From 49f30e051c9f6e28977d57d0e5f49c1294094e41 Mon Sep 17 00:00:00 2001
From: timothycarambat <rambat1010@gmail.com>
Date: Fri, 29 Mar 2024 13:39:11 -0700
Subject: [PATCH] security: patch footer icon self-xss from privledged user

---
 server/models/systemSettings.js |  7 +++++--
 server/utils/http/index.js      | 10 ++++++++++
 2 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/server/models/systemSettings.js b/server/models/systemSettings.js
index e4c0f9499..9809a716e 100644
--- a/server/models/systemSettings.js
+++ b/server/models/systemSettings.js
@@ -2,6 +2,7 @@ process.env.NODE_ENV === "development"
   ? require("dotenv").config({ path: `.env.${process.env.NODE_ENV}` })
   : require("dotenv").config();
 
+const { isValidUrl } = require("../utils/http");
 const prisma = require("../utils/prisma");
 
 const SystemSettings = {
@@ -18,8 +19,10 @@ const SystemSettings = {
   validations: {
     footer_data: (updates) => {
       try {
-        const array = JSON.parse(updates);
-        return JSON.stringify(array.slice(0, 3)); // max of 3 items in footer.
+        const array = JSON.parse(updates)
+          .filter((setting) => isValidUrl(setting.url))
+          .slice(0, 3); // max of 3 items in footer.
+        return JSON.stringify(array);
       } catch (e) {
         console.error(`Failed to run validation function on footer_data`);
         return JSON.stringify([]);
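Review bot: The new filter on `JSON.parse(updates)` still lets one malformed entry wipe the whole footer, because a non-array payload or a `null` element makes `.filter` / `setting.url` throw inside the try and the catch then returns `[]` instead of dropping only that entry. Guard the shape first, e.g. `const parsed = JSON.parse(updates);` followed by `const array = (Array.isArray(parsed) ? parsed : []).filter((setting) => isValidUrl(setting?.url)).slice(0, 3);`. The filter checks only `url`; every other field on each entry passes through unchanged, which is fine only as long as nothing else from these entries is rendered as markup on the client — worth confirming. The `console.error` in the catch also discards `e`, so a rejected payload leaves no trace of why; `console.error(`Failed to run validation function on footer_data`, e)` would keep the cause. The enclosing `footer_data` function continues past the hunk.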
diff --git a/server/utils/http/index.js b/server/utils/http/index.js
index 084b09c7e..eedc33154 100644
--- a/server/utils/http/index.js
+++ b/server/utils/http/index.js
@@ -68,6 +68,15 @@ function safeJsonParse(jsonString, fallback = null) {
   return fallback;
 }
 
+function isValidUrl(urlString = "") {
+  try {
+    const url = new URL(urlString);
+    if (!["http:", "https:"].includes(url.protocol)) return false;
+    return true;
+  } catch (e) {}
+  return false;
+}
+
 module.exports = {
   reqBody,
   multiUserMode,
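Review bot: `isValidUrl` is exported without a JSDoc, and since it is now the gate deciding which footer links survive validation its contract should be spelled out: `/** Returns true only for strings that parse as an absolute http(s) URL; relative paths and every other scheme are rejected. */`. Relative links such as `/docs` fail here because `new URL` is called without a base, so if the footer is meant to hold same-origin paths that is a behavior change to flag. The body can be a single allowlist expression, `return ["http:", "https:"].includes(url.protocol);`, which reads more clearly than the negated `if` followed by `return true`, and the unused `e` binding on the catch can be dropped. `new URL` lowercases `protocol`, so mixed-case schemes are already handled correctly.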
@@ -77,4 +86,5 @@ module.exports = {
   userFromSession,
   parseAuthHeader,
   safeJsonParse,
+  isValidUrl,
 };
-- 
GitLab