Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(core): Fix XSS validation and separate URL validation #10424

Merged
merged 4 commits into from
Aug 16, 2024
Merged

fix(core): Fix XSS validation and separate URL validation #10424

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
cfb719e
refactor(core): Improve XSS validator
ivov Aug 15, 2024
55acdc4
Merge branch 'master' into pay-1845-improve-xss-validator
ivov Aug 16, 2024
ba5645b
Extract URL validation from `NoXss` validator
ivov Aug 16, 2024
2b5bac0
Apply new decorator
ivov Aug 16, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions packages/cli/package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -155,6 +155,7 @@
"reflect-metadata": "0.2.2",
"replacestream": "4.0.3",
"samlify": "2.8.9",
"sanitize-html": "2.12.1",
"semver": "7.5.4",
"shelljs": "0.8.5",
"simple-git": "3.17.0",
Expand Down
2 changes: 1 addition & 1 deletion packages/cli/src/GenericHelpers.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ import type {
UserUpdatePayload,
} from '@/requests';
import { BadRequestError } from './errors/response-errors/bad-request.error';
import { NoXss } from './databases/utils/customValidators';
import { NoXss } from '@/databases/utils/no-xss.validator';

export async function validateEntity(
entity:
Expand Down
2 changes: 1 addition & 1 deletion packages/cli/src/databases/entities/User.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,7 @@ import { IsEmail, IsString, Length } from 'class-validator';
import type { IUser, IUserSettings } from 'n8n-workflow';
import type { SharedWorkflow } from './SharedWorkflow';
import type { SharedCredentials } from './SharedCredentials';
import { NoXss } from '../utils/customValidators';
import { NoXss } from '@db/utils/no-xss.validator';
import { objectRetriever, lowerCaser } from '../utils/transformers';
import { WithTimestamps, jsonColumnType } from './AbstractEntity';
import type { IPersonalizationSurveyAnswers } from '@/Interfaces';
Expand Down
43 changes: 0 additions & 43 deletions packages/cli/src/databases/utils/__tests__/customValidators.test.ts
View file
Open in desktop

This file was deleted.

70 changes: 70 additions & 0 deletions packages/cli/src/databases/utils/__tests__/no-xss.validator.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,70 @@
import { NoXss } from '../no-xss.validator';
import { validate } from 'class-validator';

describe('NoXss', () => {
class Entity {
@NoXss()
name = '';

@NoXss()
timestamp = '';

@NoXss()
version = '';
}

const entity = new Entity();

describe('Scripts and URLs', () => {
const MALICIOUS_STRINGS = ['http://google.com', '<script src/>', 'www.domain.tld'];
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe also <script>alert('xss')</script>?


for (const str of MALICIOUS_STRINGS) {
test(`should block ${str}`, async () => {
entity.name = str;
const [error] = await validate(entity);
expect(error.property).toEqual('name');
expect(error.constraints).toEqual({ NoXss: 'Potentially malicious string' });
});
}
});

describe('Names', () => {
const VALID_NAMES = [
'Johann Strauß',
'Вагиф Сәмәдоғлу',
'René Magritte',
'সুকুমার রায়',
'མགོན་པོ་རྡོ་རྗེ།',
'عبدالحليم حافظ',
];

for (const name of VALID_NAMES) {
test(`should allow ${name}`, async () => {
entity.name = name;
expect(await validate(entity)).toBeEmptyArray();
});
}
});

describe('ISO-8601 timestamps', () => {
const VALID_TIMESTAMPS = ['2022-01-01T00:00:00.000Z', '2022-01-01T00:00:00.000+02:00'];

for (const timestamp of VALID_TIMESTAMPS) {
test(`should allow ${timestamp}`, async () => {
entity.timestamp = timestamp;
await expect(validate(entity)).resolves.toBeEmptyArray();
});
}
});

describe('Semver versions', () => {
const VALID_VERSIONS = ['1.0.0', '1.0.0-alpha.1'];

for (const version of VALID_VERSIONS) {
test(`should allow ${version}`, async () => {
entity.version = version;
await expect(validate(entity)).resolves.toBeEmptyArray();
});
}
});
});
18 changes: 0 additions & 18 deletions packages/cli/src/databases/utils/customValidators.ts
View file
Open in desktop

This file was deleted.

32 changes: 32 additions & 0 deletions packages/cli/src/databases/utils/no-xss.validator.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
import type { ValidationOptions, ValidatorConstraintInterface } from 'class-validator';
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should this file be somewhere else than under @/databases?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agree, not sure why but it has been like this since forever. Changed.

import { registerDecorator, ValidatorConstraint } from 'class-validator';
import sanitizeHtml from 'sanitize-html';

const URL_REGEX = /^(https?:\/\/|www\.)/i;

@ValidatorConstraint({ name: 'NoXss', async: false })
class NoXssConstraint implements ValidatorConstraintInterface {
validate(value: string) {
const sanitized = sanitizeHtml(value, { allowedTags: [], allowedAttributes: {} });

if (sanitized !== value) return false;

return !URL_REGEX.test(value);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I feel like this should be a separate validator. Having a URL is not a XSS. I guess for backwards compat we could then include that validator also in places that are currently using the NoXss, if they need that

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agree! Not sure why it was ever included.

}

defaultMessage() {
return 'Potentially malicious string';
}
}

export function NoXss(options?: ValidationOptions) {
return function (object: object, propertyName: string) {
registerDecorator({
name: 'NoXss',
target: object.constructor,
propertyName,
options,
validator: NoXssConstraint,
});
};
}
2 changes: 1 addition & 1 deletion packages/cli/src/requests.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,7 @@ import type {

import { Expose } from 'class-transformer';
import { IsBoolean, IsEmail, IsIn, IsOptional, IsString, Length } from 'class-validator';
import { NoXss } from '@db/utils/customValidators';
import { NoXss } from '@db/utils/no-xss.validator';
import type { PublicUser, SecretsProvider, SecretsProviderState } from '@/Interfaces';
import { AssignableRole } from '@db/entities/User';
import type { GlobalRole, User } from '@db/entities/User';
Expand Down
21 changes: 12 additions & 9 deletions pnpm-lock.yaml
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.