fix: Mustache.escape fix #85
@@ -113,10 +113,10 @@ | |||
if (event.eventTypeId == EVENT_TYPE.ScoopNotification){ | |||
const date = moment(event.eventTime); | |||
event.payload.scoopNotificationConfig.data.interceptedAt = date.unix(); | |||
jsons = Mustache.render(Mustache.escape(template), event.payload.scoopNotificationConfig.data); | |||
jsons = Mustache.render(template, event.payload.scoopNotificationConfig.data); |
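Review bot: Removing `Mustache.escape(template)` in the ScoopNotification branch is right for rendering, but the PR should say why. `Mustache.escape` is mustache.js's HTML entity escaper, so applying it to the template source rewrote every `<`, `>`, `"`, `'`, `&`, `/`, `` ` `` and `=` in the template into entities before parsing, which corrupts any template carrying markup or JSON quoting, while leaving `{{ }}` tags untouched, so it never neutralised an untrusted template either. With it gone, `template` flows straight into `Mustache.render`, which is the code injection finding CodeQL reports below. State in the description where `template` comes from: if it is notification configuration written by an administrator, that provenance is the justification for dismissing the alert; if it can be end-user input, the fix is to constrain the template's origin, not to escape its text.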
Check failure: Code scanning / CodeQL: Code injection (Critical), user-provided value
Copilot Autofix AI, 4 months ago
To fix the problem, we need to ensure that the template used in Mustache.render is sanitized and validated before rendering. This can be achieved by:
- Validating the template to ensure it does not contain any malicious code.
- Using a safe method to pass user input into the template rendering process.
The best way to fix this without changing existing functionality is to use context-specific escaping and validation for the template before rendering it with Mustache.
@@ -115,6 +115,6 @@ | ||
event.payload.scoopNotificationConfig.data.interceptedAt = date.unix(); | ||
jsons = Mustache.render(template, event.payload.scoopNotificationConfig.data); | ||
jsons = Mustache.render(this.sanitizeTemplate(template), event.payload.scoopNotificationConfig.data); | ||
}else { | ||
let parsedEvent = this.mh.parseEventForWebhook(event as Event); | ||
jsons = Mustache.render(template, parsedEvent); | ||
jsons = Mustache.render(this.sanitizeTemplate(template), parsedEvent); | ||
} | ||
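Review bot: `this.sanitizeTemplate(template)` filters the template source, not the interpolated values, so it sits at the wrong layer for the CodeQL finding: the alert is about who controls `template`, and no string filter turns an attacker-controlled template into a trusted one, because Mustache tags are what make a template dangerous, not `<script>` markup. For a template whose output is assigned to `jsons` and built from `parseEventForWebhook`, markup filtering is also the wrong output context. Rather than merging this, record the template's provenance and constrain it there.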
@@ -136,2 +136,9 @@ | ||
|
||
private sanitizeTemplate(template: string): string { | ||
// Implement template sanitization logic here | ||
// For example, remove any potentially dangerous code or characters | ||
// This is a placeholder implementation | ||
return template.replace(/<script.*?>.*?<\/script>/gi, ''); | ||
} | ||
|
||
private saveNotificationEventSuccessLog(result: any, event: Event, p: any, setting: NotificationSettings) { |
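Review bot: The helper's own comments call `template.replace(/<script.*?>.*?<\/script>/gi, '')` a placeholder, and it behaves like one: without the `s` flag `.` does not cross newlines, so any script element spanning lines is left intact, and nothing in the method touches Mustache syntax at all. A method named `sanitizeTemplate` that does this invites future readers to rely on it. Drop it, or give it a defined job, for example running `Mustache.parse(template)` and rejecting templates whose tag names fall outside the fields the notification payload actually exposes.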
}else { | ||
let parsedEvent = this.mh.parseEventForWebhook(event as Event); | ||
jsons = Mustache.render(Mustache.escape(template), parsedEvent); | ||
jsons = Mustache.render(template, parsedEvent); |
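Review bot: Same change in the `else` branch. One point that applies to both branches once `Mustache.escape` is gone: `Mustache.render` still HTML-escapes every `{{var}}` interpolation by default, while the result is assigned to `jsons` and built from `parseEventForWebhook`, i.e. it looks like a JSON webhook body. In that context a value containing `"` or `&` reaches the receiver as `&quot;`/`&amp;`, so the data is silently altered even though the document still parses. If `jsons` is JSON, consider overriding `Mustache.escape` with a JSON-string escaper (`(s) => JSON.stringify(s).slice(1, -1)`) at module load, or using `{{{var}}}` with values escaped for JSON beforehand, and add a `JSON.parse` check on the rendered output in tests.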
Check failure: Code scanning / CodeQL: Code injection (Critical), user-provided value
Copilot Autofix AI, 4 months ago
To fix the problem, we need to ensure that the template used in Mustache.render is sanitized and validated before rendering. This can be achieved by escaping any potentially dangerous characters in the user-provided input. Additionally, we should validate the structure of the template to ensure it conforms to expected patterns.
- Sanitize the template: Use a library like DOMPurify to sanitize the template string.
- Validate the template: Ensure the template conforms to expected patterns and does not contain any unexpected or dangerous content.
@@ -20,2 +20,3 @@ | ||
import Mustache from 'mustache'; | ||
import DOMPurify from 'dompurify'; | ||
import { EventLogBuilder } from "../../common/eventLogBuilder"; | ||
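Review bot: `import DOMPurify from 'dompurify'` needs a DOM to do anything. In Node the documented usage is to build an instance from a jsdom window (`DOMPurify(new JSDOM('').window)`); without a window, `DOMPurify.isSupported` is false and `sanitize` returns its input unchanged, so in this server-side service (see `typeorm` and `winston` in package.json) the suggested call would be a silent no-op. The hunk adds neither jsdom nor that setup.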
@@ -115,6 +116,8 @@ | ||
event.payload.scoopNotificationConfig.data.interceptedAt = date.unix(); | ||
jsons = Mustache.render(template, event.payload.scoopNotificationConfig.data); | ||
const sanitizedTemplate = DOMPurify.sanitize(template); | ||
jsons = Mustache.render(sanitizedTemplate, event.payload.scoopNotificationConfig.data); | ||
}else { | ||
let parsedEvent = this.mh.parseEventForWebhook(event as Event); | ||
jsons = Mustache.render(template, parsedEvent); | ||
const sanitizedTemplate = DOMPurify.sanitize(template); | ||
jsons = Mustache.render(sanitizedTemplate, parsedEvent); | ||
} |
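Review bot: Even with a working DOMPurify instance, this applies an HTML sanitizer to a Mustache template whose output is assigned to `jsons` and built from `parseEventForWebhook`, so the sink is a webhook body, not a browser DOM. DOMPurify parses the string as HTML and re-serialises it, which is free to rewrite the template text (a bare `&` becomes `&amp;`, a stray `<` becomes `&lt;`) while `{{ }}` tags pass through untouched; that is the same class of template corruption the PR is removing `Mustache.escape` to fix, and it does nothing about the finding's actual concern, the provenance of `template`. Also, `const sanitizedTemplate` is declared separately in both branches; if any sanitisation is kept, hoist it above the `if`.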
@@ -41,3 +41,4 @@ | ||
"typeorm": "0.3.17", | ||
"winston": "^3.2.1" | ||
"winston": "^3.2.1", | ||
"dompurify": "^3.1.7" | ||
}, |
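Review bot: Adding `"dompurify": "^3.1.7"` on its own does not make the suggested import work in this Node project: dompurify requires a DOM, so `jsdom` would have to be added as well, and that pulls a full HTML implementation into a notification service in order to sanitize a template string that is not HTML. The dependency table shows no advisories for 3.1.7, but a new dependency that adds no effective control is pure attack surface. Prefer leaving package.json unchanged.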
Package | Version | Security advisories
dompurify (npm) | 3.1.7 | None
No description provided.
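The escaping question at the centre of this PR, shown with an added example that is not code from the PR, the project or Copilot. It uses a minimal Mustache-style renderer written here as a stand-in for mustache.js (not the library itself), reimplementing the entity map behind `Mustache.escape`. It shows that escaping the template source, as the removed line did, leaves `{{ }}` tags intact while mangling the template's own quoting; that default HTML escaping of values is right for an HTML destination; and that for a JSON webhook body a JSON-context escaper keeps the payload parseable and the values intact. `WEBHOOK_TEMPLATE` and `VIEW` are constructed sample data, and `escapeJson` is a hypothetical escaper chosen for the illustration.

```typescript
// Added example (not code from the PR, the project or Copilot): a minimal
// Mustache-style renderer used to show which layer escaping belongs to.
// The entity map below is the one mustache.js uses for Mustache.escape.
const ENTITY_MAP: Record<string, string> = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;',
  "'": '&#39;', '/': '&#x2F;', '`': '&#x60;', '=': '&#x3D;',
};

// Stand-in for Mustache.escape: HTML entity escaping of a string.
function escapeHtml(s: string): string {
  return s.replace(/[&<>"'`=\/]/g, (ch: string) => ENTITY_MAP[ch] ?? ch);
}

// Hypothetical escaper for a JSON string context: backslash-escapes quotes,
// backslashes and control characters, leaves HTML-significant characters alone.
function escapeJson(s: string): string {
  return JSON.stringify(s).slice(1, -1);
}

// Resolve a dotted key such as "data.title" against the view object.
function lookup(view: unknown, key: string): unknown {
  return key.split('.').reduce<unknown>(
    (cur, part) => (cur !== null && typeof cur === 'object')
      ? (cur as Record<string, unknown>)[part]
      : undefined,
    view,
  );
}

// Tiny renderer: {{name}} interpolates through `escape`, {{{name}}} interpolates raw.
// Sections, partials and comments are out of scope for this illustration.
function render(
  template: string,
  view: Record<string, unknown>,
  escape: (s: string) => string = escapeHtml,
): string {
  const tag = /\{\{\{\s*([\w.]+)\s*\}\}\}|\{\{\s*([\w.]+)\s*\}\}/g;
  return template.replace(tag, (_m: string, raw?: string, esc?: string) => {
    const value = lookup(view, (raw ?? esc) as string);
    const text = value === undefined || value === null ? '' : String(value);
    return raw !== undefined ? text : escape(text);
  });
}

// Constructed sample: a webhook body template of the kind the PR's `jsons`
// variable suggests, and a view whose values carry quotes, angle brackets and '&'.
const WEBHOOK_TEMPLATE = '{"title": "{{title}}", "link": "{{link}}"}';
const VIEW: Record<string, unknown> = {
  title: 'Deploy "prod" <done>',
  link: 'https://example.invalid/a?b=1&c=2',
};

// 1. Escaping the template source, as Mustache.escape(template) did: the {{ }}
//    tags survive untouched, so nothing about the template was neutralised, but
//    its JSON quoting is now entities and the rendered result is not JSON.
function escapedTemplateKeepsTags(): boolean {
  const mangled = escapeHtml(WEBHOOK_TEMPLATE);
  return mangled.includes('{{title}}') && mangled.includes('&quot;');
}
function escapedTemplateRendersToJson(): boolean {
  try { JSON.parse(render(escapeHtml(WEBHOOK_TEMPLATE), VIEW)); return true; } catch { return false; }
}

// 2. Default HTML escaping of values is the right behaviour for an HTML destination.
function htmlContextOutput(): string {
  return render('<b>{{title}}</b>', VIEW);
}

// 3. For a JSON destination it is the wrong context: the body still parses,
//    but the receiver gets &quot; and &amp; instead of the original characters.
function htmlEscapeAltersJsonValue(): boolean {
  const parsed = JSON.parse(render(WEBHOOK_TEMPLATE, VIEW)) as { title: string };
  return parsed.title !== (VIEW.title as string);
}

// 4. A JSON-context escaper applied to values at render time keeps the body
//    parseable and the values intact.
function jsonContextRoundTrips(): boolean {
  const body = render(WEBHOOK_TEMPLATE, VIEW, escapeJson);
  const parsed = JSON.parse(body) as { title: string; link: string };
  return parsed.title === VIEW.title && parsed.link === VIEW.link;
}
```

The design point is that the escaper belongs at the interpolation step and must match the output context: running it over the template source corrupts the template without removing any tag, and running an HTML escaper into a JSON body corrupts the data while still producing something that parses.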