fix(editor): Validate user info before submiting (#7608)
Validate first and last names before saving them to the database. This should prevent a security issue with unsanitized data that ends up in emails. --------- Co-authored-by: कारतोफ्फेलस्क्रिप्ट™ <aditya@netroy.in>
1 parent
9b4856e
commit 2064f7f
Showing
4 changed files
with
97 additions
and
1 deletion.
@@ -0,0 +1,52 @@ | ||
import { WorkflowPage } from "../pages"; | ||
|
||
const workflowPage = new WorkflowPage(); | ||
|
||
const INVALID_NAMES = [ | ||
'https://n8n.io', | ||
'http://n8n.io', | ||
'www.n8n.io', | ||
'n8n.io', | ||
'n8n.бг', | ||
'n8n.io/home', | ||
'n8n.io/home?send=true', | ||
'<a href="#">Jack</a>', | ||
'<script>alert("Hello")</script>', | ||
]; | ||
|
||
const VALID_NAMES = [ | ||
['a', 'a'], | ||
['alice', 'alice'], | ||
['Robert', 'Downey Jr.'], | ||
['Mia', 'Mia-Downey'], | ||
['Mark', "O'neil"], | ||
['Thomas', 'Müler'], | ||
['ßáçøñ', 'ßáçøñ'], | ||
['أحمد', 'فلسطين'], | ||
['Милорад', 'Филиповић'], | ||
]; | ||
|
||
describe('Personal Settings', () => { | ||
it ('should allow to change first and last name', () => { | ||
cy.visit('/settings/personal'); | ||
VALID_NAMES.forEach((name) => { | ||
cy.getByTestId('personal-data-form').find('input[name="firstName"]').clear().type(name[0]); | ||
cy.getByTestId('personal-data-form').find('input[name="lastName"]').clear().type(name[1]); | ||
cy.getByTestId('save-settings-button').click(); | ||
workflowPage.getters.successToast().should('contain', 'Personal details updated'); | ||
workflowPage.getters.successToast().find('.el-notification__closeBtn').click(); | ||
}); | ||
}); | ||
it('not allow malicious values for personal data', () => { | ||
cy.visit('/settings/personal'); | ||
INVALID_NAMES.forEach((name) => { | ||
cy.getByTestId('personal-data-form').find('input[name="firstName"]').clear().type(name); | ||
cy.getByTestId('personal-data-form').find('input[name="lastName"]').clear().type(name); | ||
cy.getByTestId('save-settings-button').click(); | ||
workflowPage.getters | ||
.errorToast() | ||
.should('contain', 'Malicious firstName | Malicious lastName'); | ||
workflowPage.getters.errorToast().find('.el-notification__closeBtn').click(); | ||
}); | ||
}); | ||
}); |
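--- a/packages/cli/test/unit/databases/utils/customValidators.test.ts
+++ b/packages/cli/test/unit/databases/utils/customValidators.test.ts
@@ -0,0 +1,43 @@
+import { NoXss } from '@db/utils/customValidators';
+import { validate } from 'class-validator';
+
+describe('customValidators', () => {
+describe('NoXss', () => {
+class Person {
+@NoXss()
+name: string;
+}
+const person = new Person();
+
+const invalidNames = ['http://google.com', '<script src/>', 'www.domain.tld'];
+
+const validNames = [
+'Johann Strauß',
+'Вагиф Сәмәдоғлу',
+'René Magritte',
+'সুকুমার রায়',
+'མགོན་པོ་རྡོ་རྗེ།',
+'عبدالحليم حافظ',
+];
+
+describe('Block XSS', () => {
+for (const name of invalidNames) {
+test(name, async () => {
+person.name = name;
+const validationErrors = await validate(person);
+expect(validationErrors[0].property).toEqual('name');
+expect(validationErrors[0].constraints).toEqual({ NoXss: 'Malicious name' });
+});
+}
+});
+
+describe('Allow Valid names', () => {
+for (const name of validNames) {
+test(name, async () => {
+person.name = name;
+expect(await validate(person)).toBeEmptyArray();
+});
+}
+});
+});
+});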
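Review bot: The 'Block XSS' assertions index `validationErrors[0]` before checking the array is non-empty, so a validator that wrongly accepts a payload fails with a TypeError on `undefined` instead of a readable assertion; add `expect(validationErrors).toHaveLength(1);` before the first `expect`. The `validNames` list has no dotted name, while the e2e suite in this same commit treats `'Downey Jr.'` as valid and `'www.domain.tld'` must be rejected here, so adding `'Downey Jr.'` to `validNames` would pin that boundary of the domain-like heuristic at the unit level. The three invalid inputs cover only one HTML payload; mirroring e2e cases such as `'<a href="#">Jack</a>'` and `'n8n.io/home?send=true'` would keep the unit and e2e expectations of `NoXss` aligned. `toBeEmptyArray` looks like a jest-extended matcher rather than core Jest — presumably registered in the test setup, worth confirming.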