Validate Template Preview Data

The user data, (first line of parsed input data), used for the template content validation and preview, validated (sanitized) by IntelMQ before using it for the template preview, otherwise syntactically incorrect values could lead to PostgreSQL errors. Invalid fields are ignored and replaced by example data.

CHANGELOG.md

@@ -2,6 +2,13 @@ CHANGELOG
 =========
 
 
+1.2.2: Validate Template Preview Data (2023-09-12)
+--------------------------------------------------
+
+## Backend
+- The user data, (first line of parsed input data), used for the template content validation and preview, validated (sanitized) by IntelMQ before using it for the template preview, otherwise syntactically incorrect values could lead to PostgreSQL errors. Invalid fields are ignored and replaced by example data.
+
+
 1.2.1: UI Corrections (2023-09-12)
 ----------------------------------
 

client/src/components/WebinputCSV.vue

@@ -827,7 +827,7 @@ export default ({
       errorMessage: null,
       showErrorModal: false,
       mailgenTargetGroups: [],
-      clientVersion: "1.2.1",
+      clientVersion: "1.2.2",
       templateDeletionModal: false,
       templateToDelete: {'index': null, 'template_name': null},
       mailgenTemplate: '',
@@ -1438,13 +1438,15 @@ export default ({
     previewMailgenTemplate(showDialog=false) {
       this.mailgenInProgress = true;
       this.mailgenLog = '';
+      let previewData = this.csvToArray(1);
+      previewData = previewData.length ? previewData[0] : {};
       this.$http.post('api/mailgen/preview',
           {
             template: this.mailgenTemplate,
             verbose: this.mailgenVerbose,
             dry_run: this.mailgenDryRun,
             assigned_columns: this.tableHeaderFlat,
-            data: this.csvToArray(1),
+            data: previewData,
             })
         .then(response => {
           this.mailgenInProgress = false;

debian/changelog

@@ -1,3 +1,9 @@
+intelmq-webinput-csv (1.2.2-1) stable; urgency=medium
+
+  * Validate Template Preview Data: The user data, (first line of parsed input data), used for the template content validation and preview, validated (sanitized) by IntelMQ before using it for the template preview, otherwise syntactically incorrect values could lead to PostgreSQL errors. Invalid fields are ignored and replaced by example data.
+
+ -- Sebastian Wagner <swagner@intevation.de>  Tue, 12 Sep 2023 22:06:11 +0200
+
 intelmq-webinput-csv (1.2.1-1) stable; urgency=medium
 
   * Frontend

intelmq_webinput_csv/serve.py

@@ -485,7 +485,14 @@ def mailgen_preview(body, request, response):
 
     format_spec = build_format_spec(body.get('assigned_columns'))
     example_data = EXAMPLE_CERTBUND_EVENT.copy()
-    example_data.update(body.get('data', [{}])[0])
+    user_data = Event()
+    # validate the user data so that we only have syntactically correct values
+    # otherwise the database INSERT may fail because of incorrect types
+    for key, value in body.get('data', {}).items():
+        # we ignore errors here
+        # the goal is to show a template preview and give feedback on the template, not on the data
+        user_data.add(key, value, sanitize=True, overwrite=True, raise_failure=False)
+    example_data.update(user_data)
 
     try:
         mailgen_config = cb.read_configuration(CONFIG.get('mailgen_config_file'))

intelmq_webinput_csv/version.py

@@ -1,4 +1,4 @@
 # SPDX-FileCopyrightText: 2017-2018 nic.at GmbH <wagner@cert.at>, 2022-2023 Bundesamt für Sicherheit in der Informationstechnik
 # SPDX-License-Identifier: AGPL-3.0-or-later
-__version_info__ = (1, 2, 1)
+__version_info__ = (1, 2, 2)
 __version__ = '.'.join(map(str, __version_info__))