From 5dea51aad7d9e7ffc676d16f4bbbdecce5876f0b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Iv=C3=A1n=20Ovejero?= Date: Tue, 20 Aug 2024 20:52:04 +0200 Subject: [PATCH] fix(core): Replace `sanitize-html` with `xss` in XSS validator constraint (#10479) --- packages/cli/package.json | 2 +- .../__tests__/no-xss.validator.test.ts | 14 ++- .../cli/src/validators/no-xss.validator.ts | 9 +- pnpm-lock.yaml | 85 ++++--------------- 4 files changed, 38 insertions(+), 72 deletions(-) diff --git a/packages/cli/package.json b/packages/cli/package.json index 80bf0c4e62..cd03e0e19b 100644 --- a/packages/cli/package.json +++ b/packages/cli/package.json @@ -155,7 +155,6 @@ "reflect-metadata": "0.2.2", "replacestream": "4.0.3", "samlify": "2.8.9", - "sanitize-html": "2.12.1", "semver": "7.5.4", "shelljs": "0.8.5", "simple-git": "3.17.0", @@ -172,6 +171,7 @@ "ws": "8.17.1", "xml2js": "catalog:", "xmllint-wasm": "3.0.1", + "xss": "^1.0.14", "yamljs": "0.3.0", "zod": "3.22.4" } diff --git a/packages/cli/src/validators/__tests__/no-xss.validator.test.ts b/packages/cli/src/validators/__tests__/no-xss.validator.test.ts index 9972c4c0de..33821787ec 100644 --- a/packages/cli/src/validators/__tests__/no-xss.validator.test.ts +++ b/packages/cli/src/validators/__tests__/no-xss.validator.test.ts @@ -16,7 +16,8 @@ describe('NoXss', () => { const entity = new Entity(); describe('Scripts', () => { - const XSS_STRINGS = ['"]; + // eslint-disable-next-line n8n-local-rules/no-unneeded-backticks + const XSS_STRINGS = ['", `Jack`]; for (const str of XSS_STRINGS) { test(`should block ${str}`, async () => { @@ -69,4 +70,15 @@ describe('NoXss', () => { }); } }); + + describe('Miscellanous strings', () => { + const VALID_MISCELLANEOUS_STRINGS = ['CI/CD']; + + for (const str of VALID_MISCELLANEOUS_STRINGS) { + test(`should allow ${str}`, async () => { + entity.name = str; + await expect(validate(entity)).resolves.toBeEmptyArray(); + }); + } + }); }); 
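Review bot: The added `"xss": "^1.0.14"` is the only caret range in the visible dependency list — its neighbours `samlify`, `semver`, `xmllint-wasm`, `yamljs` and the removed `sanitize-html` are all exact pins. Since the `xss` library's escaping defaults decide what the NoXss validator rejects, an unreviewed minor upgrade can silently change which input is accepted; pin it like the others, `"xss": "1.0.14"`, and bump deliberately. The lockfile hunk resolves it to 1.0.14 today, so the pin costs nothing now.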
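Review bot: The label of the added block is misspelled: `describe('Miscellanous strings', () => {` should read `describe('Miscellaneous strings', () => {`. Its only case, `'CI/CD'`, pins the slash regression but none of the other plain-text characters the new library treats specially; a second entry such as `'R&D'` or a quoted string would document that the switch to `xss` still accepts them — assuming it does, which this hunk does not show. A string with a bare `<` (e.g. `'1 < 2'`) is, I believe, rejected by the new implementation, so if that is intended it belongs in the blocking suite above rather than here.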
diff --git a/packages/cli/src/validators/no-xss.validator.ts b/packages/cli/src/validators/no-xss.validator.ts index 8075309df9..7c65f02dfe 100644 --- a/packages/cli/src/validators/no-xss.validator.ts +++ b/packages/cli/src/validators/no-xss.validator.ts @@ -1,11 +1,16 @@ +import xss from 'xss'; import type { ValidationOptions, ValidatorConstraintInterface } from 'class-validator'; import { registerDecorator, ValidatorConstraint } from 'class-validator'; -import sanitizeHtml from 'sanitize-html'; @ValidatorConstraint({ name: 'NoXss', async: false }) class NoXssConstraint implements ValidatorConstraintInterface { validate(value: string) { - return value === sanitizeHtml(value, { allowedTags: [], allowedAttributes: {} }); + return ( + value === + xss(value, { + whiteList: {}, // no tags are allowed + }) + ); } defaultMessage() { diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index 71b974f669..bae71cb7e1 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -6,9 +6,6 @@ settings: catalogs: default: - '@types/basic-auth': - specifier: ^1.1.3 - version: 1.1.3 '@types/express': specifier: ^4.17.21 version: 4.17.21 @@ -21,15 +18,9 @@ catalogs: '@types/xml2js': specifier: ^0.4.14 version: 0.4.14 - basic-auth: - specifier: 2.0.1 - version: 2.0.1 fast-glob: specifier: 3.2.12 version: 3.2.12 - form-data: - specifier: 4.0.0 - version: 4.0.0 lodash: specifier: 4.17.21 version: 4.17.21 @@ -48,28 +39,6 @@ catalogs: xml2js: specifier: 0.6.2 version: 0.6.2 - frontend: - '@vitest/coverage-v8': - specifier: ^1.6.0 - version: 1.6.0 - vite: - specifier: ^5.2.12 - version: 5.2.12 - vitest: - specifier: ^1.6.0 - version: 1.6.0 - vitest-mock-extended: - specifier: ^1.3.1 - version: 1.3.1 - vue: - specifier: ^3.4.21 - version: 3.4.21 - vue-markdown-render: - specifier: ^2.2.1 - version: 2.2.1 - vue-tsc: - specifier: ^2.0.19 - version: 2.0.19 overrides: '@types/node': ^18.16.16 
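Review bot: The `return` in `validate` relies on an unstated property of `xss`: with an empty `whiteList` every tag is escaped rather than kept, so the check rejects any value that `xss` would rewrite — which, as far as I can tell from the library's default escaping, includes plain text containing a bare `<` or `>` and not only markup. That contract belongs in a comment above the `return`, e.g. `// Detect, don't sanitize: reject any value xss would rewrite (every tag, since the whitelist is empty, plus bare '<' / '>'); output escaping remains the real XSS defense.` Conversely only values `xss` rewrites are caught, so a payload that needs no angle brackets (a `javascript:` URL a consumer later places in an attribute) passes, and a non-string property is, I believe, coerced by `xss` and then fails the strict equality with the XSS message rather than a type error — fail-closed, but worth a `typeof value === 'string'` guard if the decorator is ever applied to non-string fields. Because which inputs are rejected depends on the library's default escaping rules, a minor `xss` release can change this validator's behaviour without any code change here. `NoXssConstraint` continues past the end of the hunk (`defaultMessage` and the decorator factory are cut off).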
@@ -652,7 +621,7 @@ importers: version: 1.11.0 axios: specifier: 1.7.3 - version: 1.7.3(debug@3.2.7) + version: 1.7.3(debug@4.3.6) bcryptjs: specifier: 2.4.3 version: 2.4.3 @@ -824,9 +793,6 @@ importers: samlify: specifier: 2.8.9 version: 2.8.9 - sanitize-html: - specifier: 2.12.1 - version: 2.12.1 semver: specifier: ^7.5.4 version: 7.6.0 @@ -875,6 +841,9 @@ importers: xmllint-wasm: specifier: 3.0.1 version: 3.0.1 + xss: + specifier: ^1.0.14 + version: 1.0.14 yamljs: specifier: 0.3.0 version: 0.3.0 @@ -2166,10 +2135,6 @@ packages: resolution: {integrity: sha512-aK4s3Xxjrx3daZr3VylxejK3vG5ExXck5WOHDJ8in/k9AqlfIyFMMT1uG7u8mNjX+QRILTIn0/Xgschfh/dQ9g==} engines: {node: '>=12.0.0'} - '@azure/msal-browser@3.10.0': - resolution: {integrity: sha512-mnmi8dCXVNZI+AGRq0jKQ3YiodlIC4W9npr6FCB9WN6NQT+6rq+cIlxgUb//BjLyzKsnYo+i4LROGeMyU+6v1A==} - engines: {node: '>=0.8.0'} - '@azure/msal-browser@3.19.0': resolution: {integrity: sha512-3unHlh3qWtXbqks/TLq3qGWzxfmwRfk9tXSGvVCcHHnCH5QKtcg/JiDIeP/1B2qFlqnSgtYY0JPLy9EIVoZ7Ag==} engines: {node: '>=0.8.0'} @@ -2178,18 +2143,10 @@ packages: resolution: {integrity: sha512-b4M/tqRzJ4jGU91BiwCsLTqChveUEyFK3qY2wGfZ0zBswIBZjAxopx5CYt5wzZFKuN15HqRDYXQbztttuIC3nA==} engines: {node: '>=0.8.0'} - '@azure/msal-common@14.7.1': - resolution: {integrity: sha512-v96btzjM7KrAu4NSEdOkhQSTGOuNUIIsUdB8wlyB9cdgl5KqEKnTonHUZ8+khvZ6Ap542FCErbnTyDWl8lZ2rA==} - engines: {node: '>=0.8.0'} - '@azure/msal-node@2.11.0': resolution: {integrity: sha512-yNRCp4Do4CGSBe1WXq4DWhfa/vYZCUgGrweYLC5my/6eDnYMt0fYGPHuTMw0iRslQGXF3CecGAxXp7ab57V4zg==} engines: {node: '>=16'} - '@azure/msal-node@2.6.4': - resolution: {integrity: sha512-nNvEPx009/80UATCToF+29NZYocn01uKrB91xtFr7bSqkqO1PuQGXRyYwryWRztUrYZ1YsSbw9A+LmwOhpVvcg==} - engines: {node: '>=16'} - '@azure/storage-blob@12.11.0': resolution: {integrity: sha512-na+FisoARuaOWaHWpmdtk3FeuTWf2VWamdJ9/TJJzj5ZdXPLC3juoDgFs6XVuJIoK30yuBpyFBEDXVRK4pB7Tg==} engines: {node: '>=12.0.0'} 
@@ -14300,8 +14257,8 @@ snapshots: '@azure/core-tracing': 1.0.1 '@azure/core-util': 1.7.0 '@azure/logger': 1.0.3 - '@azure/msal-browser': 3.10.0 - '@azure/msal-node': 2.6.4 + '@azure/msal-browser': 3.19.0 + '@azure/msal-node': 2.11.0 events: 3.3.0 jws: 4.0.0 open: 8.4.0 @@ -14365,30 +14322,18 @@ snapshots: dependencies: tslib: 2.6.2 - '@azure/msal-browser@3.10.0': - dependencies: - '@azure/msal-common': 14.7.1 - '@azure/msal-browser@3.19.0': dependencies: '@azure/msal-common': 14.13.0 '@azure/msal-common@14.13.0': {} - '@azure/msal-common@14.7.1': {} - '@azure/msal-node@2.11.0': dependencies: '@azure/msal-common': 14.13.0 jsonwebtoken: 9.0.2 uuid: 8.3.2 - '@azure/msal-node@2.6.4': - dependencies: - '@azure/msal-common': 14.7.1 - jsonwebtoken: 9.0.2 - uuid: 8.3.2 - '@azure/storage-blob@12.11.0(encoding@0.1.13)': dependencies: '@azure/abort-controller': 1.1.0 @@ -17204,7 +17149,7 @@ snapshots: '@rudderstack/rudder-sdk-node@2.0.7(tslib@2.6.2)': dependencies: - axios: 1.7.3(debug@3.2.7) + axios: 1.7.3(debug@4.3.6) axios-retry: 3.7.0 component-type: 1.2.1 join-component: 1.1.0 @@ -19400,7 +19345,7 @@ snapshots: agentkeepalive@4.2.1: dependencies: - debug: 4.3.4(supports-color@8.1.1) + debug: 4.3.4 depd: 1.1.2 humanize-ms: 1.2.1 transitivePeerDependencies: @@ -20712,6 +20657,10 @@ snapshots: optionalDependencies: supports-color: 8.1.1 + debug@4.3.4: + dependencies: + ms: 2.1.2 + debug@4.3.4(supports-color@8.1.1): dependencies: ms: 2.1.2 @@ -22572,7 +22521,7 @@ snapshots: infisical-node@1.3.0: dependencies: - axios: 1.7.3(debug@3.2.7) + axios: 1.7.3(debug@4.3.6) dotenv: 16.3.1 tweetnacl: 1.0.3 tweetnacl-util: 0.15.1 @@ -23687,7 +23636,7 @@ snapshots: '@types/node': 18.16.16 '@types/uuid': 9.0.7 asn1: 0.2.6 - debug: 4.3.4(supports-color@8.1.1) + debug: 4.3.4 strict-event-emitter-types: 2.0.0 uuid: 9.0.1 transitivePeerDependencies: 
@@ -24311,7 +24260,7 @@ snapshots: dependencies: '@tediousjs/connection-string': 0.5.0 commander: 11.1.0 - debug: 4.3.5(supports-color@8.1.1) + debug: 4.3.6 rfdc: 1.3.0 tarn: 3.0.2 tedious: 16.7.1 @@ -25118,7 +25067,7 @@ snapshots: posthog-node@3.2.1: dependencies: - axios: 1.7.3(debug@3.2.7) + axios: 1.7.3(debug@4.3.6) rusha: 0.8.14 transitivePeerDependencies: - debug @@ -26109,7 +26058,7 @@ snapshots: dependencies: '@kwsites/file-exists': 1.1.1 '@kwsites/promise-deferred': 1.1.1 - debug: 4.3.4(supports-color@8.1.1) + debug: 4.3.4 transitivePeerDependencies: - supports-color