
fix: escape error.message on login failure #3695

Merged: 5 commits, Jul 1, 2021

Conversation

@jsjoeio (Contributor) commented Jun 29, 2021

This PR fixes a security issue by sanitizing the error.message before sending it back to the client on a login failure.

Changes

  • add function escapeHtml + tests
  • fix: escape error.message before sending to client on login failure

Checklist

  • tested locally
  • added a test

Fixes #3382

@codecov bot commented Jun 29, 2021

Codecov Report

Merging #3695 (c0e123a) into main (faa896c) will increase coverage by 1.33%.
The diff coverage is 100.00%.


@@            Coverage Diff             @@
##             main    #3695      +/-   ##
==========================================
+ Coverage   60.22%   61.55%   +1.33%     
==========================================
  Files          35       35              
  Lines        1810     1813       +3     
  Branches      365      365              
==========================================
+ Hits         1090     1116      +26     
+ Misses        604      588      -16     
+ Partials      116      109       -7     
Impacted Files             Coverage Δ
src/node/http.ts           46.03% <100.00%> (+11.11%) ⬆️
src/node/routes/login.ts   70.90% <100.00%> (+30.16%) ⬆️
src/node/util.ts           72.16% <100.00%> (+0.28%) ⬆️

Δ = absolute <relative> (impact), ø = not affected, ? = missing data

@jsjoeio jsjoeio force-pushed the jsjoeio-sanitize-error-msg branch from e5c705c to 2e76ae1, June 29, 2021 23:37
@jsjoeio jsjoeio added the security Security related label Jun 29, 2021
@jsjoeio jsjoeio self-assigned this Jun 29, 2021
@jsjoeio jsjoeio modified the milestone: 3.11.0 Jun 29, 2021
@jsjoeio jsjoeio changed the title feat: add escapeHTML function fix: escape HTML on login failure Jun 29, 2021
@jsjoeio jsjoeio changed the title fix: escape HTML on login failure fix: escape error.message on login failure Jun 30, 2021
@jsjoeio jsjoeio force-pushed the jsjoeio-sanitize-error-msg branch from 2e76ae1 to beaf3ce, June 30, 2021 16:53
@jsjoeio jsjoeio marked this pull request as ready for review June 30, 2021 16:54
@jsjoeio jsjoeio requested a review from a team as a code owner June 30, 2021 16:54
@oxy previously approved these changes Jun 30, 2021, leaving this comment:

one small nit; though I'll leave it to you on if you want it to stay as-is or update the code!

@jsjoeio jsjoeio marked this pull request as draft June 30, 2021 17:21
@jsjoeio jsjoeio requested a review from oxy June 30, 2021 17:48
@jsjoeio jsjoeio marked this pull request as ready for review June 30, 2021 17:49
@jsjoeio jsjoeio dismissed oxy’s stale review June 30, 2021 19:34

I had to make additional changes

@jsjoeio jsjoeio force-pushed the jsjoeio-sanitize-error-msg branch from 157abcf to f7e445d, June 30, 2021 21:35
@kylecarbs (Member) left a comment:

🔒

**/
export function escapeHtml(unsafe: string): string {
return unsafe
.replace(/&/g, "&amp;")
A contributor commented on the snippet above:

seems kinda unfortunate that there isn't a built-in function for doing this? I'm always wary of escaping things incorrectly, but this seems reasonable enough

@jsjoeio (author) replied:

Well, it is built-in but:

Although escape() is not strictly deprecated (as in "removed from the Web standards"), it is defined in Annex B of the ECMA-262 standard, whose introduction states:
Programmers should not use or assume the existence of these features and behaviors when writing new ECMAScript code
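As an added example (not code-server's own implementation and not code from this PR), the TypeScript below shows an HTML entity escaper in the shape the reviewed snippet begins with, next to the login-page rendering it is meant to protect: the "before" path that interpolates error.message verbatim, and the "after" path that escapes it first. The names escapeHtml, renderLoginPageUnsafe, renderLoginPage, errorSlotIsText and the LOGIN_TEMPLATE string are assumptions, and the error messages are constructed. Two details a practitioner would want to see checked are included: the ampersand is replaced first so that entities emitted by later replacements are not re-escaped, and the template substitution uses a replacer function so that `$` sequences in the message are not interpreted by String.prototype.replace.

```typescript
// Added example, not code-server's implementation. Names are assumptions.

// Each HTML-significant character and the entity it becomes. The ampersand
// entry must stay first: if "<" were turned into "&lt;" before "&" was
// handled, the "&" of that entity would then be rewritten to "&amp;lt;".
const HTML_ESCAPES: ReadonlyArray<[RegExp, string]> = [
  [/&/g, "&amp;"],
  [/</g, "&lt;"],
  [/>/g, "&gt;"],
  [/"/g, "&quot;"],
  [/'/g, "&#39;"],
];

// Escape a string so the browser displays it as text rather than markup.
// Quotes are covered too, so the result is also safe inside a quoted
// attribute value, not only inside element content.
function escapeHtml(unsafe: string): string {
  return HTML_ESCAPES.reduce(
    (acc, [pattern, entity]) => acc.replace(pattern, entity),
    unsafe,
  );
}

// Constructed stand-in for the login page: {{ERROR}} is the slot the server
// fills with the failure message before sending the page to the client.
const LOGIN_TEMPLATE = `<div class="error">{{ERROR}}</div>`;

// "Before" behaviour described in the PR: the message lands in the page
// verbatim, so any markup it carries is interpreted by the browser.
function renderLoginPageUnsafe(template: string, errorMessage: string): string {
  // A function replacer is used so "$&", "$1" etc. in the message are
  // inserted literally instead of being expanded by replace().
  return template.replace("{{ERROR}}", () => errorMessage);
}

// "After" behaviour: the message is escaped before interpolation.
function renderLoginPage(template: string, errorMessage: string): string {
  return template.replace("{{ERROR}}", () => escapeHtml(errorMessage));
}

// Regression check on the rendered page: once the message has been escaped,
// no raw tag delimiters may remain inside the error element.
function errorSlotIsText(page: string): boolean {
  const m = /<div class="error">([\s\S]*)<\/div>/.exec(page);
  return m !== null && !/[<>]/.test(m[1]);
}

// Constructed message with every character the escaper handles.
const SAMPLE_MESSAGE = `Tom & Jerry <b>"hi"</b> it's`;
console.log(renderLoginPage(LOGIN_TEMPLATE, SAMPLE_MESSAGE));
```

errorSlotIsText is the kind of assertion worth keeping in the test suite beside the escaper itself: it exercises the rendering path, so a future change that drops the escapeHtml call would fail it even if escapeHtml still passes its own unit tests.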

jsjoeio added 5 commits July 1, 2021 10:43
This can be used to escape any special characters in a string with HTML before
sending from the server back to the client. This is important to prevent a
cross-site scripting attack.
@jsjoeio jsjoeio force-pushed the jsjoeio-sanitize-error-msg branch from f7e445d to c0e123a, July 1, 2021 17:43
@jsjoeio jsjoeio enabled auto-merge July 1, 2021 17:43
@jsjoeio jsjoeio disabled auto-merge July 1, 2021 21:36
@jsjoeio jsjoeio enabled auto-merge July 1, 2021 21:36
@jsjoeio jsjoeio disabled auto-merge July 1, 2021 21:36
@jsjoeio jsjoeio merged commit 975dd13 into main Jul 1, 2021
@jsjoeio jsjoeio deleted the jsjoeio-sanitize-error-msg branch July 1, 2021 21:50
Labels: security (Security related)

Linked issue closed by this pull request: Sanitize error messages before writing to login page

4 participants