Commit 53e401e
fix(ocr): sanitize Graph validationToken echo to prevent reflected XSS
CodeQL js/reflected-xss (high) flagged AI/ocr/server/onReceiptAdded.ts:
the Microsoft Graph subscription validationToken from req.query was echoed
straight into the HTTP response body. Although the response is sent as
text/plain, a user-controlled value reflected verbatim is a reflected XSS
sink (browsers can MIME-sniff, and the value is attacker influenceable).
Graph requires the opaque, URL-safe validationToken to be echoed back to
complete the subscription handshake, so strip any character outside the
token's known-safe set (base64url/base64) before reflecting it. This is a
no-op for legitimate tokens while removing the characters needed for XSS.
Also set X-Content-Type-Options: nosniff as defense in depth.
Verified on Windows (Node 24): backend builds; validate-sample.ps1 backend
smoke passes; a legitimate token echoes verbatim (handshake intact) while
'<script>alert(1)</script>' is returned as 'scriptalert1/script' (angle
brackets stripped).
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>1 parent 1cc264d commit 53e401e
1 file changed
Lines changed: 14 additions & 1 deletion
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
6 | 6 | | |
7 | 7 | | |
8 | 8 | | |
| 9 | + | |
| 10 | + | |
| 11 | + | |
| 12 | + | |
| 13 | + | |
| 14 | + | |
| 15 | + | |
| 16 | + | |
9 | 17 | | |
10 | 18 | | |
11 | 19 | | |
12 | | - | |
| 20 | + | |
| 21 | + | |
| 22 | + | |
| 23 | + | |
| 24 | + | |
| 25 | + | |
13 | 26 | | |
14 | 27 | | |
15 | 28 | | |
| |||
0 commit comments