Merge pull request #283 from specklesystems/dim/sanitize-fix

Dim/sanitize fix

packages/frontend/src/components/dialogs/ServerInviteDialog.vue

@@ -20,7 +20,11 @@
               :rules="validation.emailRules"
               label="email"
             ></v-text-field>
-            <v-text-field v-model="message" label="message"></v-text-field>
+            <v-text-field
+              v-model="message"
+              :rules="validation.messageRules"
+              label="message"
+            ></v-text-field>
             <v-card-actions>
               <v-btn block color="primary" type="submit">Send invite</v-btn>
             </v-card-actions>
@@ -32,6 +36,7 @@
 </template>
 <script>
 import gql from 'graphql-tag'
+import DOMPurify from 'dompurify'
 
 export default {
   name: 'ServerInviteDialog',
@@ -48,6 +53,17 @@ export default {
         emailRules: [
           (v) => !!v || 'E-mail is required',
           (v) => /.+@.+\..+/.test(v) || 'E-mail must be valid'
+        ],
+        messageRules: [
+          (v) => {
+            if (v.length >= 1024) return 'Message too long!'
+            return true
+          },
+          (v) => {
+            let pure = DOMPurify.sanitize(v)
+            if (pure !== v) return 'No crazy hacks please.'
+            else return true
+          }
         ]
       }
     }

packages/frontend/src/components/dialogs/StreamInviteDialog.vue

@@ -21,7 +21,11 @@
               :rules="validation.emailRules"
               label="email"
             ></v-text-field>
-            <v-text-field v-model="message" label="message"></v-text-field>
+            <v-text-field
+              v-model="message"
+              :rules="validation.messageRules"
+              label="message"
+            ></v-text-field>
             <v-card-actions>
               <v-btn block color="primary" type="submit">Send invite</v-btn>
             </v-card-actions>
@@ -33,6 +37,7 @@
 </template>
 <script>
 import gql from 'graphql-tag'
+import DOMPurify from 'dompurify'
 
 export default {
   name: 'StreamInviteDialog',
@@ -55,6 +60,17 @@ export default {
         emailRules: [
           (v) => !!v || 'E-mail is required',
           (v) => /.+@.+\..+/.test(v) || 'E-mail must be valid'
+        ],
+        messageRules: [
+          (v) => {
+            if (v.length >= 1024) return 'Message too long!'
+            return true
+          },
+          (v) => {
+            let pure = DOMPurify.sanitize(v)
+            if (pure !== v) return 'No crazy hacks please.'
+            else return true
+          }
         ]
       }
     }

packages/server/modules/serverinvites/services/index.js

@@ -2,6 +2,7 @@
 const appRoot = require( 'app-root-path' )
 const crs = require( 'crypto-random-string' )
 const knex = require( `${appRoot}/db/knex` )
+const sanitizeHtml = require( 'sanitize-html' )
 
 const { getUserByEmail, getUserById } = require( `${appRoot}/modules/core/services/users` )
 
@@ -19,6 +20,15 @@ module.exports = {
 
     if ( existingUser ) throw new Error( 'This email is already associated with an account on this server!' )
 
+    if ( message ) {
+      
+      if ( message.length >= 1024 ) {
+        throw new Error( 'Personal message too long.' )
+      }
+
+      message = module.exports.sanitizeMessage( message )
+    }
+
     // check if email is already invited
     let existingInvite = await module.exports.getInviteByEmail( { email } )
     if ( existingInvite ) throw new Error( 'Already invited!' )
@@ -126,5 +136,11 @@ This email was sent from ${serverInfo.name} at ${process.env.CANONICAL_URL}, dep
 
     await Invites().where( { id: id } ).update( { used: true } )
     return true
+  },
+
+  async sanitizeMessage( message ) {
+    return sanitizeHtml( message, {
+      allowedTags: [ 'b', 'i', 'em', 'strong' ],
+    } )
   }
 }

packages/server/modules/serverinvites/tests/serverInvites.spec.js

@@ -4,6 +4,7 @@ const chai = require( 'chai' )
 const request = require( 'supertest' )
 const assert = require( 'assert' )
 const appRoot = require( 'app-root-path' )
+const { async } = require( 'crypto-random-string' )
 const { init, startHttp } = require( `${appRoot}/app` )
 
 const expect = chai.expect
@@ -11,9 +12,8 @@ const expect = chai.expect
 const knex = require( `${appRoot}/db/knex` )
 const { createUser } = require( `${appRoot}/modules/core/services/users` )
 
-const { createAndSendInvite, getInviteById, getInviteByEmail, validateInvite, useInvite } = require( `${appRoot}/modules/serverinvites/services` )
+const { createAndSendInvite, getInviteById, getInviteByEmail, validateInvite, useInvite, sanitizeMessage } = require( `${appRoot}/modules/serverinvites/services` )
 const { createStream, getStream, getStreamUsers, getUserStreams } = require( `${appRoot}/modules/core/services/streams` )
-const { createPersonalAccessToken } = require( `${appRoot}/modules/core/services/tokens` )
 
 const serverAddress = `http://localhost:${process.env.PORT || 3000}`
 
@@ -55,30 +55,51 @@ describe( 'Server Invites @server-invites', ( ) => {
 
       try {
         await createAndSendInvite( { email:'cat@speckle.systems', inviterId: actor.id, message: 'Hey, join!' } )
-        assert.fail()
       } catch ( e ) {
-      // pass
+        return
       }
+      assert.fail( 'should not allow multiple invites for the same email' )
     } )
 
     it( 'should not allow self invites', async() => {
 
       try {
         await createAndSendInvite( { email: 'didimitrie-100@gmail.com', inviterId: actor.id } )
-        assert.fail()
       } catch ( e ) {
-      // pass
+        return
       }
+      assert.fail( 'should not allow self invites' )
     } )
 
     it( 'should not allow invites from no user', async() => {
 
       try {
         await createAndSendInvite( { email: 'didimitrie233-100@gmail.com', inviterId: 'fake' } )
-        assert.fail()
       } catch ( e ) {
-      // pass
+        return
       }
+      assert.fail( 'should not allow invites from no user' )
+    } )
+
+    it( 'should not allow invites with a too long message', async() => {
+      
+      try {
+        let inviteId = await createAndSendInvite( {
+          email: '123456@gmail.com',
+          inviterId: actor.id,
+          message: longInviteMessage
+        } )
+      } catch ( e ){
+        return
+      }
+      
+      assert.fail( 'created invite with too long message' )
+    } )
+
+    it( 'should sanitize invite messages', async() => {
+      let clean = await sanitizeMessage( 'Click on my <b><a href="https://spam.com">spam link please</a></b>!' )
+      const includesLink = clean.includes( '<a' )
+      expect( includesLink ).to.be.false
     } )
 
     it( 'should get an invite by id', async() => {
@@ -220,3 +241,6 @@ function sendRequest( auth, obj, address = serverAddress ) {
   return chai.request( address ).post( '/graphql' ).set( 'Authorization', auth ).send( obj )
 
 }
+
+const longInviteMessage =
+  'Sed ut perspiciatis unde omnis iste natus error sit voluptatem accusantium doloremque laudantium, totam rem aperiam, eaque ipsa quae ab illo inventore veritatis et quasi architecto beatae vitae dicta sunt explicabo. Nemo enim ipsam voluptatem quia voluptas sit aspernatur aut odit aut fugit, sed quia consequuntur magni dolores eos qui ratione voluptatem sequi nesciunt. Neque porro quisquam est, qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit, sed quia non numquam eius modi tempora incidunt ut labore et dolore magnam aliquam quaerat voluptatem. Ut enim ad minima veniam, quis nostrum exercitationem ullam corporis suscipit laboriosam, nisi ut aliquid ex ea commodi consequatur? Quis autem vel eum iure reprehenderit qui in ea voluptate velit esse quam nihil molestiae consequatur, vel illum qui dolorem eum fugiat quo voluptas nulla pariatur? At vero eos et accusamus et iusto odio dignissimos ducimus qui blanditiis praesentium voluptatum deleniti atque corrupti quos dolores et quas molestias excepturi sint occaecati cupiditate non provident, similique sunt in culpa qui officia deserunt mollitia animi, id est laborum et dolorum fuga. Et harum quidem rerum facilis est et expedita distinctio. Nam libero tempore, cum soluta nobis est eligendi optio cumque nihil impedit quo minus id quod maxime placeat facere possimus, omnis voluptas assumenda est, omnis dolor repellendus. Temporibus autem quibusdam et aut officiis debitis aut rerum necessitatibus saepe eveniet ut et voluptates repudiandae sint et molestiae non recusandae. Itaque earum rerum hic tenetur a sapiente delectus, ut aut reiciendis voluptatibus maiores alias consequatur aut perferendis doloribus asperiores repellat.'

packages/server/package-lock.json

@@ -4498,6 +4498,11 @@
 			"integrity": "sha1-s2nW+128E+7PUk+RsHD+7cNXzzQ=",
 			"dev": true
 		},
+		"deepmerge": {
+			"version": "4.2.2",
+			"resolved": "https://registry.npmjs.org/deepmerge/-/deepmerge-4.2.2.tgz",
+			"integrity": "sha512-FJ3UgI4gIl+PHZm53knsuSFpE+nESMr7M4v9QcgB7S63Kj/6WqMiFQJpBBYz1Pt+66bZpP3Q7Lye0Oo9MPKEdg=="
+		},
 		"default-require-extensions": {
 			"version": "3.0.0",
 			"resolved": "https://registry.npmjs.org/default-require-extensions/-/default-require-extensions-3.0.0.tgz",
@@ -4666,6 +4671,39 @@
 				"esutils": "^2.0.2"
 			}
 		},
+		"dom-serializer": {
+			"version": "1.3.2",
+			"resolved": "https://registry.npmjs.org/dom-serializer/-/dom-serializer-1.3.2.tgz",
+			"integrity": "sha512-5c54Bk5Dw4qAxNOI1pFEizPSjVsx5+bpJKmL2kPn8JhBUq2q09tTCa3mjijun2NfK78NMouDYNMBkOrPZiS+ig==",
+			"requires": {
+				"domelementtype": "^2.0.1",
+				"domhandler": "^4.2.0",
+				"entities": "^2.0.0"
+			}
+		},
+		"domelementtype": {
+			"version": "2.2.0",
+			"resolved": "https://registry.npmjs.org/domelementtype/-/domelementtype-2.2.0.tgz",
+			"integrity": "sha512-DtBMo82pv1dFtUmHyr48beiuq792Sxohr+8Hm9zoxklYPfa6n0Z3Byjj2IV7bmr2IyqClnqEQhfgHJJ5QF0R5A=="
+		},
+		"domhandler": {
+			"version": "4.2.0",
+			"resolved": "https://registry.npmjs.org/domhandler/-/domhandler-4.2.0.tgz",
+			"integrity": "sha512-zk7sgt970kzPks2Bf+dwT/PLzghLnsivb9CcxkvR8Mzr66Olr0Ofd8neSbglHJHaHa2MadfoSdNlKYAaafmWfA==",
+			"requires": {
+				"domelementtype": "^2.2.0"
+			}
+		},
+		"domutils": {
+			"version": "2.7.0",
+			"resolved": "https://registry.npmjs.org/domutils/-/domutils-2.7.0.tgz",
+			"integrity": "sha512-8eaHa17IwJUPAiB+SoTYBo5mCdeMgdcAoXJ59m6DT1vw+5iLS3gNoqYaRowaBKtGVrOF1Jz4yDTgYKLK2kvfJg==",
+			"requires": {
+				"dom-serializer": "^1.0.1",
+				"domelementtype": "^2.2.0",
+				"domhandler": "^4.2.0"
+			}
+		},
 		"dot-prop": {
 			"version": "4.2.1",
 			"resolved": "https://registry.npmjs.org/dot-prop/-/dot-prop-4.2.1.tgz",
@@ -4798,6 +4836,11 @@
 				"ansi-colors": "^4.1.1"
 			}
 		},
+		"entities": {
+			"version": "2.2.0",
+			"resolved": "https://registry.npmjs.org/entities/-/entities-2.2.0.tgz",
+			"integrity": "sha512-p92if5Nz619I0w+akJrLZH0MX0Pb5DX39XOwQTtXSdQQOaYH03S1uIQp4mhOZtAXrxq4ViO67YTiLBo2638o9A=="
+		},
 		"env-paths": {
 			"version": "2.2.0",
 			"resolved": "https://registry.npmjs.org/env-paths/-/env-paths-2.2.0.tgz",
@@ -6794,6 +6837,17 @@
 			"integrity": "sha512-H2iMtd0I4Mt5eYiapRdIDjp+XzelXQ0tFE4JS7YFwFevXXMmOp9myNrUvCg0D6ws8iqkRPBfKHgbwig1SmlLfg==",
 			"dev": true
 		},
+		"htmlparser2": {
+			"version": "6.1.0",
+			"resolved": "https://registry.npmjs.org/htmlparser2/-/htmlparser2-6.1.0.tgz",
+			"integrity": "sha512-gyyPk6rgonLFEDGoeRgQNaEUvdJ4ktTmmUh/h2t7s+M8oPpIPxgNACWa+6ESR57kXstwqPiCut0V8NRpcwgU7A==",
+			"requires": {
+				"domelementtype": "^2.0.1",
+				"domhandler": "^4.0.0",
+				"domutils": "^2.5.2",
+				"entities": "^2.0.0"
+			}
+		},
 		"http-cache-semantics": {
 			"version": "3.8.1",
 			"resolved": "https://registry.npmjs.org/http-cache-semantics/-/http-cache-semantics-3.8.1.tgz",
@@ -7834,6 +7888,11 @@
 			"resolved": "https://registry.npmjs.org/kind-of/-/kind-of-6.0.3.tgz",
 			"integrity": "sha512-dcS1ul+9tmeD95T+x28/ehLgd9mENa3LsvDTtzm3vyBEO7RPptvAD+t44WVXaUjTBRcrpFeFlC8WCruUR456hw=="
 		},
+		"klona": {
+			"version": "2.0.4",
+			"resolved": "https://registry.npmjs.org/klona/-/klona-2.0.4.tgz",
+			"integrity": "sha512-ZRbnvdg/NxqzC7L9Uyqzf4psi1OM4Cuc+sJAkQPjO6XkQIJTNbfK2Rsmbw8fx1p2mkZdp2FZYo2+LwXYY/uwIA=="
+		},
 		"knex": {
 			"version": "0.21.15",
 			"resolved": "https://registry.npmjs.org/knex/-/knex-0.21.15.tgz",
@@ -8830,6 +8889,11 @@
 			"integrity": "sha512-M2ufzIiINKCuDfBSAUr1vWQ+vuVcA9kqx8JJUsbQi6yf1uGRyb7HfpdfUr5qLXf3B/t8dPvcjhKMmlfnP47EzQ==",
 			"optional": true
 		},
+		"nanoid": {
+			"version": "3.1.23",
+			"resolved": "https://registry.npmjs.org/nanoid/-/nanoid-3.1.23.tgz",
+			"integrity": "sha512-FiB0kzdP0FFVGDKlRLEQ1BgDzU87dy5NnzjeW9YZNt+/c3+q82EQDUwniSAUxp/F0gFNI1ZhKU1FqYsMuqZVnw=="
+		},
 		"nanomatch": {
 			"version": "1.2.13",
 			"resolved": "https://registry.npmjs.org/nanomatch/-/nanomatch-1.2.13.tgz",
@@ -9776,6 +9840,11 @@
 				"protocols": "^1.4.0"
 			}
 		},
+		"parse-srcset": {
+			"version": "1.0.2",
+			"resolved": "https://registry.npmjs.org/parse-srcset/-/parse-srcset-1.0.2.tgz",
+			"integrity": "sha1-8r0iH2zJcKk42IVWq8WJyqqiveE="
+		},
 		"parse-url": {
 			"version": "5.0.2",
 			"resolved": "https://registry.npmjs.org/parse-url/-/parse-url-5.0.2.tgz",
@@ -10073,6 +10142,23 @@
 			"resolved": "https://registry.npmjs.org/posix-character-classes/-/posix-character-classes-0.1.1.tgz",
 			"integrity": "sha1-AerA/jta9xoqbAL+q7jB/vfgDqs="
 		},
+		"postcss": {
+			"version": "8.3.0",
+			"resolved": "https://registry.npmjs.org/postcss/-/postcss-8.3.0.tgz",
+			"integrity": "sha512-+ogXpdAjWGa+fdYY5BQ96V/6tAo+TdSSIMP5huJBIygdWwKtVoB5JWZ7yUd4xZ8r+8Kvvx4nyg/PQ071H4UtcQ==",
+			"requires": {
+				"colorette": "^1.2.2",
+				"nanoid": "^3.1.23",
+				"source-map-js": "^0.6.2"
+			},
+			"dependencies": {
+				"colorette": {
+					"version": "1.2.2",
+					"resolved": "https://registry.npmjs.org/colorette/-/colorette-1.2.2.tgz",
+					"integrity": "sha512-MKGMzyfeuutC/ZJ1cba9NqcNpfeqMUcYmyF1ZFY6/Cn7CNSAKx6a+s48sqLqyAiZuaP2TcqMhoo+dlwFnVxT9w=="
+				}
+			}
+		},
 		"postgres-array": {
 			"version": "2.0.0",
 			"resolved": "https://registry.npmjs.org/postgres-array/-/postgres-array-2.0.0.tgz",
@@ -10863,6 +10949,32 @@
 			"resolved": "https://registry.npmjs.org/safer-buffer/-/safer-buffer-2.1.2.tgz",
 			"integrity": "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg=="
 		},
+		"sanitize-html": {
+			"version": "2.4.0",
+			"resolved": "https://registry.npmjs.org/sanitize-html/-/sanitize-html-2.4.0.tgz",
+			"integrity": "sha512-Y1OgkUiTPMqwZNRLPERSEi39iOebn2XJLbeiGOBhaJD/yLqtLGu6GE5w7evx177LeGgSE+4p4e107LMiydOf6A==",
+			"requires": {
+				"deepmerge": "^4.2.2",
+				"escape-string-regexp": "^4.0.0",
+				"htmlparser2": "^6.0.0",
+				"is-plain-object": "^5.0.0",
+				"klona": "^2.0.3",
+				"parse-srcset": "^1.0.2",
+				"postcss": "^8.0.2"
+			},
+			"dependencies": {
+				"escape-string-regexp": {
+					"version": "4.0.0",
+					"resolved": "https://registry.npmjs.org/escape-string-regexp/-/escape-string-regexp-4.0.0.tgz",
+					"integrity": "sha512-TtpcNJ3XAzx3Gq8sWRzJaVajRs0uVxA2YAkdb1jm2YkPz4G6egUFAyA3n5vtEIZefPk5Wa4UXbKuS5fKkJWdgA=="
+				},
+				"is-plain-object": {
+					"version": "5.0.0",
+					"resolved": "https://registry.npmjs.org/is-plain-object/-/is-plain-object-5.0.0.tgz",
+					"integrity": "sha512-VRSzKkbMm5jMDoKLbltAkFQ5Qr7VDiTFGXxYFXXowVj387GeGNOCsOH6Msy00SGZ3Fp84b1Naa1psqgcCIEP5Q=="
+				}
+			}
+		},
 		"sax": {
 			"version": "1.2.4",
 			"resolved": "https://registry.npmjs.org/sax/-/sax-1.2.4.tgz",
@@ -11245,6 +11357,11 @@
 			"resolved": "https://registry.npmjs.org/source-map/-/source-map-0.5.7.tgz",
 			"integrity": "sha1-igOdLRAh0i0eoUyA2OpGi6LvP8w="
 		},
+		"source-map-js": {
+			"version": "0.6.2",
+			"resolved": "https://registry.npmjs.org/source-map-js/-/source-map-js-0.6.2.tgz",
+			"integrity": "sha512-/3GptzWzu0+0MBQFrDKzw/DvvMTUORvgY6k6jd/VS6iCR4RDTKWH6v6WPwQoUO8667uQEf9Oe38DxAYWY5F/Ug=="
+		},
 		"source-map-resolve": {
 			"version": "0.5.3",
 			"resolved": "https://registry.npmjs.org/source-map-resolve/-/source-map-resolve-0.5.3.tgz",

packages/server/package.json

@@ -60,6 +60,7 @@
     "pg-query-stream": "^3.4.2",
     "prom-client": "^13.1.0",
     "redis": "^3.1.1",
+    "sanitize-html": "^2.4.0",
     "zxcvbn": "^4.4.2"
   },
   "devDependencies": {