State diagram sanitization

cypress/integration/other/xss.spec.js

@@ -68,5 +68,10 @@ describe('XSS', () => {
     cy.wait(1000);
     cy.get('#the-malware').should('not.exist');
   })
+  it('should not allow maniplulating antiscript to run javascript using onerror in state diagrams', () => {
+    cy.visit('http://localhost:9000/xss7.html');
+    cy.wait(1000);
+    cy.get('#the-malware').should('not.exist');
+  })
 
 })

cypress/platform/xss7.html

@@ -0,0 +1,99 @@
+<html>
+  <head>
+    <link
+      href="https://fonts.googleapis.com/css?family=Montserrat&display=swap"
+      rel="stylesheet"
+    />
+    <link href="https://unpkg.com/tailwindcss@^1.0/dist/tailwind.min.css" rel="stylesheet">
+    <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css">
+    <link href="https://fonts.googleapis.com/css?family=Noto+Sans+SC&display=swap" rel="stylesheet">
+    <style>
+      body {
+        /* background: rgb(221, 208, 208); */
+        /* background:#333; */
+        font-family: 'Arial';
+        /* font-size: 18px !important; */
+        }
+      h1 { color: grey;}
+      .mermaid2 {
+        display: none;
+      }
+      .mermaid svg {
+        /* font-size: 18px !important; */
+      }
+      .malware {
+        position: fixed;
+        bottom:0;
+        left:0;
+        right:0;
+        height: 150px;
+        background: red;
+        color: black;
+        display: flex;
+        display: flex;
+        justify-content: center;
+        align-items: center;
+        font-family: monospace;
+        font-size: 72px;
+      }
+    </style>
+  </head>
+  <body>
+    <div>Security check</div>
+    <div class="flex">
+      <div id="diagram" class="mermaid"></div>
+      <div id="res" class=""></div>
+  <script src="./mermaid.js"></script>
+    <script>
+      mermaid.parseError = function (err, hash) {
+          // console.error('Mermaid error: ', err);
+        };
+      mermaid.initialize({
+        theme: 'forest',
+        arrowMarkerAbsolute: true,
+        // themeCSS: '.edgePath .path {stroke: red;} .arrowheadPath {fill: red;}',
+        logLevel: 0,
+        state: {
+          defaultRenderer: 'dagre-d3',
+        },
+        flowchart: {
+          // defaultRenderer: 'dagre-wrapper',
+          nodeSpacing: 10, curve: 'cardinal', htmlLabels: true
+        },
+        htmlLabels: true,
+        // gantt: { axisFormat: '%m/%d/%Y' },
+        sequence: { actorFontFamily: 'courier',actorMargin: 50, showSequenceNumbers: false },
+        // sequenceDiagram: { actorMargin: 300 } // deprecated
+        // fontFamily: '"times", sans-serif',
+        // fontFamily: 'courier',
+        fontSize: 18,
+        curve: 'basis',
+        startOnLoad: false,
+        secure: ['secure', 'securityLevel', 'startOnLoad', 'maxTextSize'],
+        securityLevel: 'loose',
+        // themeVariables: {relationLabelColor: 'red'}
+      });
+      function callback(){alert('It worked');}
+      function xssAttack(){
+        const div = document.createElement('div')
+        div.id = 'the-malware'
+        div.className = 'malware'
+        div.innerHTML = 'XSS Succeeded'
+        document.getElementsByTagName('body')[0].appendChild(div);
+        throw new Error('XSS Succeded');
+      }
+
+
+      var diagram = "stateDiagram-v2\n";
+     diagram += "<img/src='1'/onerror=xssAttack()> --> B";
+  // diagram += "script\u003aalert\u0028document.domain\u0029\` src=x>\"\);\n";
+  console.log(diagram);
+  // document.querySelector('#diagram').innerHTML = diagram;
+  mermaid.render('diagram', diagram, (res) => {
+    console.log(res);
+    document.querySelector('#res').innerHTML = res;
+  });
+    </script>
+  </body>
+</html>
+

src/diagrams/state/stateDb.js

@@ -1,10 +1,10 @@
 import { log } from '../../logger';
 import { generateId } from '../../utils';
 import mermaidAPI from '../../mermaidAPI';
+import common from '../common/common';
 import * as configApi from '../../config';
 
 const clone = (o) => JSON.parse(JSON.stringify(o));
-
 let rootDoc = [];
 
 export const parseDirective = function (statement, context, type) {
@@ -148,7 +148,7 @@ export const addState = function (id, type, doc, descr, note) {
     }
   }
 
-  if (note) currentDocument.states[id].note = note;
+  if (note) currentDocument.states[id].note = common.sanitizeText(note, configApi.getConfig());
 };
 
 export const clear = function () {
@@ -195,7 +195,7 @@ export const addRelation = function (_id1, _id2, title) {
   }
   addState(id1, type1);
   addState(id2, type2);
-  currentDocument.relations.push({ id1, id2, title: title });
+  currentDocument.relations.push({ id1, id2, title: common.sanitizeText(title, configApi.getConfig()) });
 };
 
 const addDescription = function (id, _descr) {
@@ -204,8 +204,7 @@ const addDescription = function (id, _descr) {
   if (descr[0] === ':') {
     descr = descr.substr(1).trim();
   }
-
-  theState.descriptions.push(descr);
+  theState.descriptions.push(common.sanitizeText(descr, config));
 };
 
 export const cleanupLabel = function (label) {

src/diagrams/state/stateRenderer-v2.js

@@ -7,6 +7,7 @@ import { getConfig } from '../../config';
 import { render } from '../../dagre-wrapper/index.js';
 import { log } from '../../logger';
 import { configureSvgSize } from '../../utils';
+import common from '../common/common';
 
 const conf = {};
 export const setConf = function (cnf) {
@@ -15,6 +16,7 @@ export const setConf = function (cnf) {
     conf[keys[i]] = cnf[keys[i]];
   }
 };
+let mainConfig = getConfig();
 
 let nodeDb = {};
 
@@ -51,7 +53,7 @@ const setupNode = (g, parent, node, altFlag) => {
       nodeDb[node.id] = {
         id: node.id,
         shape,
-        description: node.id,
+        description: common.sanitizeText(node.id, getConfig()),
         classes: 'statediagram-state',
       };
     }