fix: prevent HTML injection in the cockpit (#1381)

This commit is contained in:
André Medeiros 2019-03-05 14:14:58 -05:00 committed by GitHub
parent 41256cfb00
commit 78201ce9df
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 28 additions and 2 deletions

View File

@ -1,6 +1,7 @@
require('colors');
let fs = require('./fs.js');
const date = require('date-and-time');
const escapeHtml = require('../utils/escapeHtml');
const DATE_FORMAT = 'YYYY-MM-DD HH:mm:ss:SSS';
const LOG_REGEX = new RegExp(/\[(\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d:\d\d\d)\] (?:\[(\w*)\]:?)?\s?\s?(.*)/gmi);
@ -71,6 +72,7 @@ Logger.prototype.registerAPICall = function (plugins) {
'/embark-api/logs',
(ws, _req) => {
self.events.on("log", function (logLevel, logMsg) {
logMsg = escapeHtml(logMsg);
ws.send(JSON.stringify({msg: logMsg, msg_clear: logMsg.stripColors, logLevel: logLevel}), () => {});
});
}

View File

@ -1,6 +1,7 @@
/*globals __*/
const env = require("../../core/env");
const utils = require("../../utils/utils");
const escapeHtml = require("../../utils/escapeHtml");
import { Callback } from "embark";
const stringify = require("json-stringify-safe");
import { waterfall } from "async";
@ -102,8 +103,12 @@ class Console {
let response = result;
if (typeof result !== "string") {
response = stringify(result, utils.jsonFunctionReplacer, 2);
}
this.logger.info(response);
} else {
// Avoid HTML injection in the Cockpit
this.logger.info(response);
response = escapeHtml(response);
}
return res.send({ result: response });
});
});

View File

@ -1,4 +1,5 @@
const LogHandler = require('../../utils/logHandler');
const escapeHtml = require('../../utils/escapeHtml');
class ProcessLogsApi {
constructor({embark, processName, silent}) {
@ -18,6 +19,9 @@ class ProcessLogsApi {
apiRoute,
(ws, _req) => {
this.events.on('process-log-' + this.processName, function (log) {
log.msg = escapeHtml(log.msg);
log.msg_clear = escapeHtml(log.msg_clear);
ws.send(JSON.stringify(log), () => {});
});
}
@ -28,7 +32,10 @@ class ProcessLogsApi {
(req, res) => {
let limit = parseInt(req.query.limit, 10);
if (!Number.isInteger(limit)) limit = 0;
const result = this.logHandler.logs.slice(limit * -1);
const result = this.logHandler.logs
.slice(limit * -1)
.map(msg => escapeHtml(msg));
res.send(JSON.stringify(result));
}
);

View File

@ -0,0 +1,12 @@
function escapeHtml(message) {
if(typeof message !== "string") return message;
return message
.replace(/&/g, "&")
.replace(/</g, "&lt;")
.replace(/>/g, "&gt;")
.replace(/\"/g, "&quot;")
.replace(/\'/g, "&#39;");
}
module.exports = escapeHtml;