fix(core): Replace sanitize-html with xss in XSS validator constraint (#10479)
parent
aad3e5b677
commit
5dea51aad7
|
@ -155,7 +155,6 @@
|
|||
"reflect-metadata": "0.2.2",
|
||||
"replacestream": "4.0.3",
|
||||
"samlify": "2.8.9",
|
||||
"sanitize-html": "2.12.1",
|
||||
"semver": "7.5.4",
|
||||
"shelljs": "0.8.5",
|
||||
"simple-git": "3.17.0",
|
||||
|
@ -172,6 +171,7 @@
|
|||
"ws": "8.17.1",
|
||||
"xml2js": "catalog:",
|
||||
"xmllint-wasm": "3.0.1",
|
||||
"xss": "^1.0.14",
|
||||
"yamljs": "0.3.0",
|
||||
"zod": "3.22.4"
|
||||
}
|
||||
|
|
|
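Review bot: The new `"xss": "^1.0.14"` entry is the only caret range among the dependencies visible in this section; every neighbouring entry (`"semver": "7.5.4"`, `"xmllint-wasm": "3.0.1"`, `"yamljs": "0.3.0"`) is pinned exactly. For a package that sits on a validation path, keeping the file's exact-pin convention (`"xss": "1.0.14"`) makes a later upgrade an explicit, reviewable change rather than something a lockfile refresh may pick up silently. Separately, the lockfile hunks of this same commit also move `@azure/msal-browser` 3.10.0→3.19.0 and `@azure/msal-node` 2.6.4→2.11.0 and change several `debug`/`axios` resolutions; those are unrelated to the sanitize-html swap and would be easier to audit as their own commit.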
@ -16,7 +16,8 @@ describe('NoXss', () => {
|
|||
const entity = new Entity();
|
||||
|
||||
describe('Scripts', () => {
|
||||
const XSS_STRINGS = ['<script src/>', "<script>alert('xss')</script>"];
|
||||
// eslint-disable-next-line n8n-local-rules/no-unneeded-backticks
|
||||
const XSS_STRINGS = ['<script src/>', "<script>alert('xss')</script>", `<a href="#">Jack</a>`];
|
||||
|
||||
for (const str of XSS_STRINGS) {
|
||||
test(`should block ${str}`, async () => {
|
||||
|
@ -69,4 +70,15 @@ describe('NoXss', () => {
|
|||
});
|
||||
}
|
||||
});
|
||||
|
||||
describe('Miscellanous strings', () => {
|
||||
const VALID_MISCELLANEOUS_STRINGS = ['CI/CD'];
|
||||
|
||||
for (const str of VALID_MISCELLANEOUS_STRINGS) {
|
||||
test(`should allow ${str}`, async () => {
|
||||
entity.name = str;
|
||||
await expect(validate(entity)).resolves.toBeEmptyArray();
|
||||
});
|
||||
}
|
||||
});
|
||||
});
|
||||
|
|
|
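Review bot: The new describe label `describe('Miscellanous strings', …)` misspells "Miscellaneous"; since the label is part of every reported test name, `describe('Miscellaneous strings', …)` keeps it grep-able and consistent with the `VALID_MISCELLANEOUS_STRINGS` constant in the same hunk. The added cases also leave the validator's boundary unpinned: `VALID_MISCELLANEOUS_STRINGS` holds only `'CI/CD'`, and no case states whether a bare comparison such as `'a < b'` or an entity-encoded value such as `'&amp;'` is meant to pass or be rejected, which is precisely the behaviour that can shift when the underlying sanitizer is swapped. Adding one such string to whichever list matches the intended behaviour would surface a future library change here rather than in production. The enclosing `describe('NoXss', …)` block starts before the first hunk of this file.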
@ -1,11 +1,16 @@
|
|||
import xss from 'xss';
|
||||
import type { ValidationOptions, ValidatorConstraintInterface } from 'class-validator';
|
||||
import { registerDecorator, ValidatorConstraint } from 'class-validator';
|
||||
import sanitizeHtml from 'sanitize-html';
|
||||
|
||||
@ValidatorConstraint({ name: 'NoXss', async: false })
|
||||
class NoXssConstraint implements ValidatorConstraintInterface {
|
||||
validate(value: string) {
|
||||
return value === sanitizeHtml(value, { allowedTags: [], allowedAttributes: {} });
|
||||
return (
|
||||
value ===
|
||||
xss(value, {
|
||||
whiteList: {}, // no tags are allowed
|
||||
})
|
||||
);
|
||||
}
|
||||
|
||||
defaultMessage() {
|
||||
|
|
|
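Review bot: The rewritten `validate` accepts a value only when `xss(value, { whiteList: {} })` returns it unchanged, but nothing in the class records that contract, so a reader cannot tell that bare `<` or `>` in ordinary text is (presumably, given the library's default text escaping — verify against the pinned 1.0.14) rejected exactly like a tag. A comment above `return (` would make this explicit: `// Accept only values the filter leaves untouched: with an empty whiteList every tag is escaped, and the library by default also escapes bare '<' / '>' in plain text, so those characters are effectively disallowed.` The method also lacks a return type; `validate(value: string): boolean {` matches the `ValidatorConstraintInterface` contract and lets the compiler check the body. Because class-validator passes whatever the decorated property currently holds, `value` may not be a string at runtime, and a guard such as `if (typeof value !== 'string') return false;` before the call makes that rejection explicit instead of depending on how `xss` coerces non-strings. The class continues past the hunk (`defaultMessage() {` is cut off at the end).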
@ -6,9 +6,6 @@ settings:
|
|||
|
||||
catalogs:
|
||||
default:
|
||||
'@types/basic-auth':
|
||||
specifier: ^1.1.3
|
||||
version: 1.1.3
|
||||
'@types/express':
|
||||
specifier: ^4.17.21
|
||||
version: 4.17.21
|
||||
|
@ -21,15 +18,9 @@ catalogs:
|
|||
'@types/xml2js':
|
||||
specifier: ^0.4.14
|
||||
version: 0.4.14
|
||||
basic-auth:
|
||||
specifier: 2.0.1
|
||||
version: 2.0.1
|
||||
fast-glob:
|
||||
specifier: 3.2.12
|
||||
version: 3.2.12
|
||||
form-data:
|
||||
specifier: 4.0.0
|
||||
version: 4.0.0
|
||||
lodash:
|
||||
specifier: 4.17.21
|
||||
version: 4.17.21
|
||||
|
@ -48,28 +39,6 @@ catalogs:
|
|||
xml2js:
|
||||
specifier: 0.6.2
|
||||
version: 0.6.2
|
||||
frontend:
|
||||
'@vitest/coverage-v8':
|
||||
specifier: ^1.6.0
|
||||
version: 1.6.0
|
||||
vite:
|
||||
specifier: ^5.2.12
|
||||
version: 5.2.12
|
||||
vitest:
|
||||
specifier: ^1.6.0
|
||||
version: 1.6.0
|
||||
vitest-mock-extended:
|
||||
specifier: ^1.3.1
|
||||
version: 1.3.1
|
||||
vue:
|
||||
specifier: ^3.4.21
|
||||
version: 3.4.21
|
||||
vue-markdown-render:
|
||||
specifier: ^2.2.1
|
||||
version: 2.2.1
|
||||
vue-tsc:
|
||||
specifier: ^2.0.19
|
||||
version: 2.0.19
|
||||
|
||||
overrides:
|
||||
'@types/node': ^18.16.16
|
||||
|
@ -652,7 +621,7 @@ importers:
|
|||
version: 1.11.0
|
||||
axios:
|
||||
specifier: 1.7.3
|
||||
version: 1.7.3(debug@3.2.7)
|
||||
version: 1.7.3(debug@4.3.6)
|
||||
bcryptjs:
|
||||
specifier: 2.4.3
|
||||
version: 2.4.3
|
||||
|
@ -824,9 +793,6 @@ importers:
|
|||
samlify:
|
||||
specifier: 2.8.9
|
||||
version: 2.8.9
|
||||
sanitize-html:
|
||||
specifier: 2.12.1
|
||||
version: 2.12.1
|
||||
semver:
|
||||
specifier: ^7.5.4
|
||||
version: 7.6.0
|
||||
|
@ -875,6 +841,9 @@ importers:
|
|||
xmllint-wasm:
|
||||
specifier: 3.0.1
|
||||
version: 3.0.1
|
||||
xss:
|
||||
specifier: ^1.0.14
|
||||
version: 1.0.14
|
||||
yamljs:
|
||||
specifier: 0.3.0
|
||||
version: 0.3.0
|
||||
|
@ -2166,10 +2135,6 @@ packages:
|
|||
resolution: {integrity: sha512-aK4s3Xxjrx3daZr3VylxejK3vG5ExXck5WOHDJ8in/k9AqlfIyFMMT1uG7u8mNjX+QRILTIn0/Xgschfh/dQ9g==}
|
||||
engines: {node: '>=12.0.0'}
|
||||
|
||||
'@azure/msal-browser@3.10.0':
|
||||
resolution: {integrity: sha512-mnmi8dCXVNZI+AGRq0jKQ3YiodlIC4W9npr6FCB9WN6NQT+6rq+cIlxgUb//BjLyzKsnYo+i4LROGeMyU+6v1A==}
|
||||
engines: {node: '>=0.8.0'}
|
||||
|
||||
'@azure/msal-browser@3.19.0':
|
||||
resolution: {integrity: sha512-3unHlh3qWtXbqks/TLq3qGWzxfmwRfk9tXSGvVCcHHnCH5QKtcg/JiDIeP/1B2qFlqnSgtYY0JPLy9EIVoZ7Ag==}
|
||||
engines: {node: '>=0.8.0'}
|
||||
|
@ -2178,18 +2143,10 @@ packages:
|
|||
resolution: {integrity: sha512-b4M/tqRzJ4jGU91BiwCsLTqChveUEyFK3qY2wGfZ0zBswIBZjAxopx5CYt5wzZFKuN15HqRDYXQbztttuIC3nA==}
|
||||
engines: {node: '>=0.8.0'}
|
||||
|
||||
'@azure/msal-common@14.7.1':
|
||||
resolution: {integrity: sha512-v96btzjM7KrAu4NSEdOkhQSTGOuNUIIsUdB8wlyB9cdgl5KqEKnTonHUZ8+khvZ6Ap542FCErbnTyDWl8lZ2rA==}
|
||||
engines: {node: '>=0.8.0'}
|
||||
|
||||
'@azure/msal-node@2.11.0':
|
||||
resolution: {integrity: sha512-yNRCp4Do4CGSBe1WXq4DWhfa/vYZCUgGrweYLC5my/6eDnYMt0fYGPHuTMw0iRslQGXF3CecGAxXp7ab57V4zg==}
|
||||
engines: {node: '>=16'}
|
||||
|
||||
'@azure/msal-node@2.6.4':
|
||||
resolution: {integrity: sha512-nNvEPx009/80UATCToF+29NZYocn01uKrB91xtFr7bSqkqO1PuQGXRyYwryWRztUrYZ1YsSbw9A+LmwOhpVvcg==}
|
||||
engines: {node: '>=16'}
|
||||
|
||||
'@azure/storage-blob@12.11.0':
|
||||
resolution: {integrity: sha512-na+FisoARuaOWaHWpmdtk3FeuTWf2VWamdJ9/TJJzj5ZdXPLC3juoDgFs6XVuJIoK30yuBpyFBEDXVRK4pB7Tg==}
|
||||
engines: {node: '>=12.0.0'}
|
||||
|
@ -14300,8 +14257,8 @@ snapshots:
|
|||
'@azure/core-tracing': 1.0.1
|
||||
'@azure/core-util': 1.7.0
|
||||
'@azure/logger': 1.0.3
|
||||
'@azure/msal-browser': 3.10.0
|
||||
'@azure/msal-node': 2.6.4
|
||||
'@azure/msal-browser': 3.19.0
|
||||
'@azure/msal-node': 2.11.0
|
||||
events: 3.3.0
|
||||
jws: 4.0.0
|
||||
open: 8.4.0
|
||||
|
@ -14365,30 +14322,18 @@ snapshots:
|
|||
dependencies:
|
||||
tslib: 2.6.2
|
||||
|
||||
'@azure/msal-browser@3.10.0':
|
||||
dependencies:
|
||||
'@azure/msal-common': 14.7.1
|
||||
|
||||
'@azure/msal-browser@3.19.0':
|
||||
dependencies:
|
||||
'@azure/msal-common': 14.13.0
|
||||
|
||||
'@azure/msal-common@14.13.0': {}
|
||||
|
||||
'@azure/msal-common@14.7.1': {}
|
||||
|
||||
'@azure/msal-node@2.11.0':
|
||||
dependencies:
|
||||
'@azure/msal-common': 14.13.0
|
||||
jsonwebtoken: 9.0.2
|
||||
uuid: 8.3.2
|
||||
|
||||
'@azure/msal-node@2.6.4':
|
||||
dependencies:
|
||||
'@azure/msal-common': 14.7.1
|
||||
jsonwebtoken: 9.0.2
|
||||
uuid: 8.3.2
|
||||
|
||||
'@azure/storage-blob@12.11.0(encoding@0.1.13)':
|
||||
dependencies:
|
||||
'@azure/abort-controller': 1.1.0
|
||||
|
@ -17204,7 +17149,7 @@ snapshots:
|
|||
|
||||
'@rudderstack/rudder-sdk-node@2.0.7(tslib@2.6.2)':
|
||||
dependencies:
|
||||
axios: 1.7.3(debug@3.2.7)
|
||||
axios: 1.7.3(debug@4.3.6)
|
||||
axios-retry: 3.7.0
|
||||
component-type: 1.2.1
|
||||
join-component: 1.1.0
|
||||
|
@ -19400,7 +19345,7 @@ snapshots:
|
|||
|
||||
agentkeepalive@4.2.1:
|
||||
dependencies:
|
||||
debug: 4.3.4(supports-color@8.1.1)
|
||||
debug: 4.3.4
|
||||
depd: 1.1.2
|
||||
humanize-ms: 1.2.1
|
||||
transitivePeerDependencies:
|
||||
|
@ -20712,6 +20657,10 @@ snapshots:
|
|||
optionalDependencies:
|
||||
supports-color: 8.1.1
|
||||
|
||||
debug@4.3.4:
|
||||
dependencies:
|
||||
ms: 2.1.2
|
||||
|
||||
debug@4.3.4(supports-color@8.1.1):
|
||||
dependencies:
|
||||
ms: 2.1.2
|
||||
|
@ -22572,7 +22521,7 @@ snapshots:
|
|||
|
||||
infisical-node@1.3.0:
|
||||
dependencies:
|
||||
axios: 1.7.3(debug@3.2.7)
|
||||
axios: 1.7.3(debug@4.3.6)
|
||||
dotenv: 16.3.1
|
||||
tweetnacl: 1.0.3
|
||||
tweetnacl-util: 0.15.1
|
||||
|
@ -23687,7 +23636,7 @@ snapshots:
|
|||
'@types/node': 18.16.16
|
||||
'@types/uuid': 9.0.7
|
||||
asn1: 0.2.6
|
||||
debug: 4.3.4(supports-color@8.1.1)
|
||||
debug: 4.3.4
|
||||
strict-event-emitter-types: 2.0.0
|
||||
uuid: 9.0.1
|
||||
transitivePeerDependencies:
|
||||
|
@ -24311,7 +24260,7 @@ snapshots:
|
|||
dependencies:
|
||||
'@tediousjs/connection-string': 0.5.0
|
||||
commander: 11.1.0
|
||||
debug: 4.3.5(supports-color@8.1.1)
|
||||
debug: 4.3.6
|
||||
rfdc: 1.3.0
|
||||
tarn: 3.0.2
|
||||
tedious: 16.7.1
|
||||
|
@ -25118,7 +25067,7 @@ snapshots:
|
|||
|
||||
posthog-node@3.2.1:
|
||||
dependencies:
|
||||
axios: 1.7.3(debug@3.2.7)
|
||||
axios: 1.7.3(debug@4.3.6)
|
||||
rusha: 0.8.14
|
||||
transitivePeerDependencies:
|
||||
- debug
|
||||
|
@ -26109,7 +26058,7 @@ snapshots:
|
|||
dependencies:
|
||||
'@kwsites/file-exists': 1.1.1
|
||||
'@kwsites/promise-deferred': 1.1.1
|
||||
debug: 4.3.4(supports-color@8.1.1)
|
||||
debug: 4.3.4
|
||||
transitivePeerDependencies:
|
||||
- supports-color
|
||||
|
||||
|
|