fix: xss vulnerability patch for 4.3.1

Author: bartoszherba

.changeset/nervous-pets-sip.md

@@ -0,0 +1,5 @@
+---
+"@vue-storefront/middleware": patch
+---
+
+- **[FIXED]** Now parameters are properly sanitized and validated before being used in the middleware.

packages/middleware/__tests__/integration/createServer.spec.ts

@@ -13,38 +13,38 @@ describe("[Integration] Create server", () => {
           configuration: {
             myCfgEntry: true,
           },
-          errorHandler: (error: unknown, req: any, res: any) => {
+          errorHandler: (_error: unknown, _req: any, res: any) => {
             res.status(410); // awkward status code to test if it's working
             res.send("Custom error handler");
           },
           location: "./__tests__/integration/bootstrap/server",
-          extensions() {
-            return [
+          extensions: (extensions) =>
+            [
+              ...extensions,
               {
                 name: "my-extension",
                 extendApiMethods: {
-                  myFunc(context) {
+                  myFunc: (context) => {
                     return context.api.success();
                   },
-                  myFuncWithDependencyToOtherExtension(context) {
-                    return (context.api as any).myFunc();
+                  myFuncWithDependencyToOtherExtension: (context) => {
+                    return context.api.myFunc();
                   },
                 },
               },
               {
                 name: "my-namespaced-extension",
                 isNamespaced: true,
                 extendApiMethods: {
-                  myFunc(context) {
+                  myFunc: (context) => {
                     return context.api.error();
                   },
-                  myFuncNamespaced(context) {
+                  myFuncNamespaced: (context) => {
                     return context.api.success();
                   },
                 },
               },
-            ];
-          },
+            ] as any,
         },
       },
     });
@@ -132,7 +132,7 @@ describe("[Integration] Create server", () => {
           configuration: {
             myCfgEntry: true,
           },
-          errorHandler: (error: unknown, req: any, res: any) => {
+          errorHandler: (_error: unknown, _req: any, res: any) => {
             res.status(410); // awkward status code to test if it's working
             res.send("Custom error handler");
           },
@@ -208,4 +208,27 @@ describe("[Integration] Create server", () => {
     expect(status).toEqual(200);
     expect(response).toEqual(apiMethodResult);
   });
+
+  describe("prevent XSS attacks", () => {
+    test.each([
+      [
+        "/z--%3E%3C!--hi--%3E%3Cimg%20src=x%20onerror=alert('DOM--XSS')%3E%3C!--%3C%3C/success",
+        `"z--&gt;<img src>" integration is not configured. Please, check the request path or integration configuration.`,
+      ],
+      [
+        "/test_integration/z--%3E%3C!--hi--%3E%3Cimg%20src=x%20onerror=alert('DOM--XSS')%3E%3C!--%3C%3C",
+        `Failed to resolve apiClient or function: The function "z--&gt;<img src>" is not registered.`,
+      ],
+      [
+        "/test_integration/z--%3E%3C!--hi--%3E%3Cimg%20src=x%20onerror=alert('DOM--XSS')%3E%3C!--%3C%3C/success",
+        `Failed to resolve apiClient or function: Extension "z--&gt;<img src>" is not namespaced or the function "success" is not available in the namespace.`,
+      ],
+    ])("Use case: %s", async (maliciousUrl, expectedMessage) => {
+      const res = await request(app).get(maliciousUrl).send();
+      expect(res.error && res.error.text).not.toContain(
+        "z--><!--hi--><img src=x onerror=alert('DOM--XSS')><!--<<"
+      );
+      expect(res.error && res.error.text).toEqual(expectedMessage);
+    });
+  });
 });

packages/middleware/package.json

@@ -24,7 +24,8 @@
     "cookie-parser": "^1.4.6",
     "cors": "^2.8.5",
     "express": "^4.18.1",
-    "helmet": "^5.1.1"
+    "helmet": "^5.1.1",
+    "xss": "^1.0.15"
   },
   "devDependencies": {
     "@types/body-parser": "^1.19.2",

packages/middleware/src/createServer.ts

@@ -17,6 +17,7 @@ import {
   prepareErrorHandler,
   prepareArguments,
   callApiFunction,
+  validateParams,
 } from "./handlers";
 
 const defaultCorsOptions: CreateServerOptions["cors"] = {
@@ -65,13 +66,15 @@ async function createServer<
 
   app.post(
     "/:integrationName/:extensionName?/:functionName",
+    validateParams(integrations),
     prepareApiFunction(integrations),
     prepareErrorHandler(integrations),
     prepareArguments,
     callApiFunction
   );
   app.get(
     "/:integrationName/:extensionName?/:functionName",
+    validateParams(integrations),
     prepareApiFunction(integrations),
     prepareErrorHandler(integrations),
     prepareArguments,

packages/middleware/src/handlers/index.ts

@@ -2,3 +2,4 @@ export * from "./callApiFunction";
 export * from "./prepareApiFunction";
 export * from "./prepareErrorHandler";
 export * from "./prepareArguments";
+export * from "./validateParams";

packages/middleware/src/handlers/validateParams/index.ts

@@ -0,0 +1,25 @@
+import xss from "xss";
+import type { Request, Response, NextFunction } from "express";
+import { IntegrationsLoaded } from "../../types";
+
+export function validateParams(integrations: IntegrationsLoaded) {
+  return (req: Request, res: Response, next: NextFunction) => {
+    // Validate & sanitize the request params
+    Object.entries(req.params).forEach(([key, value]) => {
+      req.params[key] = typeof value === "string" ? xss(value) : value;
+    });
+
+    // Validate the integration
+    const { integrationName } = req.params;
+    if (!integrations || !integrations[integrationName]) {
+      res.status(404);
+      res.send(
+        `"${integrationName}" integration is not configured. Please, check the request path or integration configuration.`
+      );
+
+      return;
+    }
+
+    next();
+  };
+}

yarn.lock

@@ -7829,7 +7829,7 @@ commander@^10.0.0:
   resolved "https://registry.yarnpkg.com/commander/-/commander-10.0.1.tgz#881ee46b4f77d1c1dccc5823433aa39b022cbe06"
   integrity sha512-y4Mg2tXshplEbSGzx7amzPwKKOCGuoSRP/CjEdwwk0FOGlUbq6lKuoyDZTNZkmxHdJtp54hdfY/JUrdL7Xfdug==
 
-commander@^2.18.0, commander@^2.20.0:
+commander@^2.18.0, commander@^2.20.0, commander@^2.20.3:
   version "2.20.3"
   resolved "https://registry.yarnpkg.com/commander/-/commander-2.20.3.tgz#fd485e84c03eb4881c20722ba48035e8531aeb33"
   integrity sha512-GpVkmM8vF2vQUkj2LvZmD35JxeJOLCwJ9cUkugyk2nuhbv3+mJvpLYYt+0+USMxE+oj+ey/lJEnhZw75x/OMcQ==
@@ -8254,6 +8254,11 @@ cssesc@^3.0.0:
   resolved "https://registry.yarnpkg.com/cssesc/-/cssesc-3.0.0.tgz#37741919903b868565e1c09ea747445cd18983ee"
   integrity sha512-/Tb/JcjK111nNScGob5MNtsntNM1aCNUDipB/TkwZFhyDrrE47SOx/18wF2bbjgc3ZzCSKW1T5nt5EbFoAz/Vg==
 
+[email protected]:
+  version "0.0.10"
+  resolved "https://registrynpm.storefrontcloud.io/cssfilter/-/cssfilter-0.0.10.tgz#c6d2672632a2e5c83e013e6864a42ce8defd20ae"
+  integrity sha1-xtJnJjKi5cg+AT5oZKQs6N79IK4=
+
 cssnano-preset-default@^7.0.1:
   version "7.0.1"
   resolved "https://registry.yarnpkg.com/cssnano-preset-default/-/cssnano-preset-default-7.0.1.tgz#b05c93a29868dd7bd810fa8bbf89f482804da922"
@@ -18469,7 +18474,16 @@ string-length@^4.0.1:
     char-regex "^1.0.2"
     strip-ansi "^6.0.0"
 
-"string-width-cjs@npm:string-width@^4.2.0", "string-width@^1.0.2 || 2 || 3 || 4", string-width@^4.0.0, string-width@^4.1.0, string-width@^4.2.0, string-width@^4.2.3:
+"string-width-cjs@npm:string-width@^4.2.0":
+  version "4.2.3"
+  resolved "https://registry.yarnpkg.com/string-width/-/string-width-4.2.3.tgz#269c7117d27b05ad2e536830a8ec895ef9c6d010"
+  integrity sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==
+  dependencies:
+    emoji-regex "^8.0.0"
+    is-fullwidth-code-point "^3.0.0"
+    strip-ansi "^6.0.1"
+
+"string-width@^1.0.2 || 2 || 3 || 4", string-width@^4.0.0, string-width@^4.1.0, string-width@^4.2.0, string-width@^4.2.3:
   version "4.2.3"
   resolved "https://registry.yarnpkg.com/string-width/-/string-width-4.2.3.tgz#269c7117d27b05ad2e536830a8ec895ef9c6d010"
   integrity sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==
@@ -18592,7 +18606,7 @@ string_decoder@~1.1.1:
   dependencies:
     safe-buffer "~5.1.0"
 
-"strip-ansi-cjs@npm:strip-ansi@^6.0.1", strip-ansi@^6.0.0, strip-ansi@^6.0.1:
+"strip-ansi-cjs@npm:strip-ansi@^6.0.1":
   version "6.0.1"
   resolved "https://registry.yarnpkg.com/strip-ansi/-/strip-ansi-6.0.1.tgz#9e26c63d30f53443e9489495b2105d37b67a85d9"
   integrity sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==
@@ -18606,6 +18620,13 @@ strip-ansi@^3.0.0:
   dependencies:
     ansi-regex "^2.0.0"
 
+strip-ansi@^6.0.0, strip-ansi@^6.0.1:
+  version "6.0.1"
+  resolved "https://registry.yarnpkg.com/strip-ansi/-/strip-ansi-6.0.1.tgz#9e26c63d30f53443e9489495b2105d37b67a85d9"
+  integrity sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==
+  dependencies:
+    ansi-regex "^5.0.1"
+
 strip-ansi@^7.0.1:
   version "7.1.0"
   resolved "https://registry.yarnpkg.com/strip-ansi/-/strip-ansi-7.1.0.tgz#d5b6568ca689d8561370b0707685d22434faff45"
@@ -20657,7 +20678,7 @@ wordwrap@^1.0.0:
   resolved "https://registry.yarnpkg.com/wordwrap/-/wordwrap-1.0.0.tgz#27584810891456a4171c8d0226441ade90cbcaeb"
   integrity sha512-gvVzJFlPycKc5dZN4yPkP8w7Dc37BtP1yczEneOb4uq34pXZcvrtRTmWV8W+Ume+XCxKgbjM+nevkyFPMybd4Q==
 
-"wrap-ansi-cjs@npm:wrap-ansi@^7.0.0", wrap-ansi@^7.0.0:
+"wrap-ansi-cjs@npm:wrap-ansi@^7.0.0":
   version "7.0.0"
   resolved "https://registry.yarnpkg.com/wrap-ansi/-/wrap-ansi-7.0.0.tgz#67e145cff510a6a6984bdf1152911d69d2eb9e43"
   integrity sha512-YVGIj2kamLSTxw6NsZjoBxfSwsn0ycdesmc4p+Q21c5zPuZ1pl+NfxVdxPtdHvmNVOQ6XSYG4AUtyt/Fi7D16Q==
@@ -20675,6 +20696,15 @@ wrap-ansi@^6.0.1, wrap-ansi@^6.2.0:
     string-width "^4.1.0"
     strip-ansi "^6.0.0"
 
+wrap-ansi@^7.0.0:
+  version "7.0.0"
+  resolved "https://registry.yarnpkg.com/wrap-ansi/-/wrap-ansi-7.0.0.tgz#67e145cff510a6a6984bdf1152911d69d2eb9e43"
+  integrity sha512-YVGIj2kamLSTxw6NsZjoBxfSwsn0ycdesmc4p+Q21c5zPuZ1pl+NfxVdxPtdHvmNVOQ6XSYG4AUtyt/Fi7D16Q==
+  dependencies:
+    ansi-styles "^4.0.0"
+    string-width "^4.1.0"
+    strip-ansi "^6.0.0"
+
 wrap-ansi@^8.0.1, wrap-ansi@^8.1.0:
   version "8.1.0"
   resolved "https://registry.yarnpkg.com/wrap-ansi/-/wrap-ansi-8.1.0.tgz#56dc22368ee570face1b49819975d9b9a5ead214"
@@ -20798,6 +20828,14 @@ xmlchars@^2.2.0:
   resolved "https://registry.yarnpkg.com/xmlchars/-/xmlchars-2.2.0.tgz#060fe1bcb7f9c76fe2a17db86a9bc3ab894210cb"
   integrity sha512-JZnDKK8B0RCDw84FNdDAIpZK+JuJw+s7Lz8nksI7SIuU3UXJJslUthsi+uWBUYOwPFwW7W7PRLRfUKpxjtjFCw==
 
+xss@^1.0.15:
+  version "1.0.15"
+  resolved "https://registrynpm.storefrontcloud.io/xss/-/xss-1.0.15.tgz#96a0e13886f0661063028b410ed1b18670f4e59a"
+  integrity sha512-FVdlVVC67WOIPvfOwhoMETV72f6GbW7aOabBC3WxN/oUdoEMDyLz4OgRv5/gck2ZeNqEQu+Tb0kloovXOfpYVg==
+  dependencies:
+    commander "^2.20.3"
+    cssfilter "0.0.10"
+
 xtend@^4.0.0, xtend@~4.0.1:
   version "4.0.2"
   resolved "https://registry.yarnpkg.com/xtend/-/xtend-4.0.2.tgz#bb72779f5fa465186b1f438f674fa347fdb5db54"