Remove user supplied values from responses (#5780)

Author: christopherholland-workday

packages/server/src/controllers/chat-messages/index.ts

@@ -168,7 +168,7 @@ const removeAllChatMessages = async (req: Request, res: Response, next: NextFunc
         const chatflowid = req.params.id
         const chatflow = await chatflowsService.getChatflowById(req.params.id, workspaceId)
         if (!chatflow) {
-            return res.status(404).send(`Chatflow ${req.params.id} not found`)
+            return res.status(404).send('Chatflow not found')
         }
         const flowData = chatflow.flowData
         const parsedFlowData: IReactFlowObject = JSON.parse(flowData)

packages/server/src/controllers/chatflows/index.ts

@@ -181,7 +181,7 @@ const updateChatflow = async (req: Request, res: Response, next: NextFunction) =
         }
         const chatflow = await chatflowsService.getChatflowById(req.params.id, workspaceId)
         if (!chatflow) {
-            return res.status(404).send(`Chatflow ${req.params.id} not found`)
+            return res.status(404).send('Chatflow not found')
         }
         const orgId = req.user?.activeOrganizationId
         if (!orgId) {

packages/server/src/controllers/nvidia-nim/index.ts

@@ -45,7 +45,7 @@ const pullImage = async (req: Request, res: Response, next: NextFunction) => {
         const imageTag = req.body.imageTag
         const apiKey = req.body.apiKey
         await NimContainerManager.pullImage(imageTag, apiKey)
-        return res.send(`Pulling image ${imageTag}`)
+        return res.send('Pulling image')
     } catch (error) {
         next(error)
     }
@@ -62,7 +62,7 @@ const startContainer = async (req: Request, res: Response, next: NextFunction) =
             return res.status(400).send('nimRelaxMemConstraints must be 0 or 1')
         }
         await NimContainerManager.startContainer(imageTag, apiKey, hostPort, nimRelaxMemConstraints)
-        return res.send(`Starting container ${imageTag}`)
+        return res.send('Starting container')
     } catch (error) {
         next(error)
     }
@@ -74,7 +74,7 @@ const getImage = async (req: Request, res: Response, next: NextFunction) => {
         const images = await NimContainerManager.userImageLibrary()
         const image = images.find((img: any) => img.tag === imageTag)
         if (!image) {
-            return res.status(404).send(`Image ${imageTag} not found`)
+            return res.status(404).send('Image not found')
         }
         return res.json(image)
     } catch (error) {
@@ -91,7 +91,7 @@ const getContainer = async (req: Request, res: Response, next: NextFunction) =>
         const images = await NimContainerManager.userImageLibrary()
         const image = images.find((img: any) => img.tag === imageTag)
         if (!image) {
-            return res.status(404).send(`Image ${imageTag} not found`)
+            return res.status(404).send('Image not found')
         }
 
         const containers = await NimContainerManager.listRunningContainers()
@@ -103,14 +103,14 @@ const getContainer = async (req: Request, res: Response, next: NextFunction) =>
                 return res.json(portInUse)
             } else {
                 return res.status(409).send({
-                    message: `Port ${port} is already in use by another container`,
+                    message: 'Port is already in use by another container',
                     container: portInUse
                 })
             }
         }
 
         // If no container found with matching port, return 404
-        return res.status(404).send(`Container of ${imageTag} with port ${port} not found`)
+        return res.status(404).send('Container not found')
     } catch (error) {
         next(error)
     }

packages/server/src/controllers/variables/index.ts

@@ -88,7 +88,7 @@ const updateVariable = async (req: Request, res: Response, next: NextFunction) =
         }
         const variable = await variablesService.getVariableById(req.params.id, workspaceId)
         if (!variable) {
-            return res.status(404).send(`Variable ${req.params.id} not found in the database`)
+            return res.status(404).send('Variable not found in the database')
         }
         const body = req.body
         const updatedVariable = new Variable()

packages/server/src/routes/oauth2/templates.ts

@@ -5,6 +5,13 @@
  * The templates provide consistent styling and behavior for success and error pages.
  */
 
+/**
+ * Escapes HTML special characters to prevent XSS attacks
+ */
+const escapeHtml = (unsafe: string): string => {
+    return unsafe.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;').replace(/'/g, '&#039;')
+}
+
 export interface OAuth2PageOptions {
     title: string
     statusIcon: string
@@ -20,11 +27,18 @@ export interface OAuth2PageOptions {
 export const generateOAuth2ResponsePage = (options: OAuth2PageOptions): string => {
     const { title, statusIcon, statusText, statusColor, message, details, postMessageType, postMessageData, autoCloseDelay } = options
 
+    // Escape all user-controlled content to prevent XSS
+    const safeTitle = escapeHtml(title)
+    const safeStatusIcon = escapeHtml(statusIcon)
+    const safeStatusText = escapeHtml(statusText)
+    const safeMessage = escapeHtml(message)
+    const safeDetails = details ? escapeHtml(details) : undefined
+
     return `
         <!DOCTYPE html>
         <html>
         <head>
-            <title>${title}</title>
+            <title>${safeTitle}</title>
             <style>
                 body {
                     font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif;
@@ -65,9 +79,9 @@ export const generateOAuth2ResponsePage = (options: OAuth2PageOptions): string =
         </head>
         <body>
             <div class="container">
-                <div class="status">${statusIcon} ${statusText}</div>
-                <div class="message">${message}</div>
-                ${details ? `<div class="details">${details}</div>` : ''}
+                <div class="status">${safeStatusIcon} ${safeStatusText}</div>
+                <div class="message">${safeMessage}</div>
+                ${safeDetails ? `<div class="details">${safeDetails}</div>` : ''}
             </div>
             <script>
                 // Notify parent window
@@ -81,7 +95,7 @@ export const generateOAuth2ResponsePage = (options: OAuth2PageOptions): string =
                 } catch (error) {
                     console.log('Could not notify parent window:', error);
                 }
-                
+
                 // Close window after delay
                 setTimeout(function() {
                     window.close();