Fix personal settings XSS/URL test

n8n-io · Aug 16, 2024 · 22606e6 · 22606e6
1 parent 96e222c
commit 22606e6
Show file tree

Hide file tree

Showing 3 changed files with 3 additions and 3 deletions.
diff --git a/cypress/e2e/33-settings-personal.cy.ts b/cypress/e2e/33-settings-personal.cy.ts
@@ -41,7 +41,7 @@ describe('Personal Settings', () => {
 			cy.getByTestId('personal-data-form').find('input[name="firstName"]').clear().type(name);
 			cy.getByTestId('personal-data-form').find('input[name="lastName"]').clear().type(name);
 			cy.getByTestId('save-settings-button').click();
-			errorToast().should('contain', 'Malicious firstName | Malicious lastName');
+			errorToast().should('contain', 'Potentially malicious string | Potentially malicious string');
 			errorToast().find('.el-notification__closeBtn').click();
 		});
 	});

diff --git a/packages/cli/src/validators/__tests__/no-url.validator.test.ts b/packages/cli/src/validators/__tests__/no-url.validator.test.ts
@@ -10,7 +10,7 @@ describe('NoUrl', () => {
 	const entity = new Entity();
 
 	describe('URLs', () => {
-		const URLS = ['http://google.com', 'www.domain.tld'];
+		const URLS = ['http://google.com', 'www.domain.tld', 'n8n.io'];
 
 		for (const str of URLS) {
 			test(`should block ${str}`, async () => {

diff --git a/packages/cli/src/validators/no-url.validator.ts b/packages/cli/src/validators/no-url.validator.ts
@@ -1,7 +1,7 @@
 import type { ValidationOptions, ValidatorConstraintInterface } from 'class-validator';
 import { registerDecorator, ValidatorConstraint } from 'class-validator';
 
-const URL_REGEX = /^(https?:\/\/|www\.)/i;
+const URL_REGEX = /^(https?:\/\/|www\.)|(\.[\p{L}\d-]+)/iu;
 
 @ValidatorConstraint({ name: 'NoUrl', async: false })
 class NoUrlConstraint implements ValidatorConstraintInterface {