Sanitize html for note fields of tickets, users and organizations.

2019-02-12 08:38:59 +01:00 · 2019-02-12 08:38:59 +01:00 · dabce01ec2
parent f28cd627f8
commit dabce01ec2
7 changed files with 28 additions and 0 deletions
--- a/app/models/organization.rb
+++ b/app/models/organization.rb
@ -7,6 +7,7 @@ class Organization < ApplicationModel
  include HasHistory
  include HasSearchIndexBackend
  include CanCsvImport
+  include ChecksHtmlSanitized

  include Organization::ChecksAccess
  include Organization::Assets
@ -22,6 +23,8 @@ class Organization < ApplicationModel

  activity_stream_permission 'admin.role'

+  sanitized_html :note
+
  private

  def domain_cleanup
--- a/app/models/ticket.rb
+++ b/app/models/ticket.rb
@ -6,6 +6,7 @@ class Ticket < ApplicationModel
  include ChecksClientNotification
  include ChecksLatestChangeObserved
  include CanCsvImport
+  include ChecksHtmlSanitized
  include HasHistory
  include HasTags
  include HasSearchIndexBackend
@ -56,6 +57,8 @@ class Ticket < ApplicationModel

  history_relation_object 'Ticket::Article'

+  sanitized_html :note
+
  belongs_to    :group
  belongs_to    :organization
  has_many      :articles,               class_name: 'Ticket::Article', after_add: :cache_update, after_remove: :cache_update, dependent: :destroy, inverse_of: :ticket
--- a/app/models/user.rb
+++ b/app/models/user.rb
@ -6,6 +6,7 @@ class User < ApplicationModel
  include HasHistory
  include HasSearchIndexBackend
  include CanCsvImport
+  include ChecksHtmlSanitized
  include HasGroups
  include HasRoles

@ -66,6 +67,8 @@ class User < ApplicationModel
                         :groups,
                         :user_groups

+  sanitized_html :note
+
  def ignore_search_indexing?(_action)
    # ignore internal user
    return true if id == 1
--- a/spec/models/concerns/has_xss_sanitized_note_examples.rb
+++ b/spec/models/concerns/has_xss_sanitized_note_examples.rb
@ -0,0 +1,10 @@
+RSpec.shared_examples 'HasXssSanitizedNote' do |model_factory:|
+  describe 'XSS prevention' do
+    context 'with injected JS' do
+      subject { create(model_factory, note: 'test 123 <script type="text/javascript">alert("XSS!");</script> <b>some text</b>') }
+      it 'strips out <script> tag' do
+        expect(subject.note).to eq('test 123 alert("XSS!"); <b>some text</b>')
+      end
+    end
+  end
+end
--- a/spec/models/organization_spec.rb
+++ b/spec/models/organization_spec.rb
@ -1,10 +1,12 @@
 require 'rails_helper'
 require 'models/concerns/can_lookup_examples'
 require 'models/concerns/has_search_index_backend_examples'
+require 'models/concerns/has_xss_sanitized_note_examples'

 RSpec.describe Organization, type: :model do
  it_behaves_like 'CanLookup'
  it_behaves_like 'HasSearchIndexBackend', indexed_factory: :organization
+  it_behaves_like 'HasXssSanitizedNote', model_factory: :organization

  describe '.where_or_cis' do
    it 'finds instance by querying multiple attributes case insensitive' do
@ -13,4 +15,5 @@ RSpec.describe Organization, type: :model do
      expect(organizations).not_to be_blank
    end
  end
+
 end
--- a/spec/models/ticket_spec.rb
+++ b/spec/models/ticket_spec.rb
@ -2,11 +2,13 @@ require 'rails_helper'
 require 'models/application_model_examples'
 require 'models/concerns/can_be_imported_examples'
 require 'models/concerns/can_lookup_examples'
+require 'models/concerns/has_xss_sanitized_note_examples'

 RSpec.describe Ticket, type: :model do
  it_behaves_like 'ApplicationModel'
  it_behaves_like 'CanBeImported'
  it_behaves_like 'CanLookup'
+  it_behaves_like 'HasXssSanitizedNote', model_factory: :ticket

  subject(:ticket) { create(:ticket) }

@ -378,4 +380,5 @@ RSpec.describe Ticket, type: :model do
      end
    end
  end
+
 end
--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@ -3,6 +3,7 @@ require 'models/application_model_examples'
 require 'models/concerns/has_groups_examples'
 require 'models/concerns/has_roles_examples'
 require 'models/concerns/has_groups_permissions_examples'
+require 'models/concerns/has_xss_sanitized_note_examples'
 require 'models/concerns/can_be_imported_examples'
 require 'models/concerns/can_lookup_examples'

@ -10,6 +11,7 @@ RSpec.describe User do
  it_behaves_like 'ApplicationModel'
  it_behaves_like 'HasGroups', group_access_factory: :agent_user
  it_behaves_like 'HasRoles', group_access_factory: :agent_user
+  it_behaves_like 'HasXssSanitizedNote', model_factory: :user
  it_behaves_like 'HasGroups and Permissions', group_access_no_permission_factory: :user
  it_behaves_like 'CanBeImported'
  it_behaves_like 'CanLookup'
@ -831,4 +833,5 @@ RSpec.describe User do
      end
    end
  end
+
 end