marcel/mermaid
1
0
Fork 0
mirror of https://github.com/mermaid-js/mermaid.git synced 2025-09-22 08:50:13 +02:00
Code Issues Packages Projects Releases Wiki Activity

Fix for XSS vulnerability in url sanitization

Browse Source
This commit is contained in:
Knut Sveidqvist
2021-12-28 16:59:22 +01:00
parent 6f800be33b
commit f4c335ad2f
6 changed files with 249 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
src/diagrams/common/common.spec.js
View File

@@ -1,4 +1,4 @@
import { removeScript, removeEscapes } from './common';
import { sanitizeText, removeScript, removeEscapes } from './common';
describe('when securityLevel is antiscript, all script must be removed', function () {
it('should remove all script block, script inline.', function () {
@@ -69,3 +69,15 @@ describe('remove escape code in text', function () {
expect(result).toEqual('script:');
});
});
describe('Sanitize text', function () {
it('should remove script tag', function () {
const maliciousStr = 'javajavascript:script:alert(1)';
const result = sanitizeText(maliciousStr, {
securityLevel: 'strict',
flowchart: { htmlLabels: true },
});
console.log('result', result);
expect(result).not.toContain('javascript:alert(1)');
});
});

14
src/diagrams/sequence/svgDraw.js
View File

@@ -1,5 +1,6 @@
import common from '../common/common';
import { addFunction } from '../../interactionDb';
import { sanitizeUrl } from '@braintree/sanitize-url';
export const drawRect = function (elem, rectData) {
const rectElem = elem.append('rect');
@@ -19,12 +20,12 @@ export const drawRect = function (elem, rectData) {
return rectElem;
};
const sanitizeUrl = function (s) {
return s
.replace(/&/g, '&')
.replace(/</g, '&lt;')
.replace(/javascript:/g, '');
};
// const sanitizeUrl = function (s) {
// return s
// .replace(/&/g, '&amp;')
// .replace(/</g, '&lt;')
// .replace(/javascript:/g, '');
// };
const addPopupInteraction = (id, actorCnt) => {
addFunction(() => {
@@ -1055,4 +1056,5 @@ export default {
popupMenu,
popdownMenu,
fixLifeLineHeights,
sanitizeUrl,
};

16
src/diagrams/sequence/svgDraw.spec.js
View File

@@ -1,4 +1,4 @@
const svgDraw = require('./svgDraw');
const svgDraw = require('./svgDraw').default;
const { MockD3 } = require('d3');
describe('svgDraw', function () {
@@ -124,4 +124,18 @@ describe('svgDraw', function () {
expect(rect.lower).toHaveBeenCalled();
});
});
describe('sanitizeUrl', function () {
it('it should sanitize malicious urls', function () {
const maliciousStr = 'javascript:script:alert(1)';
const result = svgDraw.sanitizeUrl(maliciousStr);
console.log('result', result);
expect(result).not.toContain('javascript:alert(1)');
});
it('it should not sanitize non dangerous urls', function () {
const maliciousStr = 'javajavascript:script:alert(1)';
const result = svgDraw.sanitizeUrl(maliciousStr);
console.log('result', result);
expect(result).not.toContain('javascript:alert(1)');
});
});
});