From 36a542abbbb74828338ce402d65653ac58db42e0 Mon Sep 17 00:00:00 2001
From: Chris Brame
Date: Sat, 14 May 2022 16:11:35 -0400
Subject: [PATCH] fix(tickets): security fix
---
 src/controllers/tickets.js | 8 +++++++-
 src/helpers/utils/index.js | 4 ++++
 2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/src/controllers/tickets.js b/src/controllers/tickets.js
index db1cdb6c8..c88f5c797 100644
--- a/src/controllers/tickets.js
+++ b/src/controllers/tickets.js
@@ -233,16 +233,22 @@ ticketsController.filter = function (req, res, next) {
 const rawNoPage = req.originalUrl.replace(/[?&]page=[^&#]*(#.*)?$/, '$1').replace(/([?&])page=[^&]*&/, '$1')
+ if (!_.isUndefined(status)) status = xss(status)
 if (!_.isUndefined(status) && !_.isArray(status)) status = [status]
+ if (!_.isUndefined(priority)) priority = xss(priority)
 if (!_.isUndefined(priority) && !_.isArray(priority)) priority = [priority]
+ if (!_.isUndefined(groups)) groups = xss(groups)
 if (!_.isUndefined(groups) && !_.isArray(groups)) groups = [groups]
+ if (!_.isUndefined(types)) types = xss(types)
 if (!_.isUndefined(types) && !_.isArray(types)) types = [types]
+ if (!_.isUndefined(tags)) tags = xss(tags)
 if (!_.isUndefined(tags) && !_.isArray(tags)) tags = [tags]
+ if (!_.isUndefined(assignee)) assignee = xss(assignee)
 if (!_.isUndefined(assignee) && !_.isArray(assignee)) assignee = [assignee]
 const filter = {
 uid: uid,
- subject: subject,
+ subject: xss(subject),
 issue: issue,
 date: {
 start: dateStart,
diff --git a/src/helpers/utils/index.js b/src/helpers/utils/index.js
index da0c6f4ee..adaab761f 100644
--- a/src/helpers/utils/index.js
+++ b/src/helpers/utils/index.js
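Review bot: The new `xss()` calls run before the array normalization on the lines that follow them, so when `status`, `priority`, `groups`, `types`, `tags` or `assignee` arrives as an array (a repeated query parameter) it is handed to `xss()` whole; if `xss` is js-xss, which coerces its input with `toString()`, the array collapses to one comma-joined string and the next line then wraps that string as a single-element array, silently breaking multi-value filters. Sanitizing per element after the shape is fixed, through one small helper used for all six parameters, avoids this and removes the duplicated pairs of lines. Note also that `xss()` HTML-encodes characters such as `&`, `<` and `>` rather than rejecting them, so `subject: xss(subject)` will no longer match stored subjects containing those characters if the filter drives a lookup; encoding on output and validating or allow-listing the filter values here would be the cleaner boundary, though the query code is outside this hunk. The body of `ticketsController.filter` starts and ends outside the hunk.
```javascript
  // Normalize a filter value to an array and sanitize each element.
  // undefined stays undefined so the existing "not set" checks are unaffected.
  const sanitizeFilterValues = (value) => {
    if (_.isUndefined(value)) return value
    const list = _.isArray(value) ? value : [value]
    return list.map((item) => xss(item))
  }

  status = sanitizeFilterValues(status)
  priority = sanitizeFilterValues(priority)
  groups = sanitizeFilterValues(groups)
  types = sanitizeFilterValues(types)
  tags = sanitizeFilterValues(tags)
  assignee = sanitizeFilterValues(assignee)

  // … unchanged: filter object construction …
```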
@@ -20,6 +20,10 @@ const piexifjs = require('piexifjs')
 const MAX_FIELD_TEXT_LENGTH = 255
 const MAX_SHORT_FIELD_TEXT_LENGTH = 25
+module.exports.applyMaxTextLength = function (text) {
+ return text.toString().substring(0, MAX_FIELD_TEXT_LENGTH)
+}
+
 module.exports.applyMaxShortTextLength = function (text) {
 return text.toString().substring(0, MAX_SHORT_FIELD_TEXT_LENGTH)
 }
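Review bot: `applyMaxTextLength` truncates by UTF-16 code unit with `substring`, so a value whose 255th and 256th units form a surrogate pair (an emoji, for example) is cut into a lone surrogate, which encoders downstream typically replace with U+FFFD or reject; `return Array.from(text.toString()).slice(0, MAX_FIELD_TEXT_LENGTH).join('')` truncates by code point and otherwise behaves the same (`null`/`undefined` still throw a TypeError from `toString()`, which callers should expect). The existing `applyMaxShortTextLength` directly below has the same characteristic and would benefit from the same form for consistency. The new export also has no doc comment; a line such as `/** Truncate text to at most MAX_FIELD_TEXT_LENGTH characters for storage in a text field. Throws TypeError when text is null or undefined. */` would state the contract.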