diff --git a/charts/budibase/templates/app-service-deployment.yaml b/charts/budibase/templates/app-service-deployment.yaml
index 2b099d01f59..4d0560312fc 100644
--- a/charts/budibase/templates/app-service-deployment.yaml
+++ b/charts/budibase/templates/app-service-deployment.yaml
@@ -184,6 +184,10 @@ spec:
 - name: NODE_DEBUG
 value: {{ .Values.services.apps.nodeDebug | quote }}
 {{ end }}
+ {{ if .Values.services.apps.xssSafeMode }}
+ - name: XSS_SAFE_MODE
+ value: {{ .Values.services.apps.xssSafeMode | quote }}
+ {{ end }}
 {{ if .Values.globals.datadogApmEnabled }}
 - name: DD_LOGS_INJECTION
 value: {{ .Values.globals.datadogApmEnabled | quote }}
diff --git a/packages/server/src/environment.ts b/packages/server/src/environment.ts
index 585eb6a7f2d..45d675ec3f2 100644
--- a/packages/server/src/environment.ts
+++ b/packages/server/src/environment.ts
@@ -83,6 +83,7 @@ const environment = {
 PLUGINS_DIR: process.env.PLUGINS_DIR || DEFAULTS.PLUGINS_DIR,
 MAX_IMPORT_SIZE_MB: process.env.MAX_IMPORT_SIZE_MB,
 SESSION_EXPIRY_SECONDS: process.env.SESSION_EXPIRY_SECONDS,
+ XSS_SAFE_MODE: process.env.XSS_SAFE_MODE,
 // SQL
 SQL_MAX_ROWS: process.env.SQL_MAX_ROWS,
 SQL_LOGGING_ENABLE: process.env.SQL_LOGGING_ENABLE,
diff --git a/packages/server/src/sdk/app/rows/tests/utils.spec.ts b/packages/server/src/sdk/app/rows/tests/utils.spec.ts
index 548b2b6bc98..a7bfee3ea92 100644
--- a/packages/server/src/sdk/app/rows/tests/utils.spec.ts
+++ b/packages/server/src/sdk/app/rows/tests/utils.spec.ts
@@ -8,6 +8,7 @@ import {
 import { generateTableID } from "../../../../db/utils"
 import { validate } from "../utils"
 import { generator } from "@budibase/backend-core/tests"
+import { withEnv } from "../../../../environment"
 
 describe("validate", () => {
 const hour = () => generator.hour().toString().padStart(2, "0")
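Review bot: The `{{ if .Values.services.apps.xssSafeMode }}` guard around the added env block is a plain truthiness test, so a values entry written as the string `"false"` (a common mistake with quoted booleans) still passes it and renders `XSS_SAFE_MODE: "false"` into the pod, which the server side of this diff then stores verbatim as a string. Whether that string counts as enabled depends on how the consumer tests the value, which is not visible here; guarding on the rendered value instead, `{{ if eq (toString .Values.services.apps.xssSafeMode) "true" }}`, makes the chart emit the variable only for a genuine opt-in regardless of how the operator typed it. The chart's values file is not part of this diff; if it is not updated elsewhere, the new `services.apps.xssSafeMode` key should be declared there with a comment stating that it is off unless set.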
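Review bot: `XSS_SAFE_MODE: process.env.XSS_SAFE_MODE` is added to the `environment` object (whose definition starts and ends outside this hunk) as an undocumented raw string with no default, so a reader of environment.ts cannot tell what the setting controls or which values turn it on; the only description in the diff is the spec's "XSS Safe mode" block, which suggests it changes how `validate()` in sdk/app/rows/utils treats row values. A one-line comment above the entry would close that gap, e.g. `// XSS_SAFE_MODE: opt-in hardening applied during row validation (sdk/app/rows/utils); unset = off — confirm how the consumer parses the string`. If the file already normalises `"false"`/`"0"` strings for the other flags further down, say so in the comment so the chart-side guard does not have to.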
@@ -332,4 +333,46 @@ describe("validate", () => { }) }) }) + + describe("XSS Safe mode", () => { + const getTable = (): Table => ({ + type: "table", + _id: generateTableID(), + name: "table", + sourceId: INTERNAL_TABLE_SOURCE_ID, + sourceType: TableSourceType.INTERNAL, + schema: { + text: { + name: "sometext", + type: FieldType.STRING, + }, + }, + }) + it.each([ + "SELECT * FROM users WHERE username = 'admin' --", + "SELECT * FROM users WHERE id = 1; DROP TABLE users;", + "1' OR '1' = '1", + "' OR 'a' = 'a", + "", + '">', + "", + "