mirror of https://github.com/embarklabs/embark.git
fix: prevent HTML injection in the cockpit (#1381)
This commit is contained in:
parent
41256cfb00
commit
78201ce9df
|
@ -1,6 +1,7 @@
|
|||
require('colors');
|
||||
let fs = require('./fs.js');
|
||||
const date = require('date-and-time');
|
||||
const escapeHtml = require('../utils/escapeHtml');
|
||||
|
||||
const DATE_FORMAT = 'YYYY-MM-DD HH:mm:ss:SSS';
|
||||
const LOG_REGEX = new RegExp(/\[(\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d:\d\d\d)\] (?:\[(\w*)\]:?)?\s?\s?(.*)/gmi);
|
||||
|
@ -71,6 +72,7 @@ Logger.prototype.registerAPICall = function (plugins) {
|
|||
'/embark-api/logs',
|
||||
(ws, _req) => {
|
||||
self.events.on("log", function (logLevel, logMsg) {
|
||||
logMsg = escapeHtml(logMsg);
|
||||
ws.send(JSON.stringify({msg: logMsg, msg_clear: logMsg.stripColors, logLevel: logLevel}), () => {});
|
||||
});
|
||||
}
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
/*globals __*/
|
||||
const env = require("../../core/env");
|
||||
const utils = require("../../utils/utils");
|
||||
const escapeHtml = require("../../utils/escapeHtml");
|
||||
import { Callback } from "embark";
|
||||
const stringify = require("json-stringify-safe");
|
||||
import { waterfall } from "async";
|
||||
|
@ -102,8 +103,12 @@ class Console {
|
|||
let response = result;
|
||||
if (typeof result !== "string") {
|
||||
response = stringify(result, utils.jsonFunctionReplacer, 2);
|
||||
}
|
||||
this.logger.info(response);
|
||||
} else {
|
||||
// Avoid HTML injection in the Cockpit
|
||||
this.logger.info(response);
|
||||
response = escapeHtml(response);
|
||||
}
|
||||
return res.send({ result: response });
|
||||
});
|
||||
});
|
||||
|
|
|
@ -1,4 +1,5 @@
|
|||
const LogHandler = require('../../utils/logHandler');
|
||||
const escapeHtml = require('../../utils/escapeHtml');
|
||||
|
||||
class ProcessLogsApi {
|
||||
constructor({embark, processName, silent}) {
|
||||
|
@ -18,6 +19,9 @@ class ProcessLogsApi {
|
|||
apiRoute,
|
||||
(ws, _req) => {
|
||||
this.events.on('process-log-' + this.processName, function (log) {
|
||||
log.msg = escapeHtml(log.msg);
|
||||
log.msg_clear = escapeHtml(log.msg_clear);
|
||||
|
||||
ws.send(JSON.stringify(log), () => {});
|
||||
});
|
||||
}
|
||||
|
@ -28,7 +32,10 @@ class ProcessLogsApi {
|
|||
(req, res) => {
|
||||
let limit = parseInt(req.query.limit, 10);
|
||||
if (!Number.isInteger(limit)) limit = 0;
|
||||
const result = this.logHandler.logs.slice(limit * -1);
|
||||
const result = this.logHandler.logs
|
||||
.slice(limit * -1)
|
||||
.map(msg => escapeHtml(msg));
|
||||
|
||||
res.send(JSON.stringify(result));
|
||||
}
|
||||
);
|
||||
|
|
|
@ -0,0 +1,12 @@
|
|||
function escapeHtml(message) {
|
||||
if(typeof message !== "string") return message;
|
||||
|
||||
return message
|
||||
.replace(/&/g, "&")
|
||||
.replace(/</g, "<")
|
||||
.replace(/>/g, ">")
|
||||
.replace(/\"/g, """)
|
||||
.replace(/\'/g, "'");
|
||||
}
|
||||
|
||||
module.exports = escapeHtml;
|
Loading…
Reference in New Issue