#2219 Moving check earlier in the chain for better effect

2025-09-17 22:39:56 +02:00 · 2021-08-03 20:10:15 +02:00
parent 68cd425950
commit 73ff972789
4 changed files with 27 additions and 5 deletions
--- a/cypress/platform/knsv.html
+++ b/cypress/platform/knsv.html
@@ -57,9 +57,19 @@ subgraph CompositeState
 end
 </div>
 <div class="mermaid" style="width: 100%; height: 20%;">
-graph TD
-  A["<img src=`https://via.placeholder.com/64/`>"]
+%%{init: { '__proto__': {'vuln': 'test'}} }%%
+%%{init: { '__proto__': {'vuln': 'test'}} }%%
+
+sequenceDiagram
+Alice->>Bob: Hi Bob
+Bob->>Alice: Hi Alice
 </div>
+    <div class="mermaid">
+      %%{init: { 'theme':'base', '__proto__': {'polluted': 'asdf'}} }%%
+      %%{init: { 'theme':'base', '__proto__': {'polluted': 'asdf'}} }%%
+      graph LR
+          A --> B
+    </div>
 <div class="mermaid2" style="width: 100%; height: 20%;">
 flowchart TD
  Link --> b
@@ -121,7 +131,7 @@ YourState
        logLevel:0,
        fontSize: 18,
        curve: 'cardinal',
-        securityLevel: 'loose',
+        securityLevel: 'strict',
        // themeVariables: {relationLabelColor: 'red'}
      });
      function callback(){alert('It worked');}
--- a/cypress/platform/xss2.html
+++ b/cypress/platform/xss2.html
@@ -38,6 +38,12 @@
      graph LR
          A --> B
    </div>
+    <div class="mermaid">
+      %%{init: { 'theme':'base', '__proto__': {'polluted': 'asdf'}} }%%
+      %%{init: { 'theme':'base', '__proto__': {'polluted': 'asdf'}} }%%
+      graph LR
+          A --> B
+    </div>
    <script src="./mermaid.js"></script>
    <script>
      mermaid.initialize({
--- a/src/diagrams/common/common.js
+++ b/src/diagrams/common/common.js
@@ -65,7 +65,6 @@ const sanitizeMore = (text, config) => {

 export const sanitizeText = (text, config) => {
  const txt = sanitizeMore(DOMPurify.sanitize(text), config);
-
  return txt;
 };

--- a/src/utils.js
+++ b/src/utils.js
@@ -71,6 +71,14 @@ export const detectInit = function (text, cnf) {
  let results = {};
  if (Array.isArray(inits)) {
    let args = inits.map((init) => init.args);
+    Object.keys(args).forEach((argKey) => {
+      Object.keys(args[argKey]).forEach((key) => {
+        if (key.indexOf('__') === 0) {
+          log.debug('sanitize deleting prototype option', args[key]);
+          delete args[argKey][key];
+        }
+      });
+    });
    results = assignWithDepth(results, [...args]);
  } else {
    results = inits.args;
@@ -173,7 +181,6 @@ export const detectDirective = function (text, type = null) {
 */
 export const detectType = function (text, cnf) {
  text = text.replace(directive, '').replace(anyComment, '\n');
-  log.debug('Detecting diagram type based on the text ' + text);
  if (text.match(/^\s*sequenceDiagram/)) {
    return 'sequence';
  }