From 91467ab325e4c71c20c522f3143246d270101626 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Iv=C3=A1n=20Ovejero?= Date: Fri, 16 Aug 2024 10:49:08 +0200 Subject: [PATCH] fix(core): Fix XSS validation and separate URL validation (#10424) --- packages/cli/package.json | 1 + packages/cli/src/GenericHelpers.ts | 2 +- packages/cli/src/databases/entities/User.ts | 5 +- .../utils/__tests__/customValidators.test.ts | 43 ----------- .../src/databases/utils/customValidators.ts | 18 ----- packages/cli/src/requests.ts | 5 +- .../__tests__/no-url.validator.test.ts | 26 +++++++ .../__tests__/no-xss.validator.test.ts | 72 +++++++++++++++++++ .../cli/src/validators/no-url.validator.ts | 27 +++++++ .../cli/src/validators/no-xss.validator.ts | 26 +++++++ pnpm-lock.yaml | 5 +- 11 files changed, 165 insertions(+), 65 deletions(-) delete mode 100644 packages/cli/src/databases/utils/__tests__/customValidators.test.ts delete mode 100644 packages/cli/src/databases/utils/customValidators.ts create mode 100644 packages/cli/src/validators/__tests__/no-url.validator.test.ts create mode 100644 packages/cli/src/validators/__tests__/no-xss.validator.test.ts create mode 100644 packages/cli/src/validators/no-url.validator.ts create mode 100644 packages/cli/src/validators/no-xss.validator.ts diff --git a/packages/cli/package.json b/packages/cli/package.json index 54ca084465..80bf0c4e62 100644 --- a/packages/cli/package.json +++ b/packages/cli/package.json @@ -155,6 +155,7 @@ "reflect-metadata": "0.2.2", "replacestream": "4.0.3", "samlify": "2.8.9", + "sanitize-html": "2.12.1", "semver": "7.5.4", "shelljs": "0.8.5", "simple-git": "3.17.0", diff --git a/packages/cli/src/GenericHelpers.ts b/packages/cli/src/GenericHelpers.ts index 300f24f9f9..57dcb60207 100644 --- a/packages/cli/src/GenericHelpers.ts +++ b/packages/cli/src/GenericHelpers.ts @@ -9,7 +9,7 @@ import type { UserUpdatePayload, } from '@/requests'; import { BadRequestError } from './errors/response-errors/bad-request.error'; -import { NoXss } from './databases/utils/customValidators'; +import { NoXss } from '@/validators/no-xss.validator'; export async function validateEntity( entity: diff --git a/packages/cli/src/databases/entities/User.ts b/packages/cli/src/databases/entities/User.ts index d24af19742..dad8bbbe80 100644 --- a/packages/cli/src/databases/entities/User.ts +++ b/packages/cli/src/databases/entities/User.ts @@ -13,7 +13,7 @@ import { IsEmail, IsString, Length } from 'class-validator'; import type { IUser, IUserSettings } from 'n8n-workflow'; import type { SharedWorkflow } from './SharedWorkflow'; import type { SharedCredentials } from './SharedCredentials'; -import { NoXss } from '../utils/customValidators'; +import { NoXss } from '@/validators/no-xss.validator'; import { objectRetriever, lowerCaser } from '../utils/transformers'; import { WithTimestamps, jsonColumnType } from './AbstractEntity'; import type { IPersonalizationSurveyAnswers } from '@/Interfaces'; @@ -25,6 +25,7 @@ import { } from '@/permissions/global-roles'; import { hasScope, type ScopeOptions, type Scope } from '@n8n/permissions'; import type { ProjectRelation } from './ProjectRelation'; +import { NoUrl } from '@/validators/no-url.validator'; export type GlobalRole = 'global:owner' | 'global:admin' | 'global:member'; export type AssignableRole = Exclude; @@ -51,12 +52,14 @@ export class User extends WithTimestamps implements IUser { @Column({ length: 32, nullable: true }) @NoXss() + @NoUrl() @IsString({ message: 'First name must be of type string.' }) @Length(1, 32, { message: 'First name must be $constraint1 to $constraint2 characters long.' }) firstName: string; @Column({ length: 32, nullable: true }) @NoXss() + @NoUrl() @IsString({ message: 'Last name must be of type string.' }) @Length(1, 32, { message: 'Last name must be $constraint1 to $constraint2 characters long.' }) lastName: string; diff --git a/packages/cli/src/databases/utils/__tests__/customValidators.test.ts b/packages/cli/src/databases/utils/__tests__/customValidators.test.ts deleted file mode 100644 index df906b36d6..0000000000 --- a/packages/cli/src/databases/utils/__tests__/customValidators.test.ts +++ /dev/null @@ -1,43 +0,0 @@ -import { NoXss } from '@db/utils/customValidators'; -import { validate } from 'class-validator'; - -describe('customValidators', () => { - describe('NoXss', () => { - class Person { - @NoXss() - name: string; - } - const person = new Person(); - - const invalidNames = ['http://google.com', '"]; + + for (const str of XSS_STRINGS) { + test(`should block ${str}`, async () => { + entity.name = str; + const errors = await validate(entity); + expect(errors).toHaveLength(1); + const [error] = errors; + expect(error.property).toEqual('name'); + expect(error.constraints).toEqual({ NoXss: 'Potentially malicious string' }); + }); + } + }); + + describe('Names', () => { + const VALID_NAMES = [ + 'Johann Strauß', + 'Вагиф Сәмәдоғлу', + 'René Magritte', + 'সুকুমার রায়', + 'མགོན་པོ་རྡོ་རྗེ།', + 'عبدالحليم حافظ', + ]; + + for (const name of VALID_NAMES) { + test(`should allow ${name}`, async () => { + entity.name = name; + expect(await validate(entity)).toBeEmptyArray(); + }); + } + }); + + describe('ISO-8601 timestamps', () => { + const VALID_TIMESTAMPS = ['2022-01-01T00:00:00.000Z', '2022-01-01T00:00:00.000+02:00']; + + for (const timestamp of VALID_TIMESTAMPS) { + test(`should allow ${timestamp}`, async () => { + entity.timestamp = timestamp; + await expect(validate(entity)).resolves.toBeEmptyArray(); + }); + } + }); + + describe('Semver versions', () => { + const VALID_VERSIONS = ['1.0.0', '1.0.0-alpha.1']; + + for (const version of VALID_VERSIONS) { + test(`should allow ${version}`, async () => { + entity.version = version; + await expect(validate(entity)).resolves.toBeEmptyArray(); + }); + } + }); +}); diff --git a/packages/cli/src/validators/no-url.validator.ts b/packages/cli/src/validators/no-url.validator.ts new file mode 100644 index 0000000000..1df05fed5f --- /dev/null +++ b/packages/cli/src/validators/no-url.validator.ts @@ -0,0 +1,27 @@ +import type { ValidationOptions, ValidatorConstraintInterface } from 'class-validator'; +import { registerDecorator, ValidatorConstraint } from 'class-validator'; + +const URL_REGEX = /^(https?:\/\/|www\.)/i; + +@ValidatorConstraint({ name: 'NoUrl', async: false }) +class NoUrlConstraint implements ValidatorConstraintInterface { + validate(value: string) { + return !URL_REGEX.test(value); + } + + defaultMessage() { + return 'Potentially malicious string'; + } +} + +export function NoUrl(options?: ValidationOptions) { + return function (object: object, propertyName: string) { + registerDecorator({ + name: 'NoUrl', + target: object.constructor, + propertyName, + options, + validator: NoUrlConstraint, + }); + }; +} diff --git a/packages/cli/src/validators/no-xss.validator.ts b/packages/cli/src/validators/no-xss.validator.ts new file mode 100644 index 0000000000..8075309df9 --- /dev/null +++ b/packages/cli/src/validators/no-xss.validator.ts @@ -0,0 +1,26 @@ +import type { ValidationOptions, ValidatorConstraintInterface } from 'class-validator'; +import { registerDecorator, ValidatorConstraint } from 'class-validator'; +import sanitizeHtml from 'sanitize-html'; + +@ValidatorConstraint({ name: 'NoXss', async: false }) +class NoXssConstraint implements ValidatorConstraintInterface { + validate(value: string) { + return value === sanitizeHtml(value, { allowedTags: [], allowedAttributes: {} }); + } + + defaultMessage() { + return 'Potentially malicious string'; + } +} + +export function NoXss(options?: ValidationOptions) { + return function (object: object, propertyName: string) { + registerDecorator({ + name: 'NoXss', + target: object.constructor, + propertyName, + options, + validator: NoXssConstraint, + }); + }; +} diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index f62ed3f36a..71b974f669 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -824,6 +824,9 @@ importers: samlify: specifier: 2.8.9 version: 2.8.9 + sanitize-html: + specifier: 2.12.1 + version: 2.12.1 semver: specifier: ^7.5.4 version: 7.6.0 @@ -22445,7 +22448,7 @@ snapshots: domelementtype: 2.3.0 domhandler: 5.0.3 domutils: 3.0.1 - entities: 4.4.0 + entities: 4.5.0 http-cache-semantics@4.1.1: optional: true