From c0831ecef64ca933bdae183bf0eae8bf5c4ea5c3 Mon Sep 17 00:00:00 2001
From: Knut Sveidqvist
Date: Thu, 5 Aug 2021 17:35:28 +0200
Subject: [PATCH] Using Whitelist in all places
---
 cypress/platform/knsv.html | 5 ++-
 src/mermaidAPI.js | 8 +++-
 src/utils.js | 68 +++++++++++++++++++++++++-------------
 3 files changed, 53 insertions(+), 28 deletions(-)
diff --git a/cypress/platform/knsv.html b/cypress/platform/knsv.html
index 510fa9f14..474132392 100644
--- a/cypress/platform/knsv.html
+++ b/cypress/platform/knsv.html
@@ -57,13 +57,12 @@ subgraph CompositeState end
-%%{init: { 'prototype': {'__proto__': {'vuln': 'test'}}} }%%
-%%{init: { 'prototype': {'__proto__': {'vuln': 'test'}}} }%%
+%%{init: { "apa":"b", "theme":"forest"}}%%
 sequenceDiagram
 Alice->>Bob: Hi Bob
 Bob->>Alice: Hi Alice
-
+
 %%{init: { 'theme':'base', '__proto__': {'polluted': 'asdf'}} }%%
 %%{init: { 'theme':'base', '__proto__': {'polluted': 'asdf'}} }%%
 graph LR
diff --git a/src/mermaidAPI.js b/src/mermaidAPI.js
index 8b7f93797..c31a33dd7 100755
--- a/src/mermaidAPI.js
+++ b/src/mermaidAPI.js
@@ -54,6 +54,8 @@ import journeyDb from './diagrams/user-journey/journeyDb';
 import journeyRenderer from './diagrams/user-journey/journeyRenderer';
 import journeyParser from './diagrams/user-journey/parser/journey';
 import errorRenderer from './errorRenderer';
+import { configKeys } from './defaultConfig';
+
 // import * as configApi from './config';
 // // , {
 // // setConfig,
@@ -66,7 +68,7 @@ import errorRenderer from './errorRenderer';
 import { log, setLogLevel } from './logger';
 import getStyles from './styles';
 import theme from './themes';
-import utils, { assignWithDepth } from './utils';
+import utils, { directiveSanitizer, assignWithDepth } from './utils';
 function parse(text) {
 const cnf = configApi.getConfig();
@@ -537,7 +539,9 @@ const handleDirective = function (p, directive, type) {
 delete directive.args[prop];
 }
 });
-
+ console.log('sanitize in handleDirective', directive.args);
+ directiveSanitizer(directive.args);
+ console.log('sanitize in handleDirective (done)', directive.args);
 reinitialize(directive.args);
 configApi.addDirective(directive.args);
 break;
diff --git a/src/utils.js b/src/utils.js
index 282aeb808..bf43246a8 100644
--- a/src/utils.js
+++ b/src/utils.js
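Review bot: The fixture replaces the `'prototype'`/`__proto__` directive on the sequence diagram with a benign theme directive and keeps a `__proto__` case only on the graph LR sample, but nothing on this manual platform page asserts that the pollution attempt actually fails. A cypress spec that renders that directive and then checks `expect(({}).polluted).to.be.undefined` would turn the fixture into a regression test for the sanitizer this commit introduces.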
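Review bot: `configKeys` is imported into mermaidAPI.js, but none of the visible hunks in this file reference it; the whitelist lookup happens inside `directiveSanitizer` in utils.js. Unless a use exists outside the diff, the import is dead and ESLint's no-unused-vars will flag it, so `import { configKeys } from './defaultConfig';` should be dropped here.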
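Review bot: The two `console.log` calls wrapped around `directiveSanitizer(directive.args);` print every directive's arguments to the console from library code, while the surrounding handleDirective code and the sanitizer itself report through `log.debug`; switch them to `log.debug(...)` or remove them so output is governed by the configured log level. The same `console.log` debugging appears in utils.js in the detectInit hunk (`'sanitizer (args)'`, `'sanitize results'`) and at the top of directiveSanitizer (`'directiveSanitizer called with'`). Sanitizing after the `delete directive.args[prop]` rename loop and before `reinitialize`/`addDirective` is the right order, since the renamed key is what the whitelist sees; handleDirective's body begins before this hunk.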
@@ -70,33 +70,14 @@ const anyComment = /\s*%%.*\n/gm;
 export const detectInit = function (text, cnf) {
 let inits = detectDirective(text, /(?:init\b)|(?:initialize\b)/);
 let results = {};
+
 if (Array.isArray(inits)) {
 let args = inits.map((init) => init.args);
- Object.keys(args).forEach((argKey) => {
- Object.keys(args[argKey]).forEach((key) => {
- if (key.indexOf('__') === 0) {
- log.debug('sanitize deleting prototype option', args[key]);
- delete args[argKey][key];
- }
+ console.log('sanitizer (args)', args);
+ directiveSanitizer(args);
- if (key.indexOf('proto') >= 0) {
- log.debug('sanitize deleting prototype option', args[key]);
- delete args[argKey][key];
- }
-
- if (key.indexOf('constr') >= 0) {
- log.debug('sanitize deleting prototype option', args[key]);
- delete args[argKey][key];
- }
- if (configKeys.indexOf(key) < 0) {
- log.debug('sanitize deleting option', args[argKey][key]);
- delete args[argKey][key];
- }
- });
- });
- // Object.freeze(Object.prototype);
- // Object.freeze(Object);
 results = assignWithDepth(results, [...args]);
+ console.log('sanitize results', results);
 } else {
 results = inits.args;
 }
@@ -112,6 +93,8 @@ export const detectInit = function (text, cnf) {
 }
 });
 }
+
+ // Todo: refactor this, these results are never used
 return results;
 };
@@ -838,6 +821,44 @@ export const entityDecode = function (html) {
 return unescape(decoder.textContent);
 };
+export const directiveSanitizer = (args) => {
+ console.log('directiveSanitizer called with', args);
+ if (typeof args === 'object') {
+ // check for array
+ if (args.length) {
+ args.forEach((arg) => directiveSanitizer(arg));
+ } else {
+ // This is an object
+ Object.keys(args).forEach((key) => {
+ log.debug('Checking key', key);
+ if (key.indexOf('__') === 0) {
+ log.debug('sanitize deleting __ option', key);
+ delete args[key];
+ }
+
+ if (key.indexOf('proto') >= 0) {
+ log.debug('sanitize deleting proto option', key);
+ delete args[key];
+ }
+
+ if (key.indexOf('constr') >= 0) {
+ log.debug('sanitize deleting constr option', key);
+ delete args[key];
+ }
+ if (configKeys.indexOf(key) < 0) {
+ log.debug('sanitize deleting option', key);
+ delete args[key];
+ } else {
+ if (typeof args[key] === 'object') {
+ log.debug('sanitize deleting object', key);
+ directiveSanitizer(args[key]);
+ }
+ }
+ });
+ }
+ }
+};
+
 export default {
 assignWithDepth,
 wrapLabel,
@@ -862,4 +883,5 @@ export default {
 runFunc,
 entityDecode,
 initIdGeneratior,
+ directiveSanitizer,
 };
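Review bot: `typeof args === 'object'` is also true for `null`, so a directive whose args (or any nested value) come through as `null` reaches `args.length` and throws a TypeError out of the sanitizer instead of being ignored; guard with `if (args === null || typeof args !== 'object') return;` at the top. Detecting arrays by a truthy `length` is fragile as well: an empty array takes the object branch (harmless), but a plain object carrying a `length` key would be routed to `args.forEach` and throw, whereas `if (Array.isArray(args))` is exact and matches the `Array.isArray(inits)` check detectInit already uses. After one of the `__`/`proto`/`constr` checks deletes a key, the later checks and the whitelist branch still run on it and `typeof args[key]` is then inspected on an undefined value; returning from the callback after the first `delete` makes the intent clearer and avoids the redundant work. The function also deserves a short header comment stating that it mutates `args` in place, drops every key not in `configKeys` at any depth, and assumes the object was built by a parser that creates `__proto__` as an own key (as JSON.parse does) rather than through assignment, since in the latter case the prototype would already have been touched before sanitization runs.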