CMDCT-4228: Address Pen Test Findings (#12000)

Co-authored-by: Jon Holman <[email protected]>

services/app-api/utils/sanitize/sanitize.test.ts

@@ -12,47 +12,25 @@ const safeUndefined = undefined;
 
 const cleanString = "test";
 
-const dirtyImgString = '<img src="foo.png" onload="alert("Hello!")"/>';
-const cleanImgString = '<img src="foo.png">';
-
-const dirtyLinkString = "<UL><li><A HREF=//google.com>click</UL>";
+const dirtyLinkString = "<ul><li><a href=//google.com>click</ul>";
 const cleanLinkString = '<ul><li><a href="//google.com">click</a></li></ul>';
 
-const dirtyScriptString =
-  "<math><mi//xlink:href='data:x,<script>alert(4)</script>'>";
-const cleanScriptString = "<math><mi></mi></math>";
-
-const dirtySvgString = "<svg><g/onload=alert(2)//<p>";
-const cleanSvgString = "<svg><g></g></svg>";
-
 // ARRAYS
 
-const dirtyStringArray = [
-  cleanString,
-  dirtyImgString,
-  dirtyLinkString,
-  dirtySvgString,
-  dirtyScriptString,
-];
-const cleanStringArray = [
-  cleanString,
-  cleanImgString,
-  cleanLinkString,
-  cleanSvgString,
-  cleanScriptString,
-];
+const dirtyStringArray = [cleanString, dirtyLinkString];
+const cleanStringArray = [cleanString, cleanLinkString];
 
 const dirtyNestedStringArray = [dirtyStringArray, dirtyStringArray];
 const cleanNestedStringArray = [cleanStringArray, cleanStringArray];
 
 // OBJECTS
 
 const dirtyObject = {
-  string: dirtyImgString,
+  string: dirtyLinkString,
   array: dirtyStringArray,
 };
 const cleanObject = {
-  string: cleanImgString,
+  string: cleanLinkString,
   array: cleanStringArray,
 };
 
@@ -61,10 +39,7 @@ const cleanObjectArray = [cleanObject, cleanObject];
 
 const dirtyComplexObject = {
   string1: cleanString,
-  string2: dirtyImgString,
-  string3: dirtyLinkString,
-  string4: dirtySvgString,
-  string5: dirtyScriptString,
+  string2: dirtyLinkString,
   array: dirtyStringArray,
   nestedStringArray: dirtyNestedStringArray,
   nestedObjectArray: dirtyObjectArray,
@@ -74,10 +49,7 @@ const dirtyComplexObject = {
 };
 const cleanComplexObject = {
   string1: cleanString,
-  string2: cleanImgString,
-  string3: cleanLinkString,
-  string4: cleanSvgString,
-  string5: cleanScriptString,
+  string2: cleanLinkString,
   array: cleanStringArray,
   nestedStringArray: cleanNestedStringArray,
   nestedObjectArray: cleanObjectArray,
@@ -93,10 +65,7 @@ describe("Test sanitizeString", () => {
   });
 
   test("Test sanitizeString cleans dirty strings", () => {
-    expect(sanitizeString(dirtyImgString)).toEqual(cleanImgString);
     expect(sanitizeString(dirtyLinkString)).toEqual(cleanLinkString);
-    expect(sanitizeString(dirtySvgString)).toEqual(cleanSvgString);
-    expect(sanitizeString(dirtyScriptString)).toEqual(cleanScriptString);
   });
 });
 

services/app-api/utils/sanitize/sanitize.ts

@@ -4,6 +4,22 @@ import { JSDOM } from "jsdom";
 const windowEmulator: any = new JSDOM("").window;
 const DOMPurify = createDOMPurify(windowEmulator);
 
+/*
+ * DOMPurify prevents all XSS attacks by default. With these settings, it also
+ * prevents "deception" attacks. If an attacker could put <div style="...">
+ * into the site's admin banner, they could make give the banner any appearance,
+ * overlaid anywhere on the page. For example, a fake "session expired" modal
+ * with a malicious link. Thus, this very strict DOMPurify config.
+ */
+DOMPurify.setConfig({
+  // Only these tags will be allowed through
+  ALLOWED_TAGS: ["ul", "ol", "li", "a", "#text"],
+  // On those tags, only these attributes are allowed
+  ALLOWED_ATTR: ["href", "alt"],
+  // If a tag is removed, so will all its child elements & text
+  KEEP_CONTENT: false,
+});
+
 // sanitize string
 export const sanitizeString = (string: string) => {
   if (DOMPurify.isSupported) {

services/ui-src/src/components/alerts/Alert.tsx

@@ -45,7 +45,7 @@ export const Alert = ({
                 : alertIcon
             }
             sx={sx.icon}
-            alt={status}
+            alt={status || "alert"}
           />
         )}
         <Box sx={sx.contentBox} className={!showIcon ? "no-icon" : ""}>