Fixing synk vulnerability

Author: cherriae

Diff for: app/auth/routes.py

@@ -2,6 +2,7 @@
 
 import asyncio
 from functools import wraps
+import os
 from urllib.parse import urljoin, urlparse
 
 from bson import ObjectId
@@ -90,10 +91,17 @@ def on_blueprint_init(state):
 
 
 def is_safe_url(target):
+    if not target:
+        return False
+    
     ref_url = urlparse(request.host_url)
     test_url = urlparse(urljoin(request.host_url, target))
-    return test_url.scheme in ('http', 'https') and \
-           ref_url.netloc == test_url.netloc
+    
+    return (
+        test_url.scheme in ('http', 'https') and
+        ref_url.netloc == test_url.netloc and
+        not any(c in target for c in ['\\', '//', '..'])
+    )
 
 
 @auth_bp.route("/login", methods=["GET", "POST"])
@@ -118,8 +126,7 @@ async def login():
             next_page = request.args.get('next')
             if not next_page or not is_safe_url(next_page):
                 next_page = url_for('index')
-            else:
-                next_page = url_for(next_page)
+
             flash("Successfully logged in", "success")
             return redirect(next_page)
 
@@ -218,7 +225,7 @@ def profile_picture(user_id):
     """Get user's profile picture"""
     user = user_manager.get_user_by_id(user_id)
     if not user or not user.profile_picture_id:
-        return send_file("static/images/default_profile.png")
+        return send_file(os.path.join(current_app.root_path, "static", "images", "default_profile.png"))
 
     return send_gridfs_file(
         user.profile_picture_id,

Diff for: app/static/js/offline-storage.js

@@ -95,7 +95,15 @@ async function syncPendingRequests() {
 
   for (const request of pendingRequests) {
     try {
-      const response = await fetch(request.url, {
+      const url = new URL(request.url, window.location.origin);
+
+      if (url.origin !== window.location.origin) {
+        console.error(`Invalid URL origin for request ${request.id}`);
+        await offlineStorage.removePendingRequest(request.id);
+        continue;
+      }
+
+      const response = await fetch(url.toString(), {
         method: request.method,
         headers: new Headers(request.headers),
         body: request.body

Diff for: app/static/js/search.js

@@ -91,47 +91,70 @@ document.addEventListener('DOMContentLoaded', function() {
             team.scouting_data.forEach(entry => {
                 const row = document.createElement('tr');
 
-                // Format coral scores as L1/L2/L3/L4
+                const createCell = (content) => {
+                    const td = document.createElement('td');
+                    td.className = 'px-6 py-4 whitespace-nowrap';
+                    if (typeof content === 'string' || typeof content === 'number') {
+                        td.textContent = content;
+                    } else {
+                        td.appendChild(content);
+                    }
+                    return td;
+                };
+
+                // Format scores
                 const autoCoral = `${entry.auto_coral_level1}/${entry.auto_coral_level2}/${entry.auto_coral_level3}/${entry.auto_coral_level4}`;
                 const teleopCoral = `${entry.teleop_coral_level1}/${entry.teleop_coral_level2}/${entry.teleop_coral_level3}/${entry.teleop_coral_level4}`;
-                
-                // Format algae scores as net/processor
                 const autoAlgae = `${entry.auto_algae_net}/${entry.auto_algae_processor}`;
                 const teleopAlgae = `${entry.teleop_algae_net}/${entry.teleop_algae_processor}/${entry.human_player || 0}`;
-                
-                row.innerHTML = `
-                    <td class="px-6 py-4 whitespace-nowrap">${entry.event_code}</td>
-                    <td class="px-6 py-4 whitespace-nowrap">${entry.match_number}</td>
-                    <td class="px-6 py-4 whitespace-nowrap">${autoCoral}</td>
-                    <td class="px-6 py-4 whitespace-nowrap">${autoAlgae}</td>
-                    <td class="px-6 py-4 whitespace-nowrap">${teleopCoral}</td>
-                    <td class="px-6 py-4 whitespace-nowrap">${teleopAlgae}</td>
-                    <td class="px-6 py-4 whitespace-nowrap">
-                        ${entry.climb_success ? 
-                          `<span class="text-green-600">✓ ${entry.climb_type}</span>` : 
-                          `<span class="text-red-600">✗ ${entry.climb_type || 'Failed'}</span>`}
-                    </td>
-                    <td class="px-6 py-4 whitespace-nowrap">
-                        ${entry.auto_path ? 
-                          `<button onclick="showAutoPath('${entry.auto_path}', '${entry.auto_notes}')" 
-                                   class="text-blue-600 hover:text-blue-900">
-                               View Path
-                           </button>` : 
-                          `<span class="text-gray-400">No path</span>`}
-                    </td>
-                    <td class="px-6 py-4 whitespace-nowrap">${entry.defense_rating}/5</td>
-                    <td class="px-6 py-4 whitespace-nowrap">${entry.notes || ''}</td>
-                    <td class="px-6 py-4 whitespace-nowrap">${entry.scouter_name}</td>
-                `;
+
+                // Create climb status cell
+                const climbSpan = document.createElement('span');
+                climbSpan.className = entry.climb_success ? 'text-green-600' : 'text-red-600';
+                climbSpan.textContent = `${entry.climb_success ? '✓' : '✗'} ${entry.climb_type || 'Failed'}`;
+
+                // Create auto path cell
+                const pathCell = document.createElement('td');
+                pathCell.className = 'px-6 py-4 whitespace-nowrap';
+                if (entry.auto_path) {
+                    const pathButton = document.createElement('button');
+                    pathButton.className = 'text-blue-600 hover:text-blue-900';
+                    pathButton.textContent = 'View Path';
+                    pathButton.addEventListener('click', () => {
+                        showAutoPath(entry.auto_path, entry.auto_notes);
+                    });
+                    pathCell.appendChild(pathButton);
+                } else {
+                    const noPath = document.createElement('span');
+                    noPath.className = 'text-gray-400';
+                    noPath.textContent = 'No path';
+                    pathCell.appendChild(noPath);
+                }
+
+                // Add all cells to the row
+                row.append(
+                    createCell(entry.event_code),
+                    createCell(entry.match_number),
+                    createCell(autoCoral),
+                    createCell(autoAlgae),
+                    createCell(teleopCoral),
+                    createCell(teleopAlgae),
+                    createCell(climbSpan),
+                    pathCell,
+                    createCell(`${entry.defense_rating}/5`),
+                    createCell(entry.notes || ''),
+                    createCell(entry.scouter_name)
+                );
+
                 scoutingTableBody.appendChild(row);
             });
         } else {
             const row = document.createElement('tr');
-            row.innerHTML = `
-                <td colspan="11" class="px-6 py-4 text-center text-gray-500">
-                    No scouting data available for this team
-                </td>
-            `;
+            const cell = document.createElement('td');
+            cell.colSpan = 11;
+            cell.className = 'px-6 py-4 text-center text-gray-500';
+            cell.textContent = 'No scouting data available for this team';
+            row.appendChild(cell);
             scoutingTableBody.appendChild(row);
         }