From cff0d1601f2478bb45501af3d537f885757dc0f5 Mon Sep 17 00:00:00 2001 From: Moriz Wahl Date: Thu, 24 Nov 2022 17:52:12 +0100 Subject: [PATCH 1/3] fix(backend): sanitize group description --- backend/src/middleware/xssMiddleware.js | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/backend/src/middleware/xssMiddleware.js b/backend/src/middleware/xssMiddleware.js index 9c528b589..9d08aff8e 100644 --- a/backend/src/middleware/xssMiddleware.js +++ b/backend/src/middleware/xssMiddleware.js @@ -1,7 +1,13 @@ import walkRecursive from '../helpers/walkRecursive' import { cleanHtml } from '../middleware/helpers/cleanHtml.js' -const fields = ['content', 'contentExcerpt', 'reasonDescription'] +const fields = [ + 'content', + 'contentExcerpt', + 'reasonDescription', + 'description', + 'descriptionExcerpt', +] export default { Mutation: async (resolve, root, args, context, info) => { From 3e6566bff5affb72d49566bf79c40c2ded6b0e3d Mon Sep 17 00:00:00 2001 From: Moriz Wahl Date: Thu, 24 Nov 2022 18:24:53 +0100 Subject: [PATCH 2/3] do not sanitize description of embed --- backend/src/helpers/walkRecursive.js | 10 ++++++---- backend/src/middleware/xssMiddleware.js | 7 ++++--- 2 files changed, 10 insertions(+), 7 deletions(-) diff --git a/backend/src/helpers/walkRecursive.js b/backend/src/helpers/walkRecursive.js index 85900eeba..c65d3aa2c 100644 --- a/backend/src/helpers/walkRecursive.js +++ b/backend/src/helpers/walkRecursive.js 
@@ -2,24 +2,26 @@ * iterate through all fields and replace it with the callback result * @property data Array * @property fields Array + * @property fieldName String * @property callback Function */ -function walkRecursive(data, fields, callback, _key) { +function walkRecursive(data, fields, fieldName, callback, _key) { if (!Array.isArray(fields)) { throw new Error('please provide an fields array for the walkRecursive helper') } if (data && typeof data === 'string' && fields.includes(_key)) { // well we found what we searched for, lets replace the value with our callback result - data = callback(data, _key) + const key = _key.split('!') + if (key.length === 1 || key[1] !== fieldName) data = callback(data, _key) } else if (data && Array.isArray(data)) { // go into the rabbit hole and dig through that array data.forEach((res, index) => { - data[index] = walkRecursive(data[index], fields, callback, index) + data[index] = walkRecursive(data[index], fields, fieldName, callback, index) }) } else if (data && typeof data === 'object') { // lets get some keys and stir them Object.keys(data).forEach((k) => { - data[k] = walkRecursive(data[k], fields, callback, k) + data[k] = walkRecursive(data[k], fields, fieldName, callback, k) }) } return data diff --git a/backend/src/middleware/xssMiddleware.js b/backend/src/middleware/xssMiddleware.js index 9d08aff8e..9b15e9712 100644 --- a/backend/src/middleware/xssMiddleware.js +++ b/backend/src/middleware/xssMiddleware.js 
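Review bot: The exclusion check at `const key = _key.split('!')` never sees a `!`, because `_key` is the key of the object being walked (e.g. `description`) while the marker lives in the `fields` list (`'description!embed'` in this patch's xssMiddleware.js hunk), so `fields.includes(_key)` compares the raw key against `'description!embed'`, matches nothing, and `description` is no longer sanitized for any resolver — which silently undoes patch 1. The `key[0]` change in patch 3's walkRecursive.js hunk rests on the same assumption and is a no-op for real keys. Resolve the marker on the `fields` side instead: find the entry whose part before `!` equals `_key`, and skip the callback only when its suffix equals `fieldName`. The function's closing brace and export lie outside the hunk.
```javascript
  if (data && typeof data === 'string') {
    // a fields entry may carry a "!resolverName" suffix: skip the callback
    // only when that resolver (info.fieldName) is the one being processed
    const rule = fields.find((f) => f.split('!')[0] === _key)
    if (rule !== undefined && rule.split('!')[1] !== fieldName) {
      data = callback(data, _key)
    }
  } else if (data && Array.isArray(data)) {
    // … unchanged: array and object recursion …
```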
@@ -1,21 +1,22 @@ import walkRecursive from '../helpers/walkRecursive' import { cleanHtml } from '../middleware/helpers/cleanHtml.js' +// exclamation mark separetes field names, that should not be sanitized const fields = [ 'content', 'contentExcerpt', 'reasonDescription', - 'description', + 'description!embed', 'descriptionExcerpt', ] export default { Mutation: async (resolve, root, args, context, info) => { - args = walkRecursive(args, fields, cleanHtml) + args = walkRecursive(args, fields, info.fieldName, cleanHtml) return resolve(root, args, context, info) }, Query: async (resolve, root, args, context, info) => { const result = await resolve(root, args, context, info) - return walkRecursive(result, fields, cleanHtml) + return walkRecursive(result, fields, info.fieldName, cleanHtml) }, } From 266d846012db518679adaa2aaf53eb58fbec2c14 Mon Sep 17 00:00:00 2001 From: Moriz Wahl Date: Thu, 24 Nov 2022 18:28:02 +0100 Subject: [PATCH 3/3] pass correct key to sanitize callback --- backend/src/helpers/walkRecursive.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/backend/src/helpers/walkRecursive.js b/backend/src/helpers/walkRecursive.js index c65d3aa2c..26a3a01b2 100644 --- a/backend/src/helpers/walkRecursive.js +++ b/backend/src/helpers/walkRecursive.js @@ -12,7 +12,7 @@ function walkRecursive(data, fields, fieldName, callback, _key) { if (data && typeof data === 'string' && fields.includes(_key)) { // well we found what we searched for, lets replace the value with our callback result const key = _key.split('!') - if (key.length === 1 || key[1] !== fieldName) data = callback(data, _key) + if (key.length === 1 || key[1] !== fieldName) data = callback(data, key[0]) } else if (data && Array.isArray(data)) { // go into the rabbit hole and dig through that array data.forEach((res, index) => {
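Review bot: The comment added above `fields` misspells "separates" and does not say what the part after `!` is compared against; suggest `// an optional "!resolverName" suffix names the resolver (info.fieldName) in which this field is left unsanitized`. Because the exclusion is keyed on `info.fieldName` alone, the intended effect is that every `description` string anywhere in the `embed` resolver's result stays raw, not only the embed's own; if that text is taken from a fetched remote page (the embed resolver is not visible here), the client that renders it has to escape it itself, which is worth stating next to the list. A unit test that runs the middleware once with `info.fieldName === 'embed'` and once with another name would pin this behaviour, which patches 1 to 3 do not add.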