XSS safe mode to prevent unsanitised input

2024-10-07 16:47:49 +01:00 · 2024-10-07 16:47:49 +01:00 · ce61af1331
parent af2071c60c
commit ce61af1331
2 changed files with 11 additions and 6 deletions
--- a/packages/server/src/sdk/app/rows/tests/utils.spec.ts
+++ b/packages/server/src/sdk/app/rows/tests/utils.spec.ts
@ -354,7 +354,7 @@ describe("validate", () => {
      "1' OR '1' = '1",
      "' OR 'a' = 'a",
      "<script>alert('XSS');</script>",
-      "\"><img src=x onerror=alert(1)>",
+      '"><img src=x onerror=alert(1)>',
      "</script><script>alert('test')</script>",
      "<div onmouseover=\"alert('XSS')\">Hover over me!</div>",
      "'; EXEC sp_msforeachtable 'DROP TABLE ?'; --",
@ -362,14 +362,16 @@ describe("validate", () => {
      "UNION SELECT * FROM users",
      "INSERT INTO users (username, password) VALUES ('admin', 'password')",
      "/* This is a comment */ SELECT * FROM users",
-      "<iframe src=\"http://malicious-site.com\"></iframe>"
-    ])('test potentially unsafe input: %s', async input => {
+      '<iframe src="http://malicious-site.com"></iframe>',
+    ])("test potentially unsafe input: %s", async input => {
      environment.XSS_SAFE_MODE = true
      const table = getTable()
      const row = { text: input }
      const output = await validate({ source: table, row })
      expect(output.valid).toBe(false)
-      expect(output.errors).toBe(["Input not sanitised - potentially vulnerable to XSS"])
+      expect(output.errors).toBe([
+        "Input not sanitised - potentially vulnerable to XSS",
+      ])
      environment.XSS_SAFE_MODE = false
    })
  })
--- a/packages/server/src/sdk/app/rows/utils.ts
+++ b/packages/server/src/sdk/app/rows/utils.ts
@ -44,7 +44,8 @@ const SQL_CLIENT_SOURCE_MAP: Record<SourceName, SqlClient | undefined> = {
  [SourceName.BUDIBASE]: undefined,
 }

-const XSS_INPUT_REGEX =  /[<>;"'(){}]|--|\/\*|\*\/|union|select|insert|drop|delete|update|exec|script/i
+const XSS_INPUT_REGEX =
+  /[<>;"'(){}]|--|\/\*|\*\/|union|select|insert|drop|delete|update|exec|script/i

 export function getSQLClient(datasource: Datasource): SqlClient {
  if (!isSQL(datasource)) {
@ -228,7 +229,9 @@ export async function validate({

    if (env.XSS_SAFE_MODE && typeof row[fieldName] === "string") {
      if (XSS_INPUT_REGEX.test(row[fieldName])) {
-        errors[fieldName] = ['Input not sanitised - potentially vulnerable to XSS']
+        errors[fieldName] = [
+          "Input not sanitised - potentially vulnerable to XSS",
+        ]
      }
    }