-
Notifications
You must be signed in to change notification settings - Fork 8.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(core): Fix XSS validation and separate URL validation #10424
Merged
Merged
Changes from all commits
Commits
Show all changes
4 commits
Select commit
Hold shift + click to select a range
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
43 changes: 0 additions & 43 deletions
43
packages/cli/src/databases/utils/__tests__/customValidators.test.ts
This file was deleted.
Oops, something went wrong.
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
26 changes: 26 additions & 0 deletions
26
packages/cli/src/validators/__tests__/no-url.validator.test.ts
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,26 @@ | ||
import { NoUrl } from '../no-url.validator'; | ||
import { validate } from 'class-validator'; | ||
|
||
describe('NoUrl', () => { | ||
class Entity { | ||
@NoUrl() | ||
name = ''; | ||
} | ||
|
||
const entity = new Entity(); | ||
|
||
describe('URLs', () => { | ||
const URLS = ['http://google.com', 'www.domain.tld']; | ||
|
||
for (const str of URLS) { | ||
test(`should block ${str}`, async () => { | ||
entity.name = str; | ||
const errors = await validate(entity); | ||
expect(errors).toHaveLength(1); | ||
const [error] = errors; | ||
expect(error.property).toEqual('name'); | ||
expect(error.constraints).toEqual({ NoUrl: 'Potentially malicious string' }); | ||
}); | ||
} | ||
}); | ||
}); |
72 changes: 72 additions & 0 deletions
72
packages/cli/src/validators/__tests__/no-xss.validator.test.ts
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,72 @@ | ||
import { NoXss } from '../no-xss.validator'; | ||
import { validate } from 'class-validator'; | ||
|
||
describe('NoXss', () => { | ||
class Entity { | ||
@NoXss() | ||
name = ''; | ||
|
||
@NoXss() | ||
timestamp = ''; | ||
|
||
@NoXss() | ||
version = ''; | ||
} | ||
|
||
const entity = new Entity(); | ||
|
||
describe('Scripts', () => { | ||
const XSS_STRINGS = ['<script src/>', "<script>alert('xss')</script>"]; | ||
|
||
for (const str of XSS_STRINGS) { | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Same in this test suite |
||
test(`should block ${str}`, async () => { | ||
entity.name = str; | ||
const errors = await validate(entity); | ||
expect(errors).toHaveLength(1); | ||
const [error] = errors; | ||
expect(error.property).toEqual('name'); | ||
expect(error.constraints).toEqual({ NoXss: 'Potentially malicious string' }); | ||
}); | ||
} | ||
}); | ||
|
||
describe('Names', () => { | ||
const VALID_NAMES = [ | ||
'Johann Strauß', | ||
'Вагиф Сәмәдоғлу', | ||
'René Magritte', | ||
'সুকুমার রায়', | ||
'མགོན་པོ་རྡོ་རྗེ།', | ||
'عبدالحليم حافظ', | ||
]; | ||
|
||
for (const name of VALID_NAMES) { | ||
test(`should allow ${name}`, async () => { | ||
entity.name = name; | ||
expect(await validate(entity)).toBeEmptyArray(); | ||
}); | ||
} | ||
}); | ||
|
||
describe('ISO-8601 timestamps', () => { | ||
const VALID_TIMESTAMPS = ['2022-01-01T00:00:00.000Z', '2022-01-01T00:00:00.000+02:00']; | ||
|
||
for (const timestamp of VALID_TIMESTAMPS) { | ||
test(`should allow ${timestamp}`, async () => { | ||
entity.timestamp = timestamp; | ||
await expect(validate(entity)).resolves.toBeEmptyArray(); | ||
}); | ||
} | ||
}); | ||
|
||
describe('Semver versions', () => { | ||
const VALID_VERSIONS = ['1.0.0', '1.0.0-alpha.1']; | ||
|
||
for (const version of VALID_VERSIONS) { | ||
test(`should allow ${version}`, async () => { | ||
entity.version = version; | ||
await expect(validate(entity)).resolves.toBeEmptyArray(); | ||
}); | ||
} | ||
}); | ||
}); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,27 @@ | ||
import type { ValidationOptions, ValidatorConstraintInterface } from 'class-validator'; | ||
import { registerDecorator, ValidatorConstraint } from 'class-validator'; | ||
|
||
const URL_REGEX = /^(https?:\/\/|www\.)/i; | ||
|
||
@ValidatorConstraint({ name: 'NoUrl', async: false }) | ||
class NoUrlConstraint implements ValidatorConstraintInterface { | ||
validate(value: string) { | ||
return !URL_REGEX.test(value); | ||
} | ||
|
||
defaultMessage() { | ||
return 'Potentially malicious string'; | ||
} | ||
} | ||
|
||
export function NoUrl(options?: ValidationOptions) { | ||
return function (object: object, propertyName: string) { | ||
registerDecorator({ | ||
name: 'NoUrl', | ||
target: object.constructor, | ||
propertyName, | ||
options, | ||
validator: NoUrlConstraint, | ||
}); | ||
}; | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,26 @@ | ||
import type { ValidationOptions, ValidatorConstraintInterface } from 'class-validator'; | ||
import { registerDecorator, ValidatorConstraint } from 'class-validator'; | ||
import sanitizeHtml from 'sanitize-html'; | ||
|
||
@ValidatorConstraint({ name: 'NoXss', async: false }) | ||
class NoXssConstraint implements ValidatorConstraintInterface { | ||
validate(value: string) { | ||
return value === sanitizeHtml(value, { allowedTags: [], allowedAttributes: {} }); | ||
} | ||
|
||
defaultMessage() { | ||
return 'Potentially malicious string'; | ||
} | ||
} | ||
|
||
export function NoXss(options?: ValidationOptions) { | ||
return function (object: object, propertyName: string) { | ||
registerDecorator({ | ||
name: 'NoXss', | ||
target: object.constructor, | ||
propertyName, | ||
options, | ||
validator: NoXssConstraint, | ||
}); | ||
}; | ||
} |
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
Oops, something went wrong.
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
test.each
is made for cases like this:There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks! I've always found a simple loop more readable and easier to remember, for
test.each
I always have to look up the syntax 😓 Istest.each
faster or better in some other way?There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fair point. Personally I find
test.each
more readable :D There are subtle differences also, like mentioned in this SO comment