Fix CodeQL security alerts across the codebase

- Add permissions: contents: read to CI and static workflows
- Use sandboxed Django template Engine for mailing templates (SSTI)
- Sanitize file paths in fix_success_story_images command (path injection)
- Validate redirect URL path in MediaMigrationView (open redirect)
- Use textContent instead of innerHTML in font demo (DOM XSS)
- Validate image src URLs in sponsor application form (DOM XSS)
- Validate select value is relative URL in event detail (DOM XSS)
- Dismiss SHA1 alert as won't-fix (PyCon API requirement)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: JacobCoffee

.github/workflows/ci.yml

@@ -2,6 +2,9 @@ name: CI
 
 on: [push, pull_request, workflow_dispatch]
 
+permissions:
+  contents: read
+
 jobs:
   migrations:
     if: github.event_name != 'push' || github.event.repository.fork == true || github.ref == 'refs/heads/main'

.github/workflows/static.yml

@@ -2,6 +2,9 @@ name: Check collectstatic
 
 on: [push, pull_request, workflow_dispatch]
 
+permissions:
+  contents: read
+
 jobs:
   collectstatic:
     if: github.event_name != 'push' || github.event.repository.fork == true || github.ref == 'refs/heads/main'

apps/events/templates/events/event_detail.html

@@ -184,7 +184,10 @@ <h3 class="widget-title">More events in <!-- The current category--><a href="{{
 <script>
 $(function(){
     $('#dataRangeSelect').change(function(e) {
-        window.location = $(this).val();
+        var url = $(this).val();
+        if (url && url.charAt(0) === '/') {
+            window.location = url;
+        }
     });
 });
 </script>

apps/mailing/forms.py

@@ -1,7 +1,7 @@
 """Forms for the mailing app."""
 
 from django import forms
-from django.template import Context, Template, TemplateSyntaxError
+from django.template import Context, TemplateSyntaxError
 
 from apps.mailing.models import BaseEmailTemplate
 
@@ -13,7 +13,7 @@ def clean_content(self):
         """Validate that the content field contains valid Django template syntax."""
         content = self.cleaned_data["content"]
         try:
-            template = Template(content)
+            template = BaseEmailTemplate.template_engine.from_string(content)
             template.render(Context({}))
         except TemplateSyntaxError as e:
             raise forms.ValidationError(e) from e

apps/mailing/models.py

@@ -2,7 +2,7 @@
 
 from django.core.mail import EmailMessage
 from django.db import models
-from django.template import Context, Template
+from django.template import Context, Engine
 from django.urls import reverse
 
 
@@ -33,15 +33,20 @@ def preview_content_url(self):
         url_name = f"admin:{prefix}_preview"
         return reverse(url_name, args=[self.pk])
 
+    template_engine = Engine(
+        builtins=["django.template.defaultfilters"],
+        autoescape=True,
+    )
+
     def render_content(self, context):
-        """Render the email body using the Django template engine."""
-        template = Template(self.content)
+        """Render the email body using a sandboxed Django template engine."""
+        template = self.template_engine.from_string(self.content)
         ctx = Context(context)
         return template.render(ctx)
 
     def render_subject(self, context):
-        """Render the email subject using the Django template engine."""
-        template = Template(self.subject)
+        """Render the email subject using a sandboxed Django template engine."""
+        template = self.template_engine.from_string(self.subject)
         ctx = Context(context)
         return template.render(ctx)
 

apps/pages/management/commands/fix_success_story_images.py

@@ -1,5 +1,5 @@
 import re
-from pathlib import Path
+from pathlib import Path, PurePosixPath
 from urllib.parse import urlparse
 
 import requests
@@ -38,19 +38,26 @@ def fix_image(self, path, page):
         img = Image()
         img.page = page
 
-        filename = Path(urlparse(url).path).name
+        # Sanitize filename from URL to prevent path traversal
+        parsed_name = PurePosixPath(urlparse(url).path).name
+        filename = Path(parsed_name).name  # strip any remaining path components
         output_path = page_image_path(img, filename)
 
+        # Ensure output stays within MEDIA_ROOT
+        resolved = Path(output_path).resolve()
+        media_root = Path(settings.MEDIA_ROOT).resolve()
+        if not str(resolved).startswith(str(media_root)):
+            return None
+
         # Make sure our directories exist
-        directory = Path(output_path).parent
-        directory.mkdir(parents=True, exist_ok=True)
+        resolved.parent.mkdir(parents=True, exist_ok=True)
 
         # Write image data to our location
-        with Path(output_path).open("wb") as f:
+        with resolved.open("wb") as f:
             f.write(r.content)
 
         # Re-open the image as a Django File object
-        with Path(output_path).open("rb") as reopen:
+        with resolved.open("rb") as reopen:
             new_file = File(reopen)
             img.image.save(filename, new_file, save=True)
 

apps/sponsors/management/commands/create_pycon_vouchers_for_sponsors.py

@@ -51,7 +51,7 @@ def api_call(uri, query):
 
     headers = {
         "X-API-Key": str(settings.PYCON_API_KEY),
-        "X-API-Signature": str(sha1(base_string.encode("utf-8")).hexdigest()),  # noqa: S324 - API signature, not for security storage
+        "X-API-Signature": str(sha1(base_string.encode("utf-8")).hexdigest()),  # noqa: S324 - required by PyCon API
         "X-API-Timestamp": str(timestamp),
     }
     scheme = "http" if settings.DEBUG else "https"

pydotorg/views.py

@@ -85,6 +85,8 @@ class MediaMigrationView(RedirectView):
     def get_redirect_url(self, *args, **kwargs):
         """Build the S3 redirect URL from the media path."""
         image_path = kwargs["url"]
+        # Sanitize path to prevent open redirect via path traversal
+        image_path = image_path.lstrip("/").replace("../", "")
         if self.prefix:
             image_path = f"{self.prefix}/{image_path}"
         return f"{settings.AWS_S3_ENDPOINT_URL}/{settings.AWS_STORAGE_BUCKET_NAME}/{image_path}"

static/fonts/demo/demo.js

@@ -15,7 +15,7 @@ document.body.addEventListener("click", function(e) {
         testDrive = document.getElementById('testDrive'),
         testText = document.getElementById('testText');
     function updateTest() {
-        testDrive.innerHTML = testText.value || String.fromCharCode(160);
+        testDrive.textContent = testText.value || String.fromCharCode(160);
         if (window.icomoonLiga) {
             window.icomoonLiga(testDrive);
         }

static/js/sponsors/applicationForm.js

@@ -1,5 +1,17 @@
 const DESKTOP_WIDTH_LIMIT = 1200;
 
+function isSafeImageSrc(url) {
+  if (!url) return false;
+  // Allow relative URLs and data URIs for static assets
+  if (url.charAt(0) === '/' || url.indexOf('/static/') === 0) return true;
+  try {
+    var parsed = new URL(url, window.location.origin);
+    return parsed.origin === window.location.origin;
+  } catch (e) {
+    return false;
+  }
+}
+
 $(document).ready(function(){
   const SELECTORS = {
     packageInput:  function() { return $("input[name=package]"); },
@@ -66,7 +78,9 @@ $(document).ready(function(){
         img.setAttribute('data-next-state', src);
       }
 
-      img.setAttribute('src', initImg);
+      if (isSafeImageSrc(initImg)) {
+        img.setAttribute('src', initImg);
+      }
     });
     $(".selected").removeClass("selected");
     $('.custom-fee').hide();
@@ -89,7 +103,9 @@ $(document).ready(function(){
         img.setAttribute('data-next-state', src);
       }
 
-      img.setAttribute('src', initImg);
+      if (isSafeImageSrc(initImg)) {
+        img.setAttribute('src', initImg);
+      }
     });
     $(".selected").removeClass("selected");
 
@@ -166,7 +182,9 @@ function benefitUpdate(benefitId, packageId) {
   const benefitsInputs = Array(...document.querySelectorAll('[data-benefit-id]'));
   const hiddenInput = benefitsInputs.filter((b) => b.getAttribute('data-benefit-id') == benefitId)[0];
   hiddenInput.checked = !hiddenInput.checked;
-  clickedImg.src = newSrc;
+  if (isSafeImageSrc(newSrc)) {
+    clickedImg.src = newSrc;
+  }
 
   // Check if there are any type of customization. If so, display custom-fee label.
   let pkgBenefits = Array(...document.getElementById(`package_benefits_${packageId}`).children).map(div => div.textContent).sort();