fix(core): Replace sanitize-html
with xss
in XSS validator constraint (#10479)
This commit is contained in:
parent
aad3e5b677
commit
5dea51aad7
|
@ -155,7 +155,6 @@
|
||||||
"reflect-metadata": "0.2.2",
|
"reflect-metadata": "0.2.2",
|
||||||
"replacestream": "4.0.3",
|
"replacestream": "4.0.3",
|
||||||
"samlify": "2.8.9",
|
"samlify": "2.8.9",
|
||||||
"sanitize-html": "2.12.1",
|
|
||||||
"semver": "7.5.4",
|
"semver": "7.5.4",
|
||||||
"shelljs": "0.8.5",
|
"shelljs": "0.8.5",
|
||||||
"simple-git": "3.17.0",
|
"simple-git": "3.17.0",
|
||||||
|
@ -172,6 +171,7 @@
|
||||||
"ws": "8.17.1",
|
"ws": "8.17.1",
|
||||||
"xml2js": "catalog:",
|
"xml2js": "catalog:",
|
||||||
"xmllint-wasm": "3.0.1",
|
"xmllint-wasm": "3.0.1",
|
||||||
|
"xss": "^1.0.14",
|
||||||
"yamljs": "0.3.0",
|
"yamljs": "0.3.0",
|
||||||
"zod": "3.22.4"
|
"zod": "3.22.4"
|
||||||
}
|
}
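Review bot: `"xss": "^1.0.14"` is the only caret range in this dependency block — every neighbour (`ws`, `xmllint-wasm`, `yamljs`, `zod`) is pinned to an exact version, and the removed `sanitize-html` was pinned as well. For a package whose whole job is security filtering, a floating range lets a routine lockfile refresh pull in a new minor without anyone reviewing it. I'd pin it to match the file's convention: `"xss": "1.0.14"`. The lockfile in this commit resolves it to 1.0.14 either way, so the change is a no-op today.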
|
||||||
|
|
|
@ -16,7 +16,8 @@ describe('NoXss', () => {
|
||||||
const entity = new Entity();
|
const entity = new Entity();
|
||||||
|
|
||||||
describe('Scripts', () => {
|
describe('Scripts', () => {
|
||||||
const XSS_STRINGS = ['<script src/>', "<script>alert('xss')</script>"];
|
// eslint-disable-next-line n8n-local-rules/no-unneeded-backticks
|
||||||
|
const XSS_STRINGS = ['<script src/>', "<script>alert('xss')</script>", `<a href="#">Jack</a>`];
|
||||||
|
|
||||||
for (const str of XSS_STRINGS) {
|
for (const str of XSS_STRINGS) {
|
||||||
test(`should block ${str}`, async () => {
|
test(`should block ${str}`, async () => {
|
||||||
|
@ -69,4 +70,15 @@ describe('NoXss', () => {
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
});
|
});
|
||||||
|
|
||||||
|
describe('Miscellanous strings', () => {
|
||||||
|
const VALID_MISCELLANEOUS_STRINGS = ['CI/CD'];
|
||||||
|
|
||||||
|
for (const str of VALID_MISCELLANEOUS_STRINGS) {
|
||||||
|
test(`should allow ${str}`, async () => {
|
||||||
|
entity.name = str;
|
||||||
|
await expect(validate(entity)).resolves.toBeEmptyArray();
|
||||||
|
});
|
||||||
|
}
|
||||||
|
});
|
||||||
});
|
});
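Review bot: The new `Miscellanous strings` group pins only `CI/CD` as allowed, but does not pin the constraint's behaviour on bare angle brackets in plain text, which is where a sanitizer-equality check is most likely to disagree with user expectations. From xss's default `escapeHtml` I'd expect `a < b` and `x > y` to be rewritten and therefore rejected; whichever behaviour is intended, add those two strings to the matching list (`XSS_STRINGS` or `VALID_MISCELLANEOUS_STRINGS`) so the next sanitizer swap cannot silently change it. In the first hunk `<a href="#">Jack</a>` is appended to the `Scripts` describe although it is an anchor, so the group name no longer matches its contents; rename the group to `Tags` or give the anchor its own describe. The describe label is also misspelled — `Miscellaneous`.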
|
||||||
|
|
|
@ -1,11 +1,16 @@
|
||||||
|
import xss from 'xss';
|
||||||
import type { ValidationOptions, ValidatorConstraintInterface } from 'class-validator';
|
import type { ValidationOptions, ValidatorConstraintInterface } from 'class-validator';
|
||||||
import { registerDecorator, ValidatorConstraint } from 'class-validator';
|
import { registerDecorator, ValidatorConstraint } from 'class-validator';
|
||||||
import sanitizeHtml from 'sanitize-html';
|
|
||||||
|
|
||||||
@ValidatorConstraint({ name: 'NoXss', async: false })
|
@ValidatorConstraint({ name: 'NoXss', async: false })
|
||||||
class NoXssConstraint implements ValidatorConstraintInterface {
|
class NoXssConstraint implements ValidatorConstraintInterface {
|
||||||
validate(value: string) {
|
validate(value: string) {
|
||||||
return value === sanitizeHtml(value, { allowedTags: [], allowedAttributes: {} });
|
return (
|
||||||
|
value ===
|
||||||
|
xss(value, {
|
||||||
|
whiteList: {}, // no tags are allowed
|
||||||
|
})
|
||||||
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
defaultMessage() {
|
defaultMessage() {
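Review bot: The check `value === xss(value, { whiteList: {} })` only catches input that xss would rewrite, and xss's default filter leaves `&`, quotes and `=` untouched, so an attribute-context payload with no angle brackets such as `" onmouseover="alert(1)` passes this constraint unchanged; the validator is therefore a tag-injection guard, not a substitute for output encoding wherever the value is rendered, and the code should say so. Conversely, with an empty whitelist I'd expect any bare `<` or `>` in text (e.g. `a < b`) to be escaped and hence rejected, a false positive worth stating next to the `whiteList` comment. I'd add above the `return (`: `// Reject any value the sanitizer would change: with an empty whiteList every tag is escaped, so bare '<' / '>' in text are rejected too. This guards against tag injection only — values must still be output-encoded where they are rendered.` The class body continues past the hunk (`defaultMessage` is cut at its opening line).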
|
||||||
|
|
|
@ -6,9 +6,6 @@ settings:
|
||||||
|
|
||||||
catalogs:
|
catalogs:
|
||||||
default:
|
default:
|
||||||
'@types/basic-auth':
|
|
||||||
specifier: ^1.1.3
|
|
||||||
version: 1.1.3
|
|
||||||
'@types/express':
|
'@types/express':
|
||||||
specifier: ^4.17.21
|
specifier: ^4.17.21
|
||||||
version: 4.17.21
|
version: 4.17.21
|
||||||
|
@ -21,15 +18,9 @@ catalogs:
|
||||||
'@types/xml2js':
|
'@types/xml2js':
|
||||||
specifier: ^0.4.14
|
specifier: ^0.4.14
|
||||||
version: 0.4.14
|
version: 0.4.14
|
||||||
basic-auth:
|
|
||||||
specifier: 2.0.1
|
|
||||||
version: 2.0.1
|
|
||||||
fast-glob:
|
fast-glob:
|
||||||
specifier: 3.2.12
|
specifier: 3.2.12
|
||||||
version: 3.2.12
|
version: 3.2.12
|
||||||
form-data:
|
|
||||||
specifier: 4.0.0
|
|
||||||
version: 4.0.0
|
|
||||||
lodash:
|
lodash:
|
||||||
specifier: 4.17.21
|
specifier: 4.17.21
|
||||||
version: 4.17.21
|
version: 4.17.21
|
||||||
|
@ -48,28 +39,6 @@ catalogs:
|
||||||
xml2js:
|
xml2js:
|
||||||
specifier: 0.6.2
|
specifier: 0.6.2
|
||||||
version: 0.6.2
|
version: 0.6.2
|
||||||
frontend:
|
|
||||||
'@vitest/coverage-v8':
|
|
||||||
specifier: ^1.6.0
|
|
||||||
version: 1.6.0
|
|
||||||
vite:
|
|
||||||
specifier: ^5.2.12
|
|
||||||
version: 5.2.12
|
|
||||||
vitest:
|
|
||||||
specifier: ^1.6.0
|
|
||||||
version: 1.6.0
|
|
||||||
vitest-mock-extended:
|
|
||||||
specifier: ^1.3.1
|
|
||||||
version: 1.3.1
|
|
||||||
vue:
|
|
||||||
specifier: ^3.4.21
|
|
||||||
version: 3.4.21
|
|
||||||
vue-markdown-render:
|
|
||||||
specifier: ^2.2.1
|
|
||||||
version: 2.2.1
|
|
||||||
vue-tsc:
|
|
||||||
specifier: ^2.0.19
|
|
||||||
version: 2.0.19
|
|
||||||
|
|
||||||
overrides:
|
overrides:
|
||||||
'@types/node': ^18.16.16
|
'@types/node': ^18.16.16
|
||||||
|
@ -652,7 +621,7 @@ importers:
|
||||||
version: 1.11.0
|
version: 1.11.0
|
||||||
axios:
|
axios:
|
||||||
specifier: 1.7.3
|
specifier: 1.7.3
|
||||||
version: 1.7.3(debug@3.2.7)
|
version: 1.7.3(debug@4.3.6)
|
||||||
bcryptjs:
|
bcryptjs:
|
||||||
specifier: 2.4.3
|
specifier: 2.4.3
|
||||||
version: 2.4.3
|
version: 2.4.3
|
||||||
|
@ -824,9 +793,6 @@ importers:
|
||||||
samlify:
|
samlify:
|
||||||
specifier: 2.8.9
|
specifier: 2.8.9
|
||||||
version: 2.8.9
|
version: 2.8.9
|
||||||
sanitize-html:
|
|
||||||
specifier: 2.12.1
|
|
||||||
version: 2.12.1
|
|
||||||
semver:
|
semver:
|
||||||
specifier: ^7.5.4
|
specifier: ^7.5.4
|
||||||
version: 7.6.0
|
version: 7.6.0
|
||||||
|
@ -875,6 +841,9 @@ importers:
|
||||||
xmllint-wasm:
|
xmllint-wasm:
|
||||||
specifier: 3.0.1
|
specifier: 3.0.1
|
||||||
version: 3.0.1
|
version: 3.0.1
|
||||||
|
xss:
|
||||||
|
specifier: ^1.0.14
|
||||||
|
version: 1.0.14
|
||||||
yamljs:
|
yamljs:
|
||||||
specifier: 0.3.0
|
specifier: 0.3.0
|
||||||
version: 0.3.0
|
version: 0.3.0
|
||||||
|
@ -2166,10 +2135,6 @@ packages:
|
||||||
resolution: {integrity: sha512-aK4s3Xxjrx3daZr3VylxejK3vG5ExXck5WOHDJ8in/k9AqlfIyFMMT1uG7u8mNjX+QRILTIn0/Xgschfh/dQ9g==}
|
resolution: {integrity: sha512-aK4s3Xxjrx3daZr3VylxejK3vG5ExXck5WOHDJ8in/k9AqlfIyFMMT1uG7u8mNjX+QRILTIn0/Xgschfh/dQ9g==}
|
||||||
engines: {node: '>=12.0.0'}
|
engines: {node: '>=12.0.0'}
|
||||||
|
|
||||||
'@azure/msal-browser@3.10.0':
|
|
||||||
resolution: {integrity: sha512-mnmi8dCXVNZI+AGRq0jKQ3YiodlIC4W9npr6FCB9WN6NQT+6rq+cIlxgUb//BjLyzKsnYo+i4LROGeMyU+6v1A==}
|
|
||||||
engines: {node: '>=0.8.0'}
|
|
||||||
|
|
||||||
'@azure/msal-browser@3.19.0':
|
'@azure/msal-browser@3.19.0':
|
||||||
resolution: {integrity: sha512-3unHlh3qWtXbqks/TLq3qGWzxfmwRfk9tXSGvVCcHHnCH5QKtcg/JiDIeP/1B2qFlqnSgtYY0JPLy9EIVoZ7Ag==}
|
resolution: {integrity: sha512-3unHlh3qWtXbqks/TLq3qGWzxfmwRfk9tXSGvVCcHHnCH5QKtcg/JiDIeP/1B2qFlqnSgtYY0JPLy9EIVoZ7Ag==}
|
||||||
engines: {node: '>=0.8.0'}
|
engines: {node: '>=0.8.0'}
|
||||||
|
@ -2178,18 +2143,10 @@ packages:
|
||||||
resolution: {integrity: sha512-b4M/tqRzJ4jGU91BiwCsLTqChveUEyFK3qY2wGfZ0zBswIBZjAxopx5CYt5wzZFKuN15HqRDYXQbztttuIC3nA==}
|
resolution: {integrity: sha512-b4M/tqRzJ4jGU91BiwCsLTqChveUEyFK3qY2wGfZ0zBswIBZjAxopx5CYt5wzZFKuN15HqRDYXQbztttuIC3nA==}
|
||||||
engines: {node: '>=0.8.0'}
|
engines: {node: '>=0.8.0'}
|
||||||
|
|
||||||
'@azure/msal-common@14.7.1':
|
|
||||||
resolution: {integrity: sha512-v96btzjM7KrAu4NSEdOkhQSTGOuNUIIsUdB8wlyB9cdgl5KqEKnTonHUZ8+khvZ6Ap542FCErbnTyDWl8lZ2rA==}
|
|
||||||
engines: {node: '>=0.8.0'}
|
|
||||||
|
|
||||||
'@azure/msal-node@2.11.0':
|
'@azure/msal-node@2.11.0':
|
||||||
resolution: {integrity: sha512-yNRCp4Do4CGSBe1WXq4DWhfa/vYZCUgGrweYLC5my/6eDnYMt0fYGPHuTMw0iRslQGXF3CecGAxXp7ab57V4zg==}
|
resolution: {integrity: sha512-yNRCp4Do4CGSBe1WXq4DWhfa/vYZCUgGrweYLC5my/6eDnYMt0fYGPHuTMw0iRslQGXF3CecGAxXp7ab57V4zg==}
|
||||||
engines: {node: '>=16'}
|
engines: {node: '>=16'}
|
||||||
|
|
||||||
'@azure/msal-node@2.6.4':
|
|
||||||
resolution: {integrity: sha512-nNvEPx009/80UATCToF+29NZYocn01uKrB91xtFr7bSqkqO1PuQGXRyYwryWRztUrYZ1YsSbw9A+LmwOhpVvcg==}
|
|
||||||
engines: {node: '>=16'}
|
|
||||||
|
|
||||||
'@azure/storage-blob@12.11.0':
|
'@azure/storage-blob@12.11.0':
|
||||||
resolution: {integrity: sha512-na+FisoARuaOWaHWpmdtk3FeuTWf2VWamdJ9/TJJzj5ZdXPLC3juoDgFs6XVuJIoK30yuBpyFBEDXVRK4pB7Tg==}
|
resolution: {integrity: sha512-na+FisoARuaOWaHWpmdtk3FeuTWf2VWamdJ9/TJJzj5ZdXPLC3juoDgFs6XVuJIoK30yuBpyFBEDXVRK4pB7Tg==}
|
||||||
engines: {node: '>=12.0.0'}
|
engines: {node: '>=12.0.0'}
|
||||||
|
@ -14300,8 +14257,8 @@ snapshots:
|
||||||
'@azure/core-tracing': 1.0.1
|
'@azure/core-tracing': 1.0.1
|
||||||
'@azure/core-util': 1.7.0
|
'@azure/core-util': 1.7.0
|
||||||
'@azure/logger': 1.0.3
|
'@azure/logger': 1.0.3
|
||||||
'@azure/msal-browser': 3.10.0
|
'@azure/msal-browser': 3.19.0
|
||||||
'@azure/msal-node': 2.6.4
|
'@azure/msal-node': 2.11.0
|
||||||
events: 3.3.0
|
events: 3.3.0
|
||||||
jws: 4.0.0
|
jws: 4.0.0
|
||||||
open: 8.4.0
|
open: 8.4.0
|
||||||
|
@ -14365,30 +14322,18 @@ snapshots:
|
||||||
dependencies:
|
dependencies:
|
||||||
tslib: 2.6.2
|
tslib: 2.6.2
|
||||||
|
|
||||||
'@azure/msal-browser@3.10.0':
|
|
||||||
dependencies:
|
|
||||||
'@azure/msal-common': 14.7.1
|
|
||||||
|
|
||||||
'@azure/msal-browser@3.19.0':
|
'@azure/msal-browser@3.19.0':
|
||||||
dependencies:
|
dependencies:
|
||||||
'@azure/msal-common': 14.13.0
|
'@azure/msal-common': 14.13.0
|
||||||
|
|
||||||
'@azure/msal-common@14.13.0': {}
|
'@azure/msal-common@14.13.0': {}
|
||||||
|
|
||||||
'@azure/msal-common@14.7.1': {}
|
|
||||||
|
|
||||||
'@azure/msal-node@2.11.0':
|
'@azure/msal-node@2.11.0':
|
||||||
dependencies:
|
dependencies:
|
||||||
'@azure/msal-common': 14.13.0
|
'@azure/msal-common': 14.13.0
|
||||||
jsonwebtoken: 9.0.2
|
jsonwebtoken: 9.0.2
|
||||||
uuid: 8.3.2
|
uuid: 8.3.2
|
||||||
|
|
||||||
'@azure/msal-node@2.6.4':
|
|
||||||
dependencies:
|
|
||||||
'@azure/msal-common': 14.7.1
|
|
||||||
jsonwebtoken: 9.0.2
|
|
||||||
uuid: 8.3.2
|
|
||||||
|
|
||||||
'@azure/storage-blob@12.11.0(encoding@0.1.13)':
|
'@azure/storage-blob@12.11.0(encoding@0.1.13)':
|
||||||
dependencies:
|
dependencies:
|
||||||
'@azure/abort-controller': 1.1.0
|
'@azure/abort-controller': 1.1.0
|
||||||
|
@ -17204,7 +17149,7 @@ snapshots:
|
||||||
|
|
||||||
'@rudderstack/rudder-sdk-node@2.0.7(tslib@2.6.2)':
|
'@rudderstack/rudder-sdk-node@2.0.7(tslib@2.6.2)':
|
||||||
dependencies:
|
dependencies:
|
||||||
axios: 1.7.3(debug@3.2.7)
|
axios: 1.7.3(debug@4.3.6)
|
||||||
axios-retry: 3.7.0
|
axios-retry: 3.7.0
|
||||||
component-type: 1.2.1
|
component-type: 1.2.1
|
||||||
join-component: 1.1.0
|
join-component: 1.1.0
|
||||||
|
@ -19400,7 +19345,7 @@ snapshots:
|
||||||
|
|
||||||
agentkeepalive@4.2.1:
|
agentkeepalive@4.2.1:
|
||||||
dependencies:
|
dependencies:
|
||||||
debug: 4.3.4(supports-color@8.1.1)
|
debug: 4.3.4
|
||||||
depd: 1.1.2
|
depd: 1.1.2
|
||||||
humanize-ms: 1.2.1
|
humanize-ms: 1.2.1
|
||||||
transitivePeerDependencies:
|
transitivePeerDependencies:
|
||||||
|
@ -20712,6 +20657,10 @@ snapshots:
|
||||||
optionalDependencies:
|
optionalDependencies:
|
||||||
supports-color: 8.1.1
|
supports-color: 8.1.1
|
||||||
|
|
||||||
|
debug@4.3.4:
|
||||||
|
dependencies:
|
||||||
|
ms: 2.1.2
|
||||||
|
|
||||||
debug@4.3.4(supports-color@8.1.1):
|
debug@4.3.4(supports-color@8.1.1):
|
||||||
dependencies:
|
dependencies:
|
||||||
ms: 2.1.2
|
ms: 2.1.2
|
||||||
|
@ -22572,7 +22521,7 @@ snapshots:
|
||||||
|
|
||||||
infisical-node@1.3.0:
|
infisical-node@1.3.0:
|
||||||
dependencies:
|
dependencies:
|
||||||
axios: 1.7.3(debug@3.2.7)
|
axios: 1.7.3(debug@4.3.6)
|
||||||
dotenv: 16.3.1
|
dotenv: 16.3.1
|
||||||
tweetnacl: 1.0.3
|
tweetnacl: 1.0.3
|
||||||
tweetnacl-util: 0.15.1
|
tweetnacl-util: 0.15.1
|
||||||
|
@ -23687,7 +23636,7 @@ snapshots:
|
||||||
'@types/node': 18.16.16
|
'@types/node': 18.16.16
|
||||||
'@types/uuid': 9.0.7
|
'@types/uuid': 9.0.7
|
||||||
asn1: 0.2.6
|
asn1: 0.2.6
|
||||||
debug: 4.3.4(supports-color@8.1.1)
|
debug: 4.3.4
|
||||||
strict-event-emitter-types: 2.0.0
|
strict-event-emitter-types: 2.0.0
|
||||||
uuid: 9.0.1
|
uuid: 9.0.1
|
||||||
transitivePeerDependencies:
|
transitivePeerDependencies:
|
||||||
|
@ -24311,7 +24260,7 @@ snapshots:
|
||||||
dependencies:
|
dependencies:
|
||||||
'@tediousjs/connection-string': 0.5.0
|
'@tediousjs/connection-string': 0.5.0
|
||||||
commander: 11.1.0
|
commander: 11.1.0
|
||||||
debug: 4.3.5(supports-color@8.1.1)
|
debug: 4.3.6
|
||||||
rfdc: 1.3.0
|
rfdc: 1.3.0
|
||||||
tarn: 3.0.2
|
tarn: 3.0.2
|
||||||
tedious: 16.7.1
|
tedious: 16.7.1
|
||||||
|
@ -25118,7 +25067,7 @@ snapshots:
|
||||||
|
|
||||||
posthog-node@3.2.1:
|
posthog-node@3.2.1:
|
||||||
dependencies:
|
dependencies:
|
||||||
axios: 1.7.3(debug@3.2.7)
|
axios: 1.7.3(debug@4.3.6)
|
||||||
rusha: 0.8.14
|
rusha: 0.8.14
|
||||||
transitivePeerDependencies:
|
transitivePeerDependencies:
|
||||||
- debug
|
- debug
|
||||||
|
@ -26109,7 +26058,7 @@ snapshots:
|
||||||
dependencies:
|
dependencies:
|
||||||
'@kwsites/file-exists': 1.1.1
|
'@kwsites/file-exists': 1.1.1
|
||||||
'@kwsites/promise-deferred': 1.1.1
|
'@kwsites/promise-deferred': 1.1.1
|
||||||
debug: 4.3.4(supports-color@8.1.1)
|
debug: 4.3.4
|
||||||
transitivePeerDependencies:
|
transitivePeerDependencies:
|
||||||
- supports-color
|
- supports-color
|
||||||
|
|
||||||
|
|