Merge pull request #192 from Wikia/IW-4876

IW-4876 | Fix XSS in notifacations

Author: Karol Tatała

docs/build/1.7cd9ad06.js

@@ -1 +1 @@
-<!DOCTYPE html><html><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1.0"><meta http-equiv="X-UA-Compatible" content="ie=edge"><title>react-common</title><link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Rubik:300,300i,400,400i,500,500i,700,700i,900,900i&display=swap"></head><body><div id="rsg-root"></div><div id="app"></div><script src="build/bundle.4e3e350e.js"></script></body></html>
+<!DOCTYPE html><html><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1.0"><meta http-equiv="X-UA-Compatible" content="ie=edge"><title>react-common</title><link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Rubik:300,300i,400,400i,500,500i,700,700i,900,900i&display=swap"></head><body><div id="rsg-root"></div><div id="app"></div><script src="build/bundle.a2f5ff66.js"></script></body></html>

docs/build/1.8142c86e.js

@@ -63,6 +63,7 @@
     "@babel/preset-react": "^7.8.3",
     "@rollup/plugin-commonjs": "^11.0.2",
     "@rollup/plugin-node-resolve": "^7.1.1",
+    "@testing-library/react": "^11.2.2",
     "babel-core": "^7.0.0-bridge.0",
     "babel-eslint": "^10.1.0",
     "babel-jest": "^25.1.0",

docs/build/bundle.4e3e350e.js

@@ -1,6 +1,6 @@
 import React, { useContext } from 'react';
 import PropTypes from 'prop-types';
-import { useTranslation, Trans } from 'react-i18next';
+import { useTranslation } from 'react-i18next';
 import get from 'lodash/get';
 
 import {
@@ -18,10 +18,23 @@ function bold(text) {
     return `<b>${text}</b>`;
 }
 
+function escapeHtml(unsafe) {
+    if (!unsafe) {
+        return unsafe;
+    }
+
+    return unsafe
+        .replace(/&/g, '&amp;')
+        .replace(/</g, '&lt;')
+        .replace(/>/g, '&gt;')
+        .replace(/"/g, '&quot;')
+        .replace(/'/g, '&#039;');
+}
+
 const getReplyMessageBody = (translateFunc, { title, totalUniqueActors, latestActors, postTitleMarkup }) => {
     const hasTwoUsers = totalUniqueActors === 2;
     const hasThreeOrMoreUsers = totalUniqueActors > 2;
-    const firstReplierName = get(latestActors, '[0].name');
+    const firstReplierName = escapeHtml(get(latestActors, '[0].name'));
 
     if (title) {
         if (hasThreeOrMoreUsers) {
@@ -35,7 +48,7 @@ const getReplyMessageBody = (translateFunc, { title, totalUniqueActors, latestAc
         if (hasTwoUsers) {
             return translateFunc('notifications-replied-by-two-users-with-title', {
                 firstUser: firstReplierName,
-                secondUser: get(latestActors, '[1].name'),
+                secondUser: escapeHtml(get(latestActors, '[1].name')),
                 postTitle: postTitleMarkup,
             });
         }
@@ -55,7 +68,7 @@ const getReplyMessageBody = (translateFunc, { title, totalUniqueActors, latestAc
     if (hasTwoUsers) {
         return translateFunc('notifications-replied-by-two-users-no-title', {
             firstUser: firstReplierName,
-            secondUser: get(latestActors, '[1].name'),
+            secondUser: escapeHtml(get(latestActors, '[1].name')),
         });
     }
 
@@ -116,16 +129,16 @@ const getReplyUpvoteMessageBody = (translateFunc, { title, totalUniqueActors, po
 
 const getPostAtMentionMessageBody = (translateFunc, { postTitleMarkup, latestActors }) => translateFunc('notifications-reply-at-mention', {
     postTitle: postTitleMarkup,
-    mentioner: get(latestActors, '[0].name'),
+    mentioner: escapeHtml(get(latestActors, '[0].name')),
 });
 
 const getThreadAtMentionMessageBody = (translateFunc, { postTitleMarkup, latestActors }) => translateFunc('notifications-post-at-mention', {
     postTitle: postTitleMarkup,
-    mentioner: get(latestActors, '[0].name'),
+    mentioner: escapeHtml(get(latestActors, '[0].name')),
 });
 
 function getArticleCommentNotificationUsername(t, latestActors) {
-    return get(latestActors, '[0].name') ?? t('notifications-anon-user');
+    return escapeHtml(get(latestActors, '[0].name')) ?? t('notifications-anon-user');
 }
 
 function getArticleCommentReplyMessageBody(t, { userData, refersToAuthorId, latestActors, title }) {
@@ -150,7 +163,8 @@ function getArticleCommentReplyAtMentionMessageBody(t, { latestActors, title })
 }
 
 const getText = (translateFunc, model, userData) => {
-    const { type, snippet, title, totalUniqueActors, latestActors, refersToAuthorId } = model;
+    const { type, snippet, title: dangerousTitle, totalUniqueActors, latestActors, refersToAuthorId } = model;
+    const title = escapeHtml(dangerousTitle);
     const postTitleMarkup = `<b>${title}</b>`;
 
     if (isAnnouncement(type)) {
@@ -197,7 +211,8 @@ const CardText = ({ model }) => {
     const userData = useUserData();
     const text = getText(t, model, userData);
 
-    return <p className="wds-notification-card__text"><Trans t={t}>{text}</Trans></p>;
+    // eslint-disable-next-line react/no-danger
+    return <p className="wds-notification-card__text" dangerouslySetInnerHTML={{ __html: text }} />;
 };
 
 CardText.propTypes = {

docs/build/bundle.a2f5ff66.js

@@ -1,6 +1,6 @@
 import React from 'react';
-import ShallowRenderer from 'react-test-renderer/shallow';
 import merge from 'lodash/merge';
+import { render } from '@testing-library/react';
 
 import { notificationTypes } from '../../models/notificationTypes';
 import { useUserData } from '../../context/UserContext';
@@ -10,7 +10,7 @@ import CardText from './CardText';
 const actorsMock = [
     {
         id: '12345',
-        name: 'ATOB',
+        name: 'ATO<b>B</b>',
         avatarUrl: 'https://static.wikia.nocookie.net/458a839b-8f84-42c2-b9d1-cf8c5a21bd75',
         profileUrl: 'http://localhost:6060/wiki/User:ATOB',
         src: 'https://static.wikia.nocookie.net/458a839b-8f84-42c2-b9d1-cf8c5a21bd75',
@@ -35,6 +35,11 @@ jest.mock('../../context/UserContext', () => ({
     useUserData: jest.fn(),
 }));
 
+jest.mock('react-i18next', () => ({
+    ...jest.requireActual('react-i18next'),
+    useTranslation: () => [jest.fn((key, params) => `${key}${params ? JSON.stringify(params) : ''}`)],
+}));
+
 const defaultProps = {
     track: () => null,
     model: {
@@ -45,20 +50,19 @@ const defaultProps = {
         latestEventUri: 'http://xkxd.wikia.com/d/p/3100000000000001096/r/3086787452863005635',
         snippet: 'some snippet',
         timestamp: 1550663179,
-        title: 'MOAR LIKES',
+        title: 'MOAR <b>LIKES</b>',
         type: notificationTypes.discussionReply,
         totalUniqueActors: actorsMock.length,
         uri: 'http://xkxd.wikia.com/d/p/3100000000000001096',
     },
 };
 
 function renderComponent(props) {
-    const renderer = new ShallowRenderer();
     const computedProps = merge({}, defaultProps, props);
 
-    renderer.render(<CardText {...computedProps} />);
+    const { container } = render(<CardText {...computedProps} />);
 
-    return renderer.getRenderOutput();
+    return container.firstChild;
 }
 
 test('CardText renders correctly with default props', () => {
@@ -223,7 +227,7 @@ describe('Discussion at mentions', () => {
                 type: notificationTypes.postAtMention,
                 latestActors: actorsMock.slice(0, 1),
                 totalUniqueActors: 1,
-                title: 'Post with at mention',
+                title: 'Post with at <b>mention</b>',
             },
         })).toMatchSnapshot();
     });
@@ -234,7 +238,7 @@ describe('Discussion at mentions', () => {
                 type: notificationTypes.threadAtMention,
                 latestActors: actorsMock.slice(0, 1),
                 totalUniqueActors: 1,
-                title: 'Post with at mention',
+                title: 'Post with at <b>mention</b>',
             },
         })).toMatchSnapshot();
     });
@@ -250,7 +254,7 @@ describe('Article Comments', () => {
                 type: notificationTypes.articleCommentReply,
                 latestActors: actorsMock.slice(0, 1),
                 totalUniqueActors: 1,
-                title: 'Article Title',
+                title: 'Article <b>Title</b>',
                 refersToAuthorId: someMockAuthor.id,
             },
         })).toMatchSnapshot();
@@ -265,7 +269,7 @@ describe('Article Comments', () => {
                 type: notificationTypes.articleCommentReply,
                 latestActors: actorsMock.slice(0, 1),
                 totalUniqueActors: 1,
-                title: 'Article Title',
+                title: 'Article <b>Title</b>',
                 refersToAuthorId: '11111',
             },
         })).toMatchSnapshot();
@@ -283,7 +287,7 @@ describe('Article Comments at mentions', () => {
                 type: notificationTypes.articleCommentAtMention,
                 latestActors: actorsMock.slice(0, 1),
                 totalUniqueActors: 1,
-                title: 'Article Title',
+                title: 'Article <b>Title</b>',
             },
         })).toMatchSnapshot();
     });
@@ -294,7 +298,7 @@ describe('Article Comments at mentions', () => {
                 type: notificationTypes.articleCommentReplyAtMention,
                 latestActors: actorsMock.slice(0, 1),
                 totalUniqueActors: 1,
-                title: 'Article Title',
+                title: 'Article <b>Title</b>',
             },
         })).toMatchSnapshot();
     });
@@ -305,7 +309,7 @@ describe('Article Comments at mentions', () => {
                 type: notificationTypes.articleCommentReplyAtMention,
                 latestActors: [{ id: 0, name: null }],
                 totalUniqueActors: 1,
-                title: 'Article Title',
+                title: 'Article <b>Title</b>',
             },
         })).toMatchSnapshot();
     });