CVE-2020-12759: Fix reflected XSS vulnerability in Dropbox webhook.

Also check the challenge argument’s presence before using it. Signed-off-by: Anders Kaseorg <anders@zulip.com>
2026-06-21 21:32:29 +08:00 · 2020-05-12 20:55:22 -07:00 · 2020-05-12 20:55:22 -07:00 · 87f7874a79
commit 87f7874a79
parent a0a7170f48
2 changed files with 17 additions and 3 deletions
--- a/zerver/webhooks/dropbox/tests.py
+++ b/zerver/webhooks/dropbox/tests.py
@ -20,8 +20,13 @@ class DropboxHookTests(WebhookTestCase):
    def test_verification_request(self) -> None:
        self.subscribe(self.test_user, self.STREAM_NAME)
        get_params = {'stream_name': self.STREAM_NAME,
-                      'challenge': '9B2SVL4orbt5DxLMqJHI6pOTipTqingt2YFMIO0g06E',
                      'api_key': get_api_key(self.test_user)}
        result = self.client_get(self.url, get_params)
+        self.assert_json_error(result, "Missing 'challenge' argument", 400)

+        get_params['challenge'] = '9B2SVL4orbt5DxLMqJHI6pOTipTqingt2YFMIO0g06E'
+        result = self.client_get(self.url, get_params)
+
+        self.assertEqual(result.status_code, 200)
+        self.assertEqual(result["Content-Type"], "text/plain; charset=UTF-8")
        self.assert_in_response('9B2SVL4orbt5DxLMqJHI6pOTipTqingt2YFMIO0g06E', result)
--- a/zerver/webhooks/dropbox/view.py
+++ b/zerver/webhooks/dropbox/view.py
@ -1,6 +1,9 @@
+from typing import Optional
+
 from django.http import HttpRequest, HttpResponse

 from zerver.decorator import api_key_only_webhook_view, has_request_variables
+from zerver.lib.request import REQ, RequestVariableMissingError
 from zerver.lib.response import json_success
 from zerver.lib.webhooks.common import check_send_webhook_message
 from zerver.models import UserProfile
@ -8,11 +11,17 @@ from zerver.models import UserProfile

@api_key_only_webhook_view('Dropbox', notify_bot_owner_on_invalid_json=False)
@has_request_variables
-def api_dropbox_webhook(request: HttpRequest, user_profile: UserProfile) -> HttpResponse:
+def api_dropbox_webhook(
+    request: HttpRequest,
+    user_profile: UserProfile,
+    challenge: Optional[str]=REQ(default=None),
+) -> HttpResponse:
    if request.method == 'POST':
        topic = 'Dropbox'
        check_send_webhook_message(request, user_profile, topic,
                                   "File has been updated on Dropbox!")
        return json_success()
    else:
-        return HttpResponse(request.GET['challenge'])
+        if challenge is None:
+            raise RequestVariableMissingError("challenge")
+        return HttpResponse(challenge, content_type="text/plain; charset=UTF-8")