From 4f48b3bb86ba66a0085803591065bb6437e864ec Mon Sep 17 00:00:00 2001
From: Chris Brame
Date: Thu, 31 Mar 2022 18:04:46 -0400
Subject: [PATCH] chore(security): fix issue where html was allowed in some input fields

---
 src/helpers/utils/index.js | 12 +++++++++++-
 src/models/attachment.js | 3 ++-
 src/models/department.js | 5 +++--
 src/models/group.js | 3 ++-
 src/models/notice.js | 4 +++-
 src/models/role.js | 5 +++--
 src/models/tag.js | 5 +++--
 src/models/team.js | 5 +++--
 src/models/ticket.js | 3 ++-
 src/models/ticketpriority.js | 3 ++-
 src/models/tickettype.js | 3 ++-
 src/models/user.js | 10 ++++++----
 12 files changed, 42 insertions(+), 19 deletions(-)

diff --git a/src/helpers/utils/index.js b/src/helpers/utils/index.js
index 1c7231257..7fdd33468 100644
--- a/src/helpers/utils/index.js
+++ b/src/helpers/utils/index.js
@@ -12,7 +12,17 @@
  * Copyright (c) 2014-2019. All rights reserved.
  */
 
-var _ = require('lodash')
+const _ = require('lodash')
+const xss = require('xss')
+
+module.exports.sanitizeFieldPlainText = function (text) {
+  const t = xss(text, {
+    whileList: {},
+    stripIgnoreTag: true,
+    stripIgnoreTagBody: ['script']
+  })
+  return t
+}
 
 module.exports.sendToSelf = function (socket, method, data) {
   socket.emit(method, data)
diff --git a/src/models/attachment.js b/src/models/attachment.js
index bf0810394..cd30bca42 100644
--- a/src/models/attachment.js
+++ b/src/models/attachment.js
@@ -13,6 +13,7 @@
  */
 
 var mongoose = require('mongoose')
+var utils = require('../helpers/utils')
 
 var attachmentSchema = mongoose.Schema({
   owner: { type: mongoose.Schema.Types.ObjectId, ref: 'accounts' },
@@ -23,7 +24,7 @@ var attachmentSchema = mongoose.Schema({
 })
 
 attachmentSchema.pre('save', function (next) {
-  this.name = this.name.trim()
+  this.name = utils.sanitizeFieldPlainText(this.name.trim())
   return next()
 })
 
diff --git a/src/models/department.js b/src/models/department.js
index f7d0118b8..1424208bf 100644
--- a/src/models/department.js
+++ b/src/models/department.js
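Review bot: The option key on the `whileList: {},` line is a typo — js-xss reads `whiteList`, so the misspelled key is ignored, the library's default whitelist stays in force, and tags such as `<a>`, `<b>` or `<img>` still survive a call to a function named sanitizeFieldPlainText; the fix is the one line `whiteList: {},`. Once the key is right, `stripIgnoreTag: true` removes every remaining tag and `stripIgnoreTagBody: ['script']` drops script bodies, which is the plain-text behaviour the name promises. js-xss also entity-encodes the `<` and `>` it keeps by default, so values stored through this helper are HTML-escaped at rest; a JSDoc such as `/** Strips all HTML from a free-text field; surviving angle brackets are entity-encoded, so render without a second escape. */` would tell callers that. The `const t` temporary adds nothing — return the `xss(text, {...})` call directly.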
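Review bot: The sanitizer is attached only to the `pre('save')` hook, and Mongoose does not run save middleware for `updateOne`, `findOneAndUpdate` or `Model.update`, so any route that writes `name` through a query-level update (not visible here) would still persist raw HTML. The same limitation applies to the department, group, notice, role, tag, team, ticket, ticketpriority, tickettype and user hunks. If such update paths exist, either route them through `doc.save()` or register matching `pre('findOneAndUpdate')`/`pre('updateOne')` hooks that sanitize the fields in `this.getUpdate()`. A comment above the hook, `// save middleware only: query-level updates bypass this sanitizer`, would keep the limitation visible.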
@@ -15,6 +15,7 @@
 var _ = require('lodash')
 var async = require('async')
 var mongoose = require('mongoose')
+var utils = require('../helpers/utils')
 
 // Refs
 require('./group')
@@ -35,8 +36,8 @@ var departmentSchema = mongoose.Schema({
 departmentSchema.plugin(require('mongoose-autopopulate'))
 
 departmentSchema.pre('save', function (next) {
-  this.name = this.name.trim()
-  this.normalized = this.name.trim().toLowerCase()
+  this.name = utils.sanitizeFieldPlainText(this.name.trim())
+  this.normalized = utils.sanitizeFieldPlainText(this.name.trim().toLowerCase())
   return next()
 })
 
diff --git a/src/models/group.js b/src/models/group.js
index 53414b822..8207b1371 100644
--- a/src/models/group.js
+++ b/src/models/group.js
@@ -14,6 +14,7 @@
 
 var _ = require('lodash')
 var mongoose = require('mongoose')
+var utils = require('../helpers/utils')
 
 var COLLECTION = 'groups'
 
@@ -44,7 +45,7 @@ var groupSchema = mongoose.Schema({
 groupSchema.plugin(require('mongoose-autopopulate'))
 
 groupSchema.pre('save', function (next) {
-  this.name = this.name.trim()
+  this.name = utils.sanitizeFieldPlainText(this.name.trim())
   next()
 })
 
diff --git a/src/models/notice.js b/src/models/notice.js
index 3fb011f6f..590fb361e 100644
--- a/src/models/notice.js
+++ b/src/models/notice.js
@@ -10,6 +10,7 @@
  */
 
 var mongoose = require('mongoose')
+var utils = require('../helpers/utils')
 
 var COLLECTION = 'notices'
 
@@ -41,7 +42,8 @@ var noticeSchema = mongoose.Schema({
 })
 
 noticeSchema.pre('save', function (next) {
-  this.name = this.name.trim()
+  this.name = utils.sanitizeFieldPlainText(this.name.trim())
+  this.message = utils.sanitizeFieldPlainText(this.message.trim())
   return next()
 })
 
diff --git a/src/models/role.js b/src/models/role.js
index e14c9d15d..5db238167 100644
--- a/src/models/role.js
+++ b/src/models/role.js
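Review bot: In the notice.js hunk, `this.message.trim()` runs unconditionally, so if `message` is optional in the schema (not visible here) saving a notice without one now throws a TypeError from the hook where before the patch it saved normally; mirror the guarded form this patch uses for `fullname`/`title` in user.js, `if (this.message) this.message = utils.sanitizeFieldPlainText(this.message.trim())`. In the department.js hunk, `this.normalized` is derived from `this.name` immediately after that field was assigned the sanitized value, so the second sanitizeFieldPlainText call (and the second `trim()`) is redundant and `this.normalized = this.name.toLowerCase()` states the intent more plainly; the role.js and tag.js hunks have the same shape. That simplification assumes the helper's output is stable under a second pass, which is worth confirming with a unit test before removing the call.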
@@ -15,6 +15,7 @@
 var mongoose = require('mongoose')
 var mongooseLeanVirtuals = require('mongoose-lean-virtuals')
 var _ = require('lodash')
+var utils = require('../helpers/utils')
 
 var COLLECTION = 'roles'
 
@@ -51,8 +52,8 @@ roleSchema.virtual('isAgent').get(function () {
 roleSchema.plugin(mongooseLeanVirtuals)
 
 roleSchema.pre('save', function (next) {
-  this.name = this.name.trim()
-  this.normalized = this.name.toLowerCase().trim()
+  this.name = utils.sanitizeFieldPlainText(this.name.trim())
+  this.normalized = utils.sanitizeFieldPlainText(this.name.toLowerCase().trim())
   return next()
 })
 
diff --git a/src/models/tag.js b/src/models/tag.js
index 4f9c22f4f..f4c415cd3 100644
--- a/src/models/tag.js
+++ b/src/models/tag.js
@@ -13,6 +13,7 @@
  */
 
 var mongoose = require('mongoose')
+var utils = require('../helpers/utils')
 
 var COLLECTION = 'tags'
 
@@ -31,8 +32,8 @@ var tagSchema = mongoose.Schema({
 })
 
 tagSchema.pre('save', function (next) {
-  this.name = this.name.trim()
-  this.normalized = this.name.toLowerCase().trim()
+  this.name = utils.sanitizeFieldPlainText(this.name.trim())
+  this.normalized = utils.sanitizeFieldPlainText(this.name.toLowerCase().trim())
   return next()
 })
 
diff --git a/src/models/team.js b/src/models/team.js
index 511a1c344..8c56349c3 100644
--- a/src/models/team.js
+++ b/src/models/team.js
@@ -14,6 +14,7 @@
 
 var _ = require('lodash')
 var mongoose = require('mongoose')
+var utils = require('../helpers/utils')
 
 // Refs
 require('./user')
@@ -35,11 +36,11 @@ var teamSchema = mongoose.Schema({
 teamSchema.plugin(require('mongoose-autopopulate'))
 
 teamSchema.pre('validate', function () {
-  this.normalized = this.name.trim().toLowerCase()
+  this.normalized = utils.sanitizeFieldPlainText(this.name.trim().toLowerCase())
 })
 
 teamSchema.pre('save', function (next) {
-  this.name = this.name.trim()
+  this.name = utils.sanitizeFieldPlainText(this.name.trim())
   return next()
 })
 
diff --git a/src/models/ticket.js b/src/models/ticket.js
index 97a84e721..9f2360381 100644
--- a/src/models/ticket.js
+++ b/src/models/ticket.js
@@ -20,6 +20,7 @@ var moment = require('moment')
 var sanitizeHtml = require('sanitize-html')
 // var redisCache = require('../cache/rediscache');
 var xss = require('xss')
+var utils = require('../helpers/utils')
 
 // Needed - For Population
 var groupSchema = require('./group')
@@ -120,7 +121,7 @@ var autoPopulate = function (next) {
 ticketSchema.pre('findOne', autoPopulate).pre('find', autoPopulate)
 
 ticketSchema.pre('save', function (next) {
-  this.subject = this.subject.trim()
+  this.subject = utils.sanitizeFieldPlainText(this.subject.trim())
   this.wasNew = this.isNew
 
   if (!_.isUndefined(this.uid) || this.uid) {
diff --git a/src/models/ticketpriority.js b/src/models/ticketpriority.js
index fdea395dd..a05955f26 100644
--- a/src/models/ticketpriority.js
+++ b/src/models/ticketpriority.js
@@ -16,6 +16,7 @@
 var mongoose = require('mongoose')
 var moment = require('moment')
 require('moment-duration-format')
+var utils = require('../helpers/utils')
 
 var COLLECTION = 'priorities'
 
@@ -36,7 +37,7 @@ var prioritySchema = mongoose.Schema(
 )
 
 prioritySchema.pre('save', function (next) {
-  this.name = this.name.trim()
+  this.name = utils.sanitizeFieldPlainText(this.name.trim())
   return next()
 })
 
diff --git a/src/models/tickettype.js b/src/models/tickettype.js
index a01584597..c1925ff1c 100644
--- a/src/models/tickettype.js
+++ b/src/models/tickettype.js
@@ -14,6 +14,7 @@
 
 var _ = require('lodash')
 var mongoose = require('mongoose')
+var utils = require('../helpers/utils')
 
 var COLLECTION = 'tickettypes'
 
@@ -43,7 +44,7 @@ ticketTypeSchema.pre('find', autoPopulatePriorities)
 ticketTypeSchema.pre('findOne', autoPopulatePriorities)
 
 ticketTypeSchema.pre('save', function (next) {
-  this.name = this.name.trim()
+  this.name = utils.sanitizeFieldPlainText(this.name.trim())
   return next()
 })
 
diff --git a/src/models/user.js b/src/models/user.js
index 1a531de26..894e681a1 100644
--- a/src/models/user.js
+++ b/src/models/user.js
@@ -18,6 +18,7 @@ var winston = require('winston')
 var bcrypt = require('bcrypt')
 var _ = require('lodash')
 var Chance = require('chance')
+const utils = require('../helpers/utils')
 
 // Required for linkage
 require('./role')
@@ -89,10 +90,11 @@ userSchema.pre('findOne', autoPopulateRole).pre('find', autoPopulateRole)
 
 userSchema.pre('save', function (next) {
   var user = this
-  user.username = user.username.toLowerCase().trim()
-  user.email = user.email.trim()
-  if (user.fullname) user.fullname = user.fullname.trim()
-  if (user.title) user.title = user.title.trim()
+  user.username = utils.sanitizeFieldPlainText(user.username.toLowerCase().trim())
+  user.email = utils.sanitizeFieldPlainText(user.email.trim())
+
+  if (user.fullname) user.fullname = utils.sanitizeFieldPlainText(user.fullname.trim())
+  if (user.title) user.title = utils.sanitizeFieldPlainText(user.title.trim())
 
   if (!user.isModified('password')) {
     return next()
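Review bot: `username` and `email` are login identifiers, and sanitizeFieldPlainText rewrites rather than rejects (js-xss entity-encodes the `<` and `>` it keeps by default), so a value containing such characters is stored in a different form from what the user typed and may no longer match at sign-in or in lookups; for these two fields a validation error, e.g. `if (/[<>]/.test(user.username)) return next(new Error('Invalid characters in username'))`, is the safer contract, with rewriting reserved for display fields like `fullname` and `title`. The hunk also introduces `const utils` where every other model in this patch adds the same require with `var`; pick one form. The save hook continues past the end of the hunk.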