fix(core): Use class-validator with XSS check for survey answers (#10490)

Co-authored-by: Tomi Turtiainen <10324676+tomi@users.noreply.github.com>
Iván Ovejero
2024-08-21 16:18:16 +02:00
committed by GitHub
parent d5acde5ce4
commit 547a60642c
15 changed files with 274 additions and 102 deletions


@@ -11,6 +11,9 @@ describe('NoXss', () => {
@NoXss()
version = '';
@NoXss({ each: true })
categories: string[] = [];
}
const entity = new Entity();
@@ -71,7 +74,7 @@ describe('NoXss', () => {
}
});
describe('Miscellanous strings', () => {
describe('Miscellaneous strings', () => {
const VALID_MISCELLANEOUS_STRINGS = ['CI/CD'];
for (const str of VALID_MISCELLANEOUS_STRINGS) {
@@ -81,4 +84,34 @@ describe('NoXss', () => {
});
}
});
describe('Array of strings', () => {
const VALID_STRING_ARRAYS = [
['cloud-infrastructure-orchestration', 'ci-cd', 'reporting'],
['automationGoalDevops', 'cloudComputing', 'containerization'],
];
for (const arr of VALID_STRING_ARRAYS) {
test(`should allow array: ${JSON.stringify(arr)}`, async () => {
entity.categories = arr;
await expect(validate(entity)).resolves.toBeEmptyArray();
});
}
const INVALID_STRING_ARRAYS = [
['valid-string', '<script>alert("xss")</script>', 'another-valid-string'],
['<img src="x" onerror="alert(\'XSS\')">', 'valid-string'],
];
for (const arr of INVALID_STRING_ARRAYS) {
test(`should reject array containing invalid string: ${JSON.stringify(arr)}`, async () => {
entity.categories = arr;
const errors = await validate(entity);
expect(errors).toHaveLength(1);
const [error] = errors;
expect(error.property).toEqual('categories');
expect(error.constraints).toEqual({ NoXss: 'Potentially malicious string' });
});
}
});
});
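Review bot: The new array tests at the end of this section only exercise `categories` holding a well-formed `string[]`; nothing checks what the `@NoXss({ each: true })` decorator added in the first hunk does when the property arrives as a non-array (a bare string or object from an untyped request body) or contains a non-string element, which is exactly the input the constraint's `validate(value: unknown)` guard was widened for. Whether class-validator applies the constraint to the raw value or skips the property when `each: true` meets a non-array is not visible on this page, so a test pinning the rejection would close the gap and guard against a later library change. A small addition alongside `INVALID_STRING_ARRAYS` would do; the enclosing `describe('NoXss')` block and the `Entity` class begin outside these hunks.
```typescript
// … unchanged: valid and invalid string-array cases …
test('should reject a non-string element in the array', async () => {
  entity.categories = [42] as unknown as string[];
  const errors = await validate(entity);
  expect(errors).toHaveLength(1);
  expect(errors[0].property).toEqual('categories');
});
```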


@@ -4,7 +4,9 @@ import { registerDecorator, ValidatorConstraint } from 'class-validator';
@ValidatorConstraint({ name: 'NoXss', async: false })
class NoXssConstraint implements ValidatorConstraintInterface {
validate(value: string) {
validate(value: unknown) {
if (typeof value !== 'string') return false;
return (
value ===
xss(value, {