pyramid.events import BeforeRender
 
+from pyramid.httpexceptions import HTTPBadRequest
+
 from pyramid.path import caller_package
 
 from pyramid.response import _get_response_factory
@@ -305,6 +308,8 @@ def default(obj):
 
 json_renderer_factory = JSON() # bw compat
 
+JSONP_VALID_CALLBACK = re.compile(r"^[a-zA-Z_$][0-9a-zA-Z_$]+$")
+
 class JSONP(JSON):
     """ `JSONP <http://en.wikipedia.org/wiki/JSONP>`_ renderer factory helper
     which implements a hybrid json/jsonp renderer.  JSONP is useful for
@@ -385,7 +390,11 @@ def _render(value, system):
             body = val
             if request is not None:
                 callback = request.GET.get(self.param_name)
+
                 if callback is not None:
+                    if not JSONP_VALID_CALLBACK.match(callback):
+                        raise HTTPBadRequest('Invalid JSONP callback function name.')
+
                     ct = 'application/javascript'
                     body = '%s(%s);' % (callback, val)
                 response = request.response

pyramid/tests/test_renderers.py

@@ -688,6 +688,14 @@ def test_render_without_request(self):
         result = renderer({'a':'1'}, {})
         self.assertEqual(result, '{"a": "1"}')
 
+    def test_render_to_jsonp_invalid_callback(self):
+        from pyramid.httpexceptions import HTTPBadRequest
+        renderer_factory = self._makeOne()
+        renderer = renderer_factory(None)
+        request = testing.DummyRequest()
+        request.GET['callback'] = '78mycallback'
+        self.assertRaises(HTTPBadRequest, renderer, {'a':'1'}, {'request':request})
+
 
 class Dummy:
     pass