fix: Remove XSS Vulnerability in runbookUrl

Used the isUrlSafe Util to check the url's before rendering the `Runbook URL` button, if they aree unsafe it won't render. Also added some simple console logs for feedback
newrelic · May 5, 2021 · c4c2de8 · c4c2de8
1 parent 6f50faf
commit c4c2de8
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 3 deletions.
diff --git a/nerdlets/geo-ops-nerdlet/ViewMap/DetailPanel/Header/index.js b/nerdlets/geo-ops-nerdlet/ViewMap/DetailPanel/Header/index.js
@@ -18,7 +18,7 @@ import {
   ChartContainer
 } from './styles';
 
-import { statusColor } from '../../../../shared/utils';
+import { statusColor, isUrlSafe } from '../../../../shared/utils';
 
 export default class Header extends React.PureComponent {
   static propTypes = {
@@ -77,8 +77,13 @@ export default class Header extends React.PureComponent {
     if (!mapLocation) {
       return null;
     }
-
-    const runbookUrl = mapLocation.runbookUrl || map.runbookUrl || false;
+    console.log(`Map Location Runbook URL is safe: ${isUrlSafe(mapLocation.runbookUrl)}`);
+    console.log(`Map Runbook URL is safe: ${isUrlSafe(map.runbookUrl)}`);
+    const runbookUrl = (isUrlSafe(mapLocation.runbookUrl) ? mapLocation.runbookUrl : false) 
+                        || 
+                        (isUrlSafe(map.runbookUrl) ? map.runbookUrl : false) 
+                        || 
+                        false;
     const contactEmail = mapLocation.contactEmail || map.contactEmail || false;
 
     return (

diff --git a/nerdlets/shared/utils/index.js b/nerdlets/shared/utils/index.js
@@ -212,3 +212,18 @@ export const generateIcon = (mapLocation, isSelectedIcon) => {
     `
   });
 };
+
+// Sanitising URL's
+export const isUrlSafe = url => {
+  try {
+    const fullUrl = new URL(url);
+    const protocol = fullUrl.protocol;
+
+    if (protocol === 'https:' || protocol === 'http:') {
+      return true;
+    }
+  } catch {
+    return false;
+  }
+  return false;
+};