Patches XSS vulnerability found in relay handlers (#485)

* Patches XSS vulnerability found in relay handlers * chore: Improved request validation for the client/criteria route
switcherapi · Mar 31, 2024 · 3357d79 · 3357d79
1 parent a3b7b3e
commit 3357d79
Show file tree

Hide file tree

Showing 3 changed files with 52 additions and 6 deletions.
diff --git a/src/client/relay/index.js b/src/client/relay/index.js
@@ -9,8 +9,9 @@ const agent = async (url) => {
 };
 
 export async function resolveNotification(relay, entry, environment) {
-    const url = relay.endpoint[environment];
-    const header = createHeader(relay.auth_prefix, relay.auth_token, environment);
+    const env = Object.keys(relay.endpoint).find(e => e === environment);
+    const url = relay.endpoint[env];
+    const header = createHeader(relay.auth_prefix, relay.auth_token, env);
 
     if (relay.method === RelayMethods.GET) {
         get(url, createParams(entry), header);
@@ -22,8 +23,9 @@ export async function resolveNotification(relay, entry, environment) {
 export async function resolveValidation(relay, entry, environment) {
     let response;
 
-    const url = relay.endpoint[environment];
-    const header = createHeader(relay.auth_prefix, relay.auth_token, environment);
+    const env = Object.keys(relay.endpoint).find(e => e === environment);
+    const url = relay.endpoint[env];
+    const header = createHeader(relay.auth_prefix, relay.auth_token, env);
 
     if (relay.method === RelayMethods.GET) {
         response = await get(url, createParams(entry), header);

diff --git a/src/routers/client-api.js b/src/routers/client-api.js
@@ -6,6 +6,7 @@ import { resolveCriteria, checkDomain } from '../client/resolvers';
 import { getConfigs } from '../services/config';
 import { body, check, query } from 'express-validator';
 import { clientLimiter } from '../middleware/limiter';
+import { StrategiesType } from '../models/config-strategy';
 
 const router = new express.Router();
 
@@ -14,8 +15,11 @@ const router = new express.Router();
 // GET /check?key=KEY&showStrategy=true
 // GET /check?key=KEY&bypassMetric=true
 router.post('/criteria', componentAuth, clientLimiter, [
-    query('key').isLength({ min: 1 }),
-    body('entry.*.input').isString()
+    query('key').isLength({ min: 1 }).withMessage('Key is required'),
+    body('entry').isArray().optional().withMessage('Entry must be an array'),
+    body('entry.*.input').isString(),
+    body('entry.*.strategy').isString()
+        .custom(value => Object.values(StrategiesType).includes(value)).withMessage('Invalid strategy type')
 ], validate, checkConfig, checkConfigComponent, async (req, res) => {
     try {
         const environment = req.environment;

diff --git a/tests/client-api.test.js b/tests/client-api.test.js
@@ -545,6 +545,46 @@ describe('Testing criteria [REST] ', () => {
         expect(req.body.result).toBe(false);
     });
 
+    test('CLIENT_SUITE - Should NOT return success on a entry-based CRITERIA response - Entry not an array', async () => {
+        await request(app)
+            .post(`/criteria?key=${keyConfig}&showReason=true&showStrategy=true`)
+            .set('Authorization', `Bearer ${token}`)
+            .send({
+                entry: {
+                    strategy: StrategiesType.VALUE,
+                    input: 'USER_1'
+                }})
+            .expect(422);
+    });
+
+    test('CLIENT_SUITE - Should NOT return success on a entry-based CRITERIA response - Invalid Strategy', async () => {
+        await request(app)
+            .post(`/criteria?key=${keyConfig}&showReason=true&showStrategy=true`)
+            .set('Authorization', `Bearer ${token}`)
+            .send({
+                entry: [
+                    {
+                        strategy: 'INVALID_STRATEGY',
+                        input: 'USER_1'
+                    }
+                ]})
+            .expect(422);
+    });
+
+    test('CLIENT_SUITE - Should NOT return success on a entry-based CRITERIA response - Missing key', async () => {
+        await request(app)
+            .post('/criteria?showReason=true&showStrategy=true')
+            .set('Authorization', `Bearer ${token}`)
+            .send({
+                entry: [
+                    {
+                        strategy: StrategiesType.VALUE,
+                        input: 'USER_1'
+                    }
+                ]})
+            .expect(422);
+    });
+
     test('CLIENT_SUITE - Should NOT return success on a entry-based CRITERIA response - Component not registered', async () => {
         // Given
         const component = new Component({