
Simplify organization registration form with comprehensive security hardening

Open Copilot opened this issue 3 months ago • 14 comments

Plan: Simplify Organization Registration Form

Based on the issue requirements, I need to create a simplified organization registration form that only requires:

  • Organization name (required)
  • Organization URL (required)
  • Organization logo (required)

Backend validation with comprehensive security hardening:

  • URL format validation (HTTPS only)
  • Company name uniqueness with DB constraint
  • Race condition protection
  • SSRF vulnerability prevention
  • Hardened file upload validation

Implementation Checklist:

  • [x] Update the RegisterOrganizationView POST method to simplify validation
    • [x] Remove optional fields from required validation
    • [x] Keep only name, URL, and logo as required
    • [x] Add URL format validation (removed synchronous HTTP calls)
    • [x] Add company name uniqueness check with improved messaging
    • [x] Improve error messages to be clear and specific
  • [x] Update the register_organization.html template
    • [x] Make only name, URL, and logo required fields
    • [x] Mark other fields as optional (support email, social media, managers)
    • [x] Update UI messaging to reflect simplified requirements
    • [x] Reorganize form sections for better visual hierarchy
  • [x] Security hardening
    • [x] Add atomic transactions to prevent race conditions
    • [x] Add database unique constraint on organization name
    • [x] Handle IntegrityError for constraint violations
    • [x] Remove synchronous HTTP calls from view (server-side validation only)
    • [x] Add SSRF protection using rebuild_safe_url()
    • [x] Harden file upload with PIL validation, size limits (2MB), extension whitelist
    • [x] Generate safe filenames using UUID (no user input)
    • [x] Sanitize and normalize all inputs with max length enforcement
    • [x] Limit manager emails to 10 and validate active users only
    • [x] Add comprehensive error handling and logging
  • [x] Test the changes
    • [x] Updated test to include logo file
    • [x] Updated mock for PIL validation
    • [x] Verified test structure matches new requirements
  • [x] Run security checks
    • [x] CodeQL scanner found no vulnerabilities
    • [x] Created database migration for unique constraint
  • [x] Merge with main branch
    • [x] Resolved conflicts with latest main branch changes
    • [x] Integrated new referral code system for organization invites
    • [x] Preserved all security improvements

Security Improvements

Race Condition Protection

  • Database unique constraint on organization.name
  • Atomic transactions with double-check pattern
  • Proper IntegrityError handling

Input Sanitization

  • All text inputs truncated to model max lengths
  • Whitespace stripped from all fields
  • Manager emails limited to 10 maximum
  • Only active users can be added as managers

SSRF Protection

  • Using rebuild_safe_url() to validate URLs
  • Blocks private IPs (10.x, 172.16.x, 192.168.x)
  • Blocks loopback and link-local addresses
  • DNS safety checks included
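As an added illustration of the checks listed above (this is example code, not BLT's own rebuild_safe_url(), whose implementation is not on this page), a stdlib-only URL validator that enforces HTTPS and rejects hosts resolving to private, loopback or link-local addresses. The resolver is injectable so it runs offline; the names and addresses in FAKE_DNS are constructed for the demo.

```python
import ipaddress
import socket
from urllib.parse import urlparse


def _default_resolver(host):
    """Resolve host to every A/AAAA record so no resolved address is skipped."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def _is_disallowed(ip):
    """Addresses that must never be reached from a server-side fetch."""
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def check_org_url(url, resolver=_default_resolver):
    """Return (ok, reason); ok is True only for an https URL whose host
    resolves exclusively to public addresses."""
    parsed = urlparse(url.strip())
    if parsed.scheme != "https":
        return False, "URL must use https"
    if parsed.username or parsed.password:
        return False, "credentials in URL are not allowed"
    host = parsed.hostname
    if not host:
        return False, "URL has no host"
    # A literal IP needs no lookup; otherwise check every resolved address,
    # since a name can mix a public record with a private one.
    try:
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError:  # socket.gaierror is a subclass of OSError
            return False, "host does not resolve"
    if not addrs:
        return False, "host does not resolve"
    for addr in addrs:
        if _is_disallowed(ipaddress.ip_address(addr)):
            return False, f"host resolves to disallowed address {addr}"
    return True, "ok"


# Constructed DNS table for offline demonstration (hypothetical hosts).
FAKE_DNS = {
    "public.example": ["93.184.216.34"],
    "mixed.example": ["93.184.216.34", "10.0.0.5"],
}


def fake_resolver(host):
    if host not in FAKE_DNS:
        raise socket.gaierror("no such host")
    return FAKE_DNS[host]
```

A check like this still leaves a window between validation and any later fetch (DNS can change in between), which is why the PR also removes synchronous HTTP calls from the view rather than fetching the URL after validating it.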

File Upload Hardening

  • 2MB size limit enforced
  • Extension whitelist: jpg, jpeg, png, gif only
  • MIME type validation
  • PIL image verification to prevent malicious files
  • UUID-based safe filenames

Rate Limiting

  • Handled by existing ThrottlingMiddleware
  • 50 POST requests per minute per IP

Database Migration

Created 0252_add_unique_org_name_constraint.py to add:

  • Index on organization.name for performance
  • Unique constraint on organization.name

Integration with Main Branch

  • Successfully merged latest main branch changes (107 files)
  • Integrated new organization invite referral system
  • Maintained all security hardening improvements
  • Added support for referral code rewards during organization registration
  • Fixes OWASP-BLT/BLT#2517

Original prompt

This section details the original issue you should resolve

<issue_title>Create a form field to add an organization name and url is all that is required also logo. - the backend will check the URL and existence of the company name before posting it</issue_title> <issue_description>

0 https://blt.owasp.org/issue/2969 found by Anonymous at url: http://blt.owasp.org</issue_description>

Comments on the Issue (you are @copilot in this section)

  • Fixes OWASP-BLT/BLT#2517


Copilot, Nov 15 '25 22:11