Skip to content

RED-1930 mitigations#483

Merged
dpinney-nreca merged 15 commits intonreca-bts:masterfrom
ASC95:master
Apr 8, 2026
Merged

RED-1930 mitigations#483
dpinney-nreca merged 15 commits intonreca-bts:masterfrom
ASC95:master

Conversation

@ASC95
Copy link
Copy Markdown
Contributor

@ASC95 ASC95 commented Apr 8, 2026

Added changes to secure filenames identified in RED-1930 report. Made minor style changes to make certain functions more obviously module-private, removed GET requests from a few routes that should be POST only and updated callers, added CSRF token to feeder map editor, reordered the /unqiqObjName route.

ASC95 added 15 commits September 3, 2025 03:14
@ASC95
Ensure that GeoJSON polygons always render beneath circuit objects
6eebd02
@ASC95
Merge branch 'nreca-bts:master' into master
ef7f938
@ASC95
When the GridLAB-D solver is used, it writes each key-value pair in t…
cb81fda 
…he 'attachments' key of the .omd to its own file. The value of this key-value pair must be a string, or <file>.write() raises an Exception. Normally, every value is a string. However, the 'geojsonFiles' key has a dict as its value. Converting the value to a str() will have no impact on existing code but will prevent an exception from being raised if the GridLAB-D solver is run on an .omd file that contains the 'geojsonFiles' key.
@ASC95
Merge branch 'nreca-bts:master' into master
49fb205
@ASC95
Merge branch 'master' of github.com:ASC95/omf
bade42f
@ASC95
Merge branch 'master' of github.com:ASC95/omf
46659b3
@ASC95
Merge branch 'master' of github.com:ASC95/omf
04a69e7
@ASC95
Merge branch 'nreca-bts:master' into master
06eed4b
@ASC95
web.py - rename module-private functions to have leading underscore a…
c408d28 
…ccording to python convention
@ASC95
web.py - /newModel changes the server state, therefore it should be l…
f96fd2a 
…imited to POST requests. This reduces the attack surface in web.py

forecastTool.html - update call to /newModel to use POST request
test_accessControl.py - update call to /newModel to use POST request
@ASC95
web.py - rename additional module-private functions to have leading u…
4cdb5c3 
…nderscore according to python convention
@ASC95
modalFeatures.js - update /renameFeeder calls from GET to POST
2975f2a 
clusterLogin.html - update /forgotPassword call from GET to POST
distNetViz.html - update /renameFeeder calls from GET to POST
web.py - reduce overall attack surface by strictly limiting web routes to their correct HTTP methods. E.g. sever-changing operations should always use POST so attackers can't attack a route through an <img> tag
@ASC95
featureController.js - added CSRF token to ajax call
201379a
@ASC95
modalFeatures.js & distNetViz.html & distText.html & gridEdit.thml & …
d0f617b 
…transEdit.html & web.py - switch ordering of /uniqObjName modelName and name parameters because semantically the modelName should always come before the name of a file within the model directory
@ASC95
web.py - added secure_filename() to CWE-22 vulnerabilities identified…
2622935 
… in RED-1930 report
@dpinney-nreca dpinney-nreca merged commit d20086a into nreca-bts:master Apr 8, 2026
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dpinney-nreca dpinney-nreca dpinney-nreca approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ASC95 @dpinney-nreca