Merge pull request #3620 from RedisInsight/fe/bugfix/RI-5936

vlad-dargel · web-flow · commit 6caf2bff8e03 · 2024-07-18T19:02:50.000+03:00
#RI-5936 - update sanitizer
diff --git a/redisinsight/ui/src/utils/formatters/markdown/remarkSanitize.ts b/redisinsight/ui/src/utils/formatters/markdown/remarkSanitize.ts
@@ -1,5 +1,9 @@
 import { visit } from 'unist-util-visit'
 
+const permittedAttibutes = [
+  'dangerouslySetInnerHTML'
+]
+
 const dangerousAttributes = [
   'onabort', 'onafterprint', 'onanimationend', 'onanimationiteration', 'onanimationstart',
   'onbeforeprint', 'onbeforeunload', 'onblur', 'oncancel', 'oncanplay', 'oncanplaythrough',
@@ -17,10 +21,27 @@ const dangerousAttributes = [
   'background', 'poster', 'cite', 'data', 'ping', 'xlink:href', 'style', 'srcdoc', 'sandbox'
 ].join('|')
 
+// Define an array of potentially dangerous tags
+const dangerousTags = ['script', 'iframe', 'object', 'embed', 'link', 'style', 'meta']
+
 export const remarkSanitize = (): (tree: Node) => void => (tree: any) => {
   visit(tree, 'html', (node) => {
-    const dangerousAttrRegex = new RegExp(`\\s*(${dangerousAttributes})="[^"]*"`, 'gi')
+    const inputTag = node.value.toLowerCase()
+
+    // remove dangerous tags
+    if (dangerousTags.some((tag) => inputTag.startsWith(`<${tag}`))) {
+      node.value = ''
+      return
+    }
+
+    // remove permitted attributes
+    if (permittedAttibutes.some((attr) => node.value.includes(`${attr}=`))) {
+      node.value = ''
+      return
+    }
 
+    // sanitize dangerous attributes
+    const dangerousAttrRegex = new RegExp(`\\s*(${dangerousAttributes})="[^"]*"`, 'gi')
     if (node.value.match(dangerousAttrRegex)) {
       node.value = node.value.replace(dangerousAttrRegex, (match: string) => {
         const attr = match.toLowerCase().trim()
diff --git a/redisinsight/ui/src/utils/tests/formatters/markdown/remarkSanitize.spec.ts b/redisinsight/ui/src/utils/tests/formatters/markdown/remarkSanitize.spec.ts
@@ -10,6 +10,8 @@ const testCases = [
   { input: '<img onload="alert(1)">', output: '<img>' },
   { input: '<img src="javascript:alert(1)">', output: '<img>' },
   { input: '<img src="img.png">', output: '<img src="img.png">' },
+  { input: '<div dangerouslySetInnerHTML={{"__html": "<img src=x onerror=alert(\'this.still.works\')>"}} />', output: '' },
+  { input: '<script>', output: '' },
 ]
 
 describe('remarkSanitize', () => {

Original file line number	Diff line number	Diff line change
`@@ -10,6 +10,8 @@ const testCases = [`
`10`	`10`	`{ input: '<img onload="alert(1)">', output: '<img>' },`
`11`	`11`	`{ input: '<img src="javascript:alert(1)">', output: '<img>' },`
`12`	`12`	`{ input: '<img src="img.png">', output: '<img src="img.png">' },`
	`13`	`+ { input: '<div dangerouslySetInnerHTML={{"__html": "<img src=x onerror=alert(\'this.still.works\')>"}} />', output: '' },`
	`14`	`+ { input: '<script>', output: '' },`
`13`	`15`	`]`
`14`	`16`
`15`	`17`	`describe('remarkSanitize', () => {`