fixing vulns for ent client

2024-10-07 16:44:28 +01:00 · 2024-10-07 16:44:28 +01:00 · af2071c60c
parent db25511948
commit af2071c60c
5 changed files with 54 additions and 2 deletions
--- a/hosting/proxy/nginx.prod.conf
+++ b/hosting/proxy/nginx.prod.conf
@ -51,7 +51,7 @@ http {
    proxy_buffering off;

    set $csp_default "default-src 'self'";
-    set $csp_script "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.budibase.net https://cdn.budi.live https://js.intercomcdn.com https://widget.intercom.io https://d2l5prqdbvm3op.cloudfront.net https://us-assets.i.posthog.com";
+    set $csp_script "script-src 'self' 'nonce-builderPreview' unsafe-eval' https://*.budibase.net https://cdn.budi.live https://js.intercomcdn.com https://widget.intercom.io https://d2l5prqdbvm3op.cloudfront.net https://us-assets.i.posthog.com";
    set $csp_style "style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net https://fonts.googleapis.com https://rsms.me https://maxcdn.bootstrapcdn.com";
    set $csp_object "object-src 'none'";
    set $csp_base_uri "base-uri 'self'";
--- a/packages/server/src/api/controllers/static/templates/preview.hbs
+++ b/packages/server/src/api/controllers/static/templates/preview.hbs
@ -31,7 +31,7 @@
    }
  </style>
  <script src='{{ clientLibPath }}'></script>
-  <script>
+  <script nonce="builderPreview">
    function receiveMessage(event) {
      if (!event.data) {
        return
--- a/packages/server/src/environment.ts
+++ b/packages/server/src/environment.ts
@ -83,6 +83,7 @@ const environment = {
  PLUGINS_DIR: process.env.PLUGINS_DIR || DEFAULTS.PLUGINS_DIR,
  MAX_IMPORT_SIZE_MB: process.env.MAX_IMPORT_SIZE_MB,
  SESSION_EXPIRY_SECONDS: process.env.SESSION_EXPIRY_SECONDS,
+  XSS_SAFE_MODE: process.env.XSS_SAFE_MODE,
  // SQL
  SQL_MAX_ROWS: process.env.SQL_MAX_ROWS,
  SQL_LOGGING_ENABLE: process.env.SQL_LOGGING_ENABLE,
--- a/packages/server/src/sdk/app/rows/tests/utils.spec.ts
+++ b/packages/server/src/sdk/app/rows/tests/utils.spec.ts
@ -8,6 +8,7 @@ import {
 import { generateTableID } from "../../../../db/utils"
 import { validate } from "../utils"
 import { generator } from "@budibase/backend-core/tests"
+import environment from "../../../../environment"

 describe("validate", () => {
  const hour = () => generator.hour().toString().padStart(2, "0")
@ -332,4 +333,44 @@ describe("validate", () => {
      })
    })
  })
+
+  describe("XSS Safe mode", () => {
+    const getTable = (): Table => ({
+      type: "table",
+      _id: generateTableID(),
+      name: "table",
+      sourceId: INTERNAL_TABLE_SOURCE_ID,
+      sourceType: TableSourceType.INTERNAL,
+      schema: {
+        text: {
+          name: "sometext",
+          type: FieldType.STRING,
+        },
+      },
+    })
+    it.each([
+      "SELECT * FROM users WHERE username = 'admin' --",
+      "SELECT * FROM users WHERE id = 1; DROP TABLE users;",
+      "1' OR '1' = '1",
+      "' OR 'a' = 'a",
+      "<script>alert('XSS');</script>",
+      "\"><img src=x onerror=alert(1)>",
+      "</script><script>alert('test')</script>",
+      "<div onmouseover=\"alert('XSS')\">Hover over me!</div>",
+      "'; EXEC sp_msforeachtable 'DROP TABLE ?'; --",
+      "{alert('Injected')}",
+      "UNION SELECT * FROM users",
+      "INSERT INTO users (username, password) VALUES ('admin', 'password')",
+      "/* This is a comment */ SELECT * FROM users",
+      "<iframe src=\"http://malicious-site.com\"></iframe>"
+    ])('test potentially unsafe input: %s', async input => {
+      environment.XSS_SAFE_MODE = true
+      const table = getTable()
+      const row = { text: input }
+      const output = await validate({ source: table, row })
+      expect(output.valid).toBe(false)
+      expect(output.errors).toBe(["Input not sanitised - potentially vulnerable to XSS"])
+      environment.XSS_SAFE_MODE = false
+    })
+  })
 })
--- a/packages/server/src/sdk/app/rows/utils.ts
+++ b/packages/server/src/sdk/app/rows/utils.ts
@ -22,6 +22,7 @@ import { extractViewInfoFromID, isRelationshipColumn } from "../../../db/utils"
 import { isSQL } from "../../../integrations/utils"
 import { docIds, sql } from "@budibase/backend-core"
 import { getTableFromSource } from "../../../api/controllers/row/utils"
+import env from "../../../environment"

 const SQL_CLIENT_SOURCE_MAP: Record<SourceName, SqlClient | undefined> = {
  [SourceName.POSTGRES]: SqlClient.POSTGRES,
@ -43,6 +44,8 @@ const SQL_CLIENT_SOURCE_MAP: Record<SourceName, SqlClient | undefined> = {
  [SourceName.BUDIBASE]: undefined,
 }

+const XSS_INPUT_REGEX =  /[<>;"'(){}]|--|\/\*|\*\/|union|select|insert|drop|delete|update|exec|script/i
+
 export function getSQLClient(datasource: Datasource): SqlClient {
  if (!isSQL(datasource)) {
    throw new Error("Cannot get SQL Client for non-SQL datasource")
@ -222,6 +225,13 @@ export async function validate({
    } else {
      res = validateJs.single(row[fieldName], constraints)
    }
+
+    if (env.XSS_SAFE_MODE && typeof row[fieldName] === "string") {
+      if (XSS_INPUT_REGEX.test(row[fieldName])) {
+        errors[fieldName] = ['Input not sanitised - potentially vulnerable to XSS']
+      }
+    }
+
    if (res) errors[fieldName] = res
  }
  return { valid: Object.keys(errors).length === 0, errors }