Merge pull request #53 from iFixit/fix/security-hardening

Security Hardening

Author: ardelato

app/Http/Controllers/GroupController.php

@@ -376,7 +376,7 @@ public function postSendInvite(Request $request): RedirectResponse
 
         // Don't log to Sentry - legitimate user error.
         return redirect()->back()->with('warning', __('groups.invite_success_apart_from', [
-            'emails' => rtrim(implode(', ', $not_sent))
+            'emails' => e(rtrim(implode(', ', $not_sent)))
         ]));
     }
 

app/Http/Controllers/PartyController.php

@@ -704,7 +704,7 @@ public function postSendInvite(Request $request): RedirectResponse
 
             // Don't log to Sentry - legitimate user error.
             return redirect()->back()->with('warning', __('events.invite_invalid_emails', [
-                'emails' => implode(', ', $not_sent)
+                'emails' => e(implode(', ', $not_sent))
             ]));
         }
 

app/Models/Alert.php

@@ -8,6 +8,7 @@
 use Illuminate\Support\Facades\Lang;
 use Illuminate\Support\Facades\Log;
 use OwenIt\Auditing\Contracts\Auditable;
+use Stevebauman\Purify\Facades\Purify;
 
 class Alert extends Model implements Auditable
 {
@@ -32,4 +33,9 @@ class Alert extends Model implements Auditable
         'end',
         'variant'
     ];
+
+    public function setHtmlAttribute($value)
+    {
+        $this->attributes['html'] = $value === null ? null : Purify::clean((string) $value);
+    }
 }

config/purify.php

@@ -49,6 +49,7 @@
                 'http' => true,
                 'https' => true,
                 'mailto' => true,
+                'tel' => true,
             ],
             'AutoFormat.AutoParagraph' => false,
             'AutoFormat.RemoveEmpty' => false,

package-lock.json

@@ -18,11 +18,12 @@
         "@playwright/test": "^1.14.1",
         "@vue/test-utils": "^1.3.6",
         "@vue/vue2-jest": "^28.1.0",
-        "axios": "^1.6.4",
+        "axios": "^1.15.2",
         "babel-jest": "^28.1.0",
         "bootstrap": "^4.6.1",
         "browser-sync": "^2.27.11",
         "browser-sync-webpack-plugin": "^2.3.0",
+        "concurrently": "^9.0.1",
         "faker": "^5.5.3",
         "jest": "^28.1.0",
         "jest-environment-jsdom": "^28.1.0",
@@ -44,7 +45,6 @@
         "vue": "^2.7.14",
         "vue-loader": "^15.10.1",
         "vue-template-compiler": "^2.7.14",
-        "concurrently": "^9.0.1",
         "webpack-shell-plugin-next": "^2.3.1"
     },
     "dependencies": {

package.json

@@ -10,7 +10,7 @@
               <!-- <span class='badge badge-warning'>NEW!</span> -->
               <strong>{{ alert.title }}</strong>
             </div>
-            <div v-html="alert.html" />
+            <div v-html="sanitize(alert.html)" />
           </div>
         </div>
 
@@ -24,6 +24,7 @@
 </template>
 <script>
 import moment from 'moment'
+import DOMPurify from 'dompurify'
 
 export default {
   computed: {
@@ -53,6 +54,9 @@ export default {
     await this.$store.dispatch('alerts/fetch')
   },
   methods: {
+    sanitize(html) {
+      return DOMPurify.sanitize(html)
+    },
     dismissed(id) {
       try {
         localStorage.setItem('alert-' + id, true)

resources/js/components/AlertBanner.vue

@@ -66,6 +66,7 @@
 <script>
 import group from '../mixins/group'
 import ConfirmModal from './ConfirmModal'
+import { escapeHtml } from '../helpers/escapeHtml'
 
 export default {
   components: { ConfirmModal },
@@ -100,11 +101,7 @@ export default {
     }
   },
   methods: {
-    escapeHtml(str) {
-      const el = document.createElement('span')
-      el.textContent = str
-      return el.innerHTML
-    },
+    escapeHtml,
     leaveGroup() {
       this.$refs.confirmLeave.show()
     },

resources/js/components/GroupActions.vue

@@ -60,6 +60,7 @@ import GroupDevicesMostRepaired from './GroupDevicesMostRepaired'
 import GroupDevicesBreakdown from './GroupDevicesBreakdown'
 import AlertBanner from './AlertBanner'
 import auth from '../mixins/auth'
+import { escapeHtml } from '../helpers/escapeHtml'
 
 export default {
   components: {
@@ -160,11 +161,7 @@ export default {
     }
   },
   methods: {
-    escapeHtml(str) {
-      const el = document.createElement('span')
-      el.textContent = str
-      return el.innerHTML
-    },
+    escapeHtml,
   },
   computed: {
     group() {

resources/js/components/GroupPage.vue

@@ -69,7 +69,7 @@ export default {
         val_container = val_container.substring(0, this.maxChars) + "...";
       }
 
-      return val_container;
+      return DOMPurify.sanitize(val_container);
     },
     sanitizedHtml() {
       return this.html ? DOMPurify.sanitize(this.html) : null
@@ -84,7 +84,7 @@ export default {
       return this.truncatedHTML ? DOMPurify.sanitize(this.truncatedHTML) : null
     },
     needsTruncating() {
-      if (this.text && (text.length > maxChars)) {
+      if (this.text && (this.text.length > this.maxChars)) {
         return true
       }