fix: prevent HTML injection in the cockpit (#1381)

2019-03-05 14:14:58 -05:00 · 2019-03-05 14:14:58 -05:00 · 78201ce9df
parent 41256cfb00
commit 78201ce9df
4 changed files with 28 additions and 2 deletions
--- a/packages/embark/src/lib/core/logger.js
+++ b/packages/embark/src/lib/core/logger.js
@ -1,6 +1,7 @@
 require('colors');
 let fs = require('./fs.js');
 const date = require('date-and-time');
+const escapeHtml = require('../utils/escapeHtml');

 const DATE_FORMAT = 'YYYY-MM-DD HH:mm:ss:SSS';
 const LOG_REGEX = new RegExp(/\[(\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d:\d\d\d)\] (?:\[(\w*)\]:?)?\s?\s?(.*)/gmi);
@ -71,6 +72,7 @@ Logger.prototype.registerAPICall = function (plugins) {
    '/embark-api/logs',
    (ws, _req) => {
      self.events.on("log", function (logLevel, logMsg) {
+        logMsg = escapeHtml(logMsg);
        ws.send(JSON.stringify({msg: logMsg, msg_clear: logMsg.stripColors, logLevel: logLevel}), () => {});
      });
    }
--- a/packages/embark/src/lib/modules/console/index.ts
+++ b/packages/embark/src/lib/modules/console/index.ts
@ -1,6 +1,7 @@
 /*globals __*/
 const env = require("../../core/env");
 const utils = require("../../utils/utils");
+const escapeHtml = require("../../utils/escapeHtml");
 import { Callback } from "embark";
 const stringify = require("json-stringify-safe");
 import { waterfall } from "async";
@ -102,8 +103,12 @@ class Console {
        let response = result;
        if (typeof result !== "string") {
          response = stringify(result, utils.jsonFunctionReplacer, 2);
+          this.logger.info(response);
+        } else {
+          // Avoid HTML injection in the Cockpit
+          this.logger.info(response);
+          response = escapeHtml(response);
        }
-        this.logger.info(response);
        return res.send({ result: response });
      });
    });
--- a/packages/embark/src/lib/modules/process_logs_api/index.js
+++ b/packages/embark/src/lib/modules/process_logs_api/index.js
@ -1,4 +1,5 @@
 const LogHandler = require('../../utils/logHandler');
+const escapeHtml = require('../../utils/escapeHtml');

 class ProcessLogsApi {
  constructor({embark, processName, silent}) {
@ -18,6 +19,9 @@ class ProcessLogsApi {
      apiRoute,
      (ws, _req) => {
        this.events.on('process-log-' + this.processName, function (log) {
+          log.msg = escapeHtml(log.msg);
+          log.msg_clear = escapeHtml(log.msg_clear);
+
          ws.send(JSON.stringify(log), () => {});
        });
      }
@ -28,7 +32,10 @@ class ProcessLogsApi {
      (req, res) => {
        let limit = parseInt(req.query.limit, 10);
        if (!Number.isInteger(limit)) limit = 0;
-        const result = this.logHandler.logs.slice(limit * -1);
+        const result = this.logHandler.logs
+          .slice(limit * -1)
+          .map(msg => escapeHtml(msg));
+
        res.send(JSON.stringify(result));
      }
    );
--- a/packages/embark/src/lib/utils/escapeHtml.js
+++ b/packages/embark/src/lib/utils/escapeHtml.js
@ -0,0 +1,12 @@
+function escapeHtml(message) {
+  if(typeof message !== "string") return message;
+
+  return message
+    .replace(/&/g, "&amp;")
+    .replace(/</g, "&lt;")
+    .replace(/>/g, "&gt;")
+    .replace(/\"/g, "&quot;")
+    .replace(/\'/g, "&#39;");
+}
+
+module.exports = escapeHtml;