chore(security): fix issue where html was allowed in some input fields

polonel · Mar 31, 2022 · 4f48b3b · 4f48b3b
1 parent c5a9668
commit 4f48b3b
Show file tree

Hide file tree

Showing 12 changed files with 42 additions and 19 deletions.
diff --git a/src/helpers/utils/index.js b/src/helpers/utils/index.js
@@ -12,7 +12,17 @@
  *  Copyright (c) 2014-2019. All rights reserved.
  */
 
-var _ = require('lodash')
+const _ = require('lodash')
+const xss = require('xss')
+
+module.exports.sanitizeFieldPlainText = function (text) {
+  const t = xss(text, {
+    whileList: {},
+    stripIgnoreTag: true,
+    stripIgnoreTagBody: ['script']
+  })
+  return t
+}
 
 module.exports.sendToSelf = function (socket, method, data) {
   socket.emit(method, data)

diff --git a/src/models/attachment.js b/src/models/attachment.js
@@ -13,6 +13,7 @@
  */
 
 var mongoose = require('mongoose')
+var utils = require('../helpers/utils')
 
 var attachmentSchema = mongoose.Schema({
   owner: { type: mongoose.Schema.Types.ObjectId, ref: 'accounts' },
@@ -23,7 +24,7 @@ var attachmentSchema = mongoose.Schema({
 })
 
 attachmentSchema.pre('save', function (next) {
-  this.name = this.name.trim()
+  this.name = utils.sanitizeFieldPlainText(this.name.trim())
 
   return next()
 })

diff --git a/src/models/department.js b/src/models/department.js
@@ -15,6 +15,7 @@
 var _ = require('lodash')
 var async = require('async')
 var mongoose = require('mongoose')
+var utils = require('../helpers/utils')
 
 // Refs
 require('./group')
@@ -35,8 +36,8 @@ var departmentSchema = mongoose.Schema({
 departmentSchema.plugin(require('mongoose-autopopulate'))
 
 departmentSchema.pre('save', function (next) {
-  this.name = this.name.trim()
-  this.normalized = this.name.trim().toLowerCase()
+  this.name = utils.sanitizeFieldPlainText(this.name.trim())
+  this.normalized = utils.sanitizeFieldPlainText(this.name.trim().toLowerCase())
 
   return next()
 })

diff --git a/src/models/group.js b/src/models/group.js
@@ -14,6 +14,7 @@
 
 var _ = require('lodash')
 var mongoose = require('mongoose')
+var utils = require('../helpers/utils')
 
 var COLLECTION = 'groups'
 
@@ -44,7 +45,7 @@ var groupSchema = mongoose.Schema({
 groupSchema.plugin(require('mongoose-autopopulate'))
 
 groupSchema.pre('save', function (next) {
-  this.name = this.name.trim()
+  this.name = utils.sanitizeFieldPlainText(this.name.trim())
 
   next()
 })

diff --git a/src/models/notice.js b/src/models/notice.js
@@ -10,6 +10,7 @@
  */
 
 var mongoose = require('mongoose')
+var utils = require('../helpers/utils')
 
 var COLLECTION = 'notices'
 
@@ -41,7 +42,8 @@ var noticeSchema = mongoose.Schema({
 })
 
 noticeSchema.pre('save', function (next) {
-  this.name = this.name.trim()
+  this.name = utils.sanitizeFieldPlainText(this.name.trim())
+  this.message = utils.sanitizeFieldPlainText(this.message.trim())
 
   return next()
 })

diff --git a/src/models/role.js b/src/models/role.js
@@ -15,6 +15,7 @@
 var mongoose = require('mongoose')
 var mongooseLeanVirtuals = require('mongoose-lean-virtuals')
 var _ = require('lodash')
+var utils = require('../helpers/utils')
 
 var COLLECTION = 'roles'
 
@@ -51,8 +52,8 @@ roleSchema.virtual('isAgent').get(function () {
 roleSchema.plugin(mongooseLeanVirtuals)
 
 roleSchema.pre('save', function (next) {
-  this.name = this.name.trim()
-  this.normalized = this.name.toLowerCase().trim()
+  this.name = utils.sanitizeFieldPlainText(this.name.trim())
+  this.normalized = utils.sanitizeFieldPlainText(this.name.toLowerCase().trim())
 
   return next()
 })

diff --git a/src/models/tag.js b/src/models/tag.js
@@ -13,6 +13,7 @@
  */
 
 var mongoose = require('mongoose')
+var utils = require('../helpers/utils')
 
 var COLLECTION = 'tags'
 
@@ -31,8 +32,8 @@ var tagSchema = mongoose.Schema({
 })
 
 tagSchema.pre('save', function (next) {
-  this.name = this.name.trim()
-  this.normalized = this.name.toLowerCase().trim()
+  this.name = utils.sanitizeFieldPlainText(this.name.trim())
+  this.normalized = utils.sanitizeFieldPlainText(this.name.toLowerCase().trim())
 
   return next()
 })

diff --git a/src/models/team.js b/src/models/team.js
@@ -14,6 +14,7 @@
 
 var _ = require('lodash')
 var mongoose = require('mongoose')
+var utils = require('../helpers/utils')
 
 // Refs
 require('./user')
@@ -35,11 +36,11 @@ var teamSchema = mongoose.Schema({
 teamSchema.plugin(require('mongoose-autopopulate'))
 
 teamSchema.pre('validate', function () {
-  this.normalized = this.name.trim().toLowerCase()
+  this.normalized = utils.sanitizeFieldPlainText(this.name.trim().toLowerCase())
 })
 
 teamSchema.pre('save', function (next) {
-  this.name = this.name.trim()
+  this.name = utils.sanitizeFieldPlainText(this.name.trim())
 
   return next()
 })

diff --git a/src/models/ticket.js b/src/models/ticket.js
@@ -20,6 +20,7 @@ var moment = require('moment')
 var sanitizeHtml = require('sanitize-html')
 // var redisCache          = require('../cache/rediscache');
 var xss = require('xss')
+var utils = require('../helpers/utils')
 
 // Needed - For Population
 var groupSchema = require('./group')
@@ -120,7 +121,7 @@ var autoPopulate = function (next) {
 ticketSchema.pre('findOne', autoPopulate).pre('find', autoPopulate)
 
 ticketSchema.pre('save', function (next) {
-  this.subject = this.subject.trim()
+  this.subject = utils.sanitizeFieldPlainText(this.subject.trim())
   this.wasNew = this.isNew
 
   if (!_.isUndefined(this.uid) || this.uid) {

diff --git a/src/models/ticketpriority.js b/src/models/ticketpriority.js
@@ -16,6 +16,7 @@
 var mongoose = require('mongoose')
 var moment = require('moment')
 require('moment-duration-format')
+var utils = require('../helpers/utils')
 
 var COLLECTION = 'priorities'
 
@@ -36,7 +37,7 @@ var prioritySchema = mongoose.Schema(
 )
 
 prioritySchema.pre('save', function (next) {
-  this.name = this.name.trim()
+  this.name = utils.sanitizeFieldPlainText(this.name.trim())
 
   return next()
 })

diff --git a/src/models/tickettype.js b/src/models/tickettype.js
@@ -14,6 +14,7 @@
 
 var _ = require('lodash')
 var mongoose = require('mongoose')
+var utils = require('../helpers/utils')
 
 var COLLECTION = 'tickettypes'
 
@@ -43,7 +44,7 @@ ticketTypeSchema.pre('find', autoPopulatePriorities)
 ticketTypeSchema.pre('findOne', autoPopulatePriorities)
 
 ticketTypeSchema.pre('save', function (next) {
-  this.name = this.name.trim()
+  this.name = utils.sanitizeFieldPlainText(this.name.trim())
 
   return next()
 })

diff --git a/src/models/user.js b/src/models/user.js
@@ -18,6 +18,7 @@ var winston = require('winston')
 var bcrypt = require('bcrypt')
 var _ = require('lodash')
 var Chance = require('chance')
+const utils = require('../helpers/utils')
 
 // Required for linkage
 require('./role')
@@ -89,10 +90,11 @@ userSchema.pre('findOne', autoPopulateRole).pre('find', autoPopulateRole)
 userSchema.pre('save', function (next) {
   var user = this
 
-  user.username = user.username.toLowerCase().trim()
-  user.email = user.email.trim()
-  if (user.fullname) user.fullname = user.fullname.trim()
-  if (user.title) user.title = user.title.trim()
+  user.username = utils.sanitizeFieldPlainText(user.username.toLowerCase().trim())
+  user.email = utils.sanitizeFieldPlainText(user.email.trim())
+
+  if (user.fullname) user.fullname = utils.sanitizeFieldPlainText(user.fullname.trim())
+  if (user.title) user.title = utils.sanitizeFieldPlainText(user.title.trim())
 
   if (!user.isModified('password')) {
     return next()