fix(core): Replace sanitize-html with xss in XSS validator constraint (#10479)

Iván Ovejero 2024-08-20 20:52:04 +02:00 committed by GitHub
parent aad3e5b677
commit 5dea51aad7
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
4 changed files with 38 additions and 72 deletions


@ -155,7 +155,6 @@
"reflect-metadata": "0.2.2",
"replacestream": "4.0.3",
"samlify": "2.8.9",
"sanitize-html": "2.12.1",
"semver": "7.5.4",
"shelljs": "0.8.5",
"simple-git": "3.17.0",
@ -172,6 +171,7 @@
"ws": "8.17.1",
"xml2js": "catalog:",
"xmllint-wasm": "3.0.1",
"xss": "^1.0.14",
"yamljs": "0.3.0",
"zod": "3.22.4"
}


@ -16,7 +16,8 @@ describe('NoXss', () => {
const entity = new Entity();
describe('Scripts', () => {
const XSS_STRINGS = ['<script src/>', "<script>alert('xss')</script>"];
// eslint-disable-next-line n8n-local-rules/no-unneeded-backticks
const XSS_STRINGS = ['<script src/>', "<script>alert('xss')</script>", `<a href="#">Jack</a>`];
for (const str of XSS_STRINGS) {
test(`should block ${str}`, async () => {
@ -69,4 +70,15 @@ describe('NoXss', () => {
});
}
});
describe('Miscellanous strings', () => {
const VALID_MISCELLANEOUS_STRINGS = ['CI/CD'];
for (const str of VALID_MISCELLANEOUS_STRINGS) {
test(`should allow ${str}`, async () => {
entity.name = str;
await expect(validate(entity)).resolves.toBeEmptyArray();
});
}
});
});
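Review bot: The anchor fixture `<a href="#">Jack</a>` added on line 44 is filed under the `Scripts` describe although it contains no script, so a failure on it would be reported as a script case; a separate group such as `describe('Tags', () => {` (or renaming the group to cover plain tags) keeps the report honest. The new describe title on line 51 misspells "Miscellaneous" as "Miscellanous"; since it is part of the reported test name it is worth fixing as `describe('Miscellaneous strings', () => {`. The `CI/CD` case presumably pins the regression that motivated the dependency swap; a one-line comment above it, e.g. `// slash-containing plain text must not be treated as markup`, would tell a later reader why this string is singled out.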


@ -1,11 +1,16 @@
import xss from 'xss';
import type { ValidationOptions, ValidatorConstraintInterface } from 'class-validator';
import { registerDecorator, ValidatorConstraint } from 'class-validator';
import sanitizeHtml from 'sanitize-html';
@ValidatorConstraint({ name: 'NoXss', async: false })
class NoXssConstraint implements ValidatorConstraintInterface {
validate(value: string) {
return value === sanitizeHtml(value, { allowedTags: [], allowedAttributes: {} });
return (
value ===
xss(value, {
whiteList: {}, // no tags are allowed
})
);
}
defaultMessage() {
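Review bot: The equality check on lines 73–78 rejects any input that `xss` rewrites, not only inputs containing tags: with an empty `whiteList` every tag is escaped rather than removed, and xss's default text handler also escapes a bare `<` or `>`, so plain values such as `a < b` fail validation as XSS. That matches the strictness of the previous `sanitizeHtml` comparison, but it is not obvious from the code, so a comment above the `return` would help, e.g. `// Any rewrite by xss (escaped tags, bare < or >) is treated as a rejection; false positives on plain comparison text are accepted.` The inline `// no tags are allowed` comment could also say that disallowed tags are escaped, not stripped, since that is what makes the strict equality work. The class continues past the hunk (`defaultMessage` on line 80 is cut off).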


@ -6,9 +6,6 @@ settings:
catalogs:
default:
'@types/basic-auth':
specifier: ^1.1.3
version: 1.1.3
'@types/express':
specifier: ^4.17.21
version: 4.17.21
@ -21,15 +18,9 @@ catalogs:
'@types/xml2js':
specifier: ^0.4.14
version: 0.4.14
basic-auth:
specifier: 2.0.1
version: 2.0.1
fast-glob:
specifier: 3.2.12
version: 3.2.12
form-data:
specifier: 4.0.0
version: 4.0.0
lodash:
specifier: 4.17.21
version: 4.17.21
@ -48,28 +39,6 @@ catalogs:
xml2js:
specifier: 0.6.2
version: 0.6.2
frontend:
'@vitest/coverage-v8':
specifier: ^1.6.0
version: 1.6.0
vite:
specifier: ^5.2.12
version: 5.2.12
vitest:
specifier: ^1.6.0
version: 1.6.0
vitest-mock-extended:
specifier: ^1.3.1
version: 1.3.1
vue:
specifier: ^3.4.21
version: 3.4.21
vue-markdown-render:
specifier: ^2.2.1
version: 2.2.1
vue-tsc:
specifier: ^2.0.19
version: 2.0.19
overrides:
'@types/node': ^18.16.16
@ -652,7 +621,7 @@ importers:
version: 1.11.0
axios:
specifier: 1.7.3
version: 1.7.3(debug@3.2.7)
version: 1.7.3(debug@4.3.6)
bcryptjs:
specifier: 2.4.3
version: 2.4.3
@ -824,9 +793,6 @@ importers:
samlify:
specifier: 2.8.9
version: 2.8.9
sanitize-html:
specifier: 2.12.1
version: 2.12.1
semver:
specifier: ^7.5.4
version: 7.6.0
@ -875,6 +841,9 @@ importers:
xmllint-wasm:
specifier: 3.0.1
version: 3.0.1
xss:
specifier: ^1.0.14
version: 1.0.14
yamljs:
specifier: 0.3.0
version: 0.3.0
@ -2166,10 +2135,6 @@ packages:
resolution: {integrity: sha512-aK4s3Xxjrx3daZr3VylxejK3vG5ExXck5WOHDJ8in/k9AqlfIyFMMT1uG7u8mNjX+QRILTIn0/Xgschfh/dQ9g==}
engines: {node: '>=12.0.0'}
'@azure/msal-browser@3.10.0':
resolution: {integrity: sha512-mnmi8dCXVNZI+AGRq0jKQ3YiodlIC4W9npr6FCB9WN6NQT+6rq+cIlxgUb//BjLyzKsnYo+i4LROGeMyU+6v1A==}
engines: {node: '>=0.8.0'}
'@azure/msal-browser@3.19.0':
resolution: {integrity: sha512-3unHlh3qWtXbqks/TLq3qGWzxfmwRfk9tXSGvVCcHHnCH5QKtcg/JiDIeP/1B2qFlqnSgtYY0JPLy9EIVoZ7Ag==}
engines: {node: '>=0.8.0'}
@ -2178,18 +2143,10 @@ packages:
resolution: {integrity: sha512-b4M/tqRzJ4jGU91BiwCsLTqChveUEyFK3qY2wGfZ0zBswIBZjAxopx5CYt5wzZFKuN15HqRDYXQbztttuIC3nA==}
engines: {node: '>=0.8.0'}
'@azure/msal-common@14.7.1':
resolution: {integrity: sha512-v96btzjM7KrAu4NSEdOkhQSTGOuNUIIsUdB8wlyB9cdgl5KqEKnTonHUZ8+khvZ6Ap542FCErbnTyDWl8lZ2rA==}
engines: {node: '>=0.8.0'}
'@azure/msal-node@2.11.0':
resolution: {integrity: sha512-yNRCp4Do4CGSBe1WXq4DWhfa/vYZCUgGrweYLC5my/6eDnYMt0fYGPHuTMw0iRslQGXF3CecGAxXp7ab57V4zg==}
engines: {node: '>=16'}
'@azure/msal-node@2.6.4':
resolution: {integrity: sha512-nNvEPx009/80UATCToF+29NZYocn01uKrB91xtFr7bSqkqO1PuQGXRyYwryWRztUrYZ1YsSbw9A+LmwOhpVvcg==}
engines: {node: '>=16'}
'@azure/storage-blob@12.11.0':
resolution: {integrity: sha512-na+FisoARuaOWaHWpmdtk3FeuTWf2VWamdJ9/TJJzj5ZdXPLC3juoDgFs6XVuJIoK30yuBpyFBEDXVRK4pB7Tg==}
engines: {node: '>=12.0.0'}
@ -14300,8 +14257,8 @@ snapshots:
'@azure/core-tracing': 1.0.1
'@azure/core-util': 1.7.0
'@azure/logger': 1.0.3
'@azure/msal-browser': 3.10.0
'@azure/msal-node': 2.6.4
'@azure/msal-browser': 3.19.0
'@azure/msal-node': 2.11.0
events: 3.3.0
jws: 4.0.0
open: 8.4.0
@ -14365,30 +14322,18 @@ snapshots:
dependencies:
tslib: 2.6.2
'@azure/msal-browser@3.10.0':
dependencies:
'@azure/msal-common': 14.7.1
'@azure/msal-browser@3.19.0':
dependencies:
'@azure/msal-common': 14.13.0
'@azure/msal-common@14.13.0': {}
'@azure/msal-common@14.7.1': {}
'@azure/msal-node@2.11.0':
dependencies:
'@azure/msal-common': 14.13.0
jsonwebtoken: 9.0.2
uuid: 8.3.2
'@azure/msal-node@2.6.4':
dependencies:
'@azure/msal-common': 14.7.1
jsonwebtoken: 9.0.2
uuid: 8.3.2
'@azure/storage-blob@12.11.0(encoding@0.1.13)':
dependencies:
'@azure/abort-controller': 1.1.0
@ -17204,7 +17149,7 @@ snapshots:
'@rudderstack/rudder-sdk-node@2.0.7(tslib@2.6.2)':
dependencies:
axios: 1.7.3(debug@3.2.7)
axios: 1.7.3(debug@4.3.6)
axios-retry: 3.7.0
component-type: 1.2.1
join-component: 1.1.0
@ -19400,7 +19345,7 @@ snapshots:
agentkeepalive@4.2.1:
dependencies:
debug: 4.3.4(supports-color@8.1.1)
debug: 4.3.4
depd: 1.1.2
humanize-ms: 1.2.1
transitivePeerDependencies:
@ -20712,6 +20657,10 @@ snapshots:
optionalDependencies:
supports-color: 8.1.1
debug@4.3.4:
dependencies:
ms: 2.1.2
debug@4.3.4(supports-color@8.1.1):
dependencies:
ms: 2.1.2
@ -22572,7 +22521,7 @@ snapshots:
infisical-node@1.3.0:
dependencies:
axios: 1.7.3(debug@3.2.7)
axios: 1.7.3(debug@4.3.6)
dotenv: 16.3.1
tweetnacl: 1.0.3
tweetnacl-util: 0.15.1
@ -23687,7 +23636,7 @@ snapshots:
'@types/node': 18.16.16
'@types/uuid': 9.0.7
asn1: 0.2.6
debug: 4.3.4(supports-color@8.1.1)
debug: 4.3.4
strict-event-emitter-types: 2.0.0
uuid: 9.0.1
transitivePeerDependencies:
@ -24311,7 +24260,7 @@ snapshots:
dependencies:
'@tediousjs/connection-string': 0.5.0
commander: 11.1.0
debug: 4.3.5(supports-color@8.1.1)
debug: 4.3.6
rfdc: 1.3.0
tarn: 3.0.2
tedious: 16.7.1
@ -25118,7 +25067,7 @@ snapshots:
posthog-node@3.2.1:
dependencies:
axios: 1.7.3(debug@3.2.7)
axios: 1.7.3(debug@4.3.6)
rusha: 0.8.14
transitivePeerDependencies:
- debug
@ -26109,7 +26058,7 @@ snapshots:
dependencies:
'@kwsites/file-exists': 1.1.1
'@kwsites/promise-deferred': 1.1.1
debug: 4.3.4(supports-color@8.1.1)
debug: 4.3.4
transitivePeerDependencies:
- supports-color