fix(tickets): security fix

polonel · May 14, 2022 · 36a542a · 36a542a
1 parent 87e231e
commit 36a542a
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 1 deletion.
diff --git a/src/controllers/tickets.js b/src/controllers/tickets.js
@@ -233,16 +233,22 @@ ticketsController.filter = function (req, res, next) {
 
   const rawNoPage = req.originalUrl.replace(/[?&]page=[^&#]*(#.*)?$/, '$1').replace(/([?&])page=[^&]*&/, '$1')
 
+  if (!_.isUndefined(status)) status = xss(status)
   if (!_.isUndefined(status) && !_.isArray(status)) status = [status]
+  if (!_.isUndefined(priority)) priority = xss(priority)
   if (!_.isUndefined(priority) && !_.isArray(priority)) priority = [priority]
+  if (!_.isUndefined(groups)) groups = xss(groups)
   if (!_.isUndefined(groups) && !_.isArray(groups)) groups = [groups]
+  if (!_.isUndefined(types)) types = xss(types)
   if (!_.isUndefined(types) && !_.isArray(types)) types = [types]
+  if (!_.isUndefined(tags)) tags = xss(tags)
   if (!_.isUndefined(tags) && !_.isArray(tags)) tags = [tags]
+  if (!_.isUndefined(assignee)) assignee = xss(assignee)
   if (!_.isUndefined(assignee) && !_.isArray(assignee)) assignee = [assignee]
 
   const filter = {
     uid: uid,
-    subject: subject,
+    subject: xss(subject),
     issue: issue,
     date: {
       start: dateStart,

diff --git a/src/helpers/utils/index.js b/src/helpers/utils/index.js
@@ -20,6 +20,10 @@ const piexifjs = require('piexifjs')
 const MAX_FIELD_TEXT_LENGTH = 255
 const MAX_SHORT_FIELD_TEXT_LENGTH = 25
 
+module.exports.applyMaxTextLength = function (text) {
+  return text.toString().substring(0, MAX_FIELD_TEXT_LENGTH)
+}
+
 module.exports.applyMaxShortTextLength = function (text) {
   return text.toString().substring(0, MAX_SHORT_FIELD_TEXT_LENGTH)
 }