Merge commit from fork

The default `Content-Type` for `HttpResponse` is `text/html`, so an attacker can create a label a `<script>` tag inside its name, generate a quality report, and give a direct link to the `/data` endpoint to a victim user, causing the script to execute with that user's permission.
cvat-ai · Sep 20, 2024 · 75c3d57 · 75c3d57
1 parent 0bf45fd
commit 75c3d57
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 1 deletion.
diff --git a/changelog.d/20240916_144227_roman_xss_quality_report.md b/changelog.d/20240916_144227_roman_xss_quality_report.md
@@ -0,0 +1,4 @@
+### Security
+
+- Fixed an XSS vulnerability in the quality report data endpoint
+  (<https://github.com/cvat-ai/cvat/security/advisories/GHSA-2c85-39cc-2px9>)
diff --git a/cvat/apps/quality_control/views.py b/cvat/apps/quality_control/views.py
@@ -329,7 +329,7 @@ def create(self, request, *args, **kwargs):
     def data(self, request, pk):
         report = self.get_object()  # check permissions
         json_report = qc.prepare_report_for_downloading(report, host=get_server_url(request))
-        return HttpResponse(json_report.encode())
+        return HttpResponse(json_report.encode(), content_type="application/json")
 
 
 @extend_schema(tags=["quality"])