
Fix/stored xss #3362

Open
RachHavoc wants to merge 5 commits into mitre:master from RachHavoc:fix/stored-xss

Fix/stored xss#3362
RachHavoc wants to merge 5 commits into
mitre:masterfrom
RachHavoc:fix/stored-xss

Conversation

RachHavoc (Contributor) commented Apr 10, 2026

Description

Adds server-side input validation for the technique_name field in AbilityApiManager._validate_ability_data.

Previously, technique_name was accepted as an unconstrained string while id and tactic
were both validated against an alphanumeric allowlist. This inconsistency allowed HTML/script
characters to be stored via POST /api/v2/abilities and PUT /api/v2/abilities/{id},
contributing to a stored XSS vulnerability in the Debrief plugin's technique graph.

A regex allowlist (^[a-zA-Z0-9\s\-_()/.,&:]+$) is applied to technique_name on write,
rejecting values containing < > " ' ; while accepting all legitimate ATT&CK technique names.

Related to: fix/technique-name-xss in mitre/debrief.

Type of change

  • Bug fix (non-breaking change which fixes an issue)

How Has This Been Tested?

  • Confirmed POST /api/v2/abilities with technique_name containing HTML (e.g.
    "><img src=x onerror=alert(1)>) now returns HTTP 400.
  • Verified the following legitimate ATT&CK technique names are accepted without issue:
    • Command and Scripting Interpreter
    • OS Credential Dumping: /etc/passwd and /etc/shadow
    • Exploitation for Privilege Escalation
    • Man-in-the-Middle
  • Confirmed existing abilities with valid technique names load and update correctly.

Checklist:

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have made corresponding changes to the documentation
  • I have added tests that prove my fix is effective or that my feature works
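
The allowlist check described in the PR, as an added Python example (not Caldera's own code; `validate_technique_name`, `ValidationError`, `handle_ability_write` and `rejected_metachars` are names chosen here, and the handler stand-in treats technique_name as a required field). It runs the PR's regex against the payload and the four legitimate names from the test notes, and also probes two edge cases the pattern itself allows: `\s` matches newlines and tabs, and a whitespace-only name passes. Like any write-time filter, it does not touch records stored before the change or the rendering sink in Debrief, which is why the PR points at the companion fix in mitre/debrief.

```python
import re

# Allowlist as given in the PR description. Inside a character class '.' is a
# literal dot and '\-' is a literal hyphen, so the set is: letters, digits,
# whitespace, and - _ ( ) / . , & :
TECHNIQUE_NAME_PATTERN = re.compile(r"^[a-zA-Z0-9\s\-_()/.,&:]+$")

# Characters the PR says must be rejected; used only to cross-check the pattern.
XSS_METACHARS = set('<>"\';')


class ValidationError(ValueError):
    """Hypothetical exception for a field that fails server-side validation."""


def validate_technique_name(value):
    """Return value unchanged if it matches the allowlist, else raise.

    Mirrors the write-time check the PR adds for technique_name. fullmatch()
    requires the whole string to match, so a trailing newline cannot slip
    past '$' the way it can with re.match().
    """
    if not isinstance(value, str):
        raise ValidationError("technique_name must be a string")
    if not TECHNIQUE_NAME_PATTERN.fullmatch(value):
        raise ValidationError("technique_name contains disallowed characters")
    return value


def is_valid_technique_name(value):
    """Boolean wrapper around validate_technique_name for quick probing."""
    try:
        validate_technique_name(value)
        return True
    except ValidationError:
        return False


def rejected_metachars():
    """Which of the PR's listed metacharacters the pattern actually rejects.

    Each character is embedded in an otherwise valid name so that only the
    metacharacter can cause the rejection.
    """
    return sorted(c for c in XSS_METACHARS if not is_valid_technique_name(f"x{c}y"))


def handle_ability_write(ability_data):
    """Hypothetical stand-in for the POST/PUT ability handler.

    Returns (status, body) so the 400-on-bad-input behaviour from the PR's
    test notes can be checked without a running server.
    """
    try:
        name = validate_technique_name(ability_data.get("technique_name", ""))
    except ValidationError as exc:
        return 400, {"error": str(exc)}
    return 200, {"technique_name": name}


if __name__ == "__main__":
    # Constructed inputs: the payload from the PR's test notes plus the four
    # legitimate ATT&CK names it lists, then two edge cases worth knowing about.
    probes = [
        '"><img src=x onerror=alert(1)>',
        "Command and Scripting Interpreter",
        "OS Credential Dumping: /etc/passwd and /etc/shadow",
        "Exploitation for Privilege Escalation",
        "Man-in-the-Middle",
        "",                          # '+' requires at least one character
        "Command\nand Scripting",    # \s admits newlines and tabs
        "   ",                       # whitespace-only passes the regex
    ]
    for p in probes:
        status, _ = handle_ability_write({"technique_name": p})
        print(f"{status}  {p!r}")
    print("rejected metachars:", rejected_metachars())
```

The two edge cases at the end are not defects the PR claims to fix; they are what the chosen pattern permits, and a reviewer who wants to exclude them would add a `.strip()` emptiness check and replace `\s` with a literal space.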

deacon-mp and others added 3 commits April 3, 2026 17:38
…ismatch

- Add data/cookie_storage to DATA_FILE_GLOBS so --fresh removes it
- Catch SystemExit in auth_svc when file_svc._read() fails to decrypt
  stale cookie_storage; regenerate session key instead of crashing
- Add tests: DATA_FILE_GLOBS membership + stale cookie recovery

Fixes crash when switching between --insecure and secure mode after
PR mitre#3264 introduced persistent session cookies.

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
@azure-pipelines
Azure Pipelines: 1 pipeline(s) were filtered out due to trigger conditions.

@sonarqubecloud
Quality Gate failed

Failed conditions
0.0% Coverage on New Code (required ≥ 80%)

See analysis details on SonarQube Cloud

Labels: None yet
Projects: None yet
2 participants