fix: RT-360- VAPT malicious src urls

shreya-kamble · shreya-kamble · commit 51c0960151d1 · 2025-01-09T11:23:26.000+05:30
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -49,6 +49,7 @@
   },
   "dependencies": {
     "array-flat-polyfill": "^1.0.1",
+    "dompurify": "^3.2.3",
     "lodash": "^4.17.21",
     "lodash.clonedeep": "^4.5.0",
     "lodash.flatten": "^4.4.0",
diff --git a/src/toRedactor.tsx b/src/toRedactor.tsx
@@ -1,6 +1,6 @@
 import kebbab from 'lodash.kebabcase'
 import isEmpty from 'lodash.isempty'
-
+import DOMPurify from 'dompurify'
 import {IJsonToHtmlElementTags, IJsonToHtmlOptions, IJsonToHtmlTextTags} from './types'
 import isPlainObject from 'lodash.isplainobject'
 
@@ -494,6 +494,15 @@ export const toRedactor = (jsonValue: any,options?:IJsonToHtmlOptions) : string
         }
         figureStyles.fieldsEdited.push(figureStyles.caption)
       }
+      if (jsonValue['type'] === 'social-embeds') {
+        const sanitizedHTML = DOMPurify.sanitize(allattrs['src'])
+        const urlMatch:any = sanitizedHTML.match(/https?:\/\/[^\s"'>]+/);
+        if (urlMatch && urlMatch[0] !== 'undefined') {
+        attrsJson['src'] = decodeURIComponent(urlMatch[0])
+        } else{
+          attrsJson['src'] = " "
+        }
+      }
       if(!(options?.customElementTypes && !isEmpty(options.customElementTypes) && options.customElementTypes[jsonValue['type']])) {
         delete attrsJson['url']
       }
diff --git a/test/expectedJson.ts b/test/expectedJson.ts
@@ -1999,6 +1999,83 @@ export default {
             }
         ],
         "htmlUpdated": "<p></p><img asset_uid=\"blt5523ee02703e39f5\" src=\"https://images.com/captain_pardip.jpg\" width=\"24.193548387096776\" height=\"auto\" style=\"width: 24.193548387096776%; height: auto;height: auto;\" type=\"asset\" sys-style-type=\"download\"/><p></p><iframe src=\"https://www.***REMOVED***.com/embed/CSvFpBOe8eY\"></iframe><img asset_uid=\"blta2aad0332073026c\" src=\"https://images.com/logo_1.jpg\" height=\"auto\" type=\"asset\" sys-style-type=\"download\"/>"
+    },
+    "RT-360":{  
+        "html": [
+            `<iframe src="https://www.youtube.com/embed/VD6xJq8NguY" width="560" height="320" data-type="social-embeds" ></iframe>`,
+            `<iframe src=" " width="560" height="320" data-type="social-embeds" ></iframe>`,
+            '<iframe src=" " width="560" height="320" data-type="social-embeds" ></iframe>',
+        ],
+        "json": 
+        [
+            {
+                "type": "doc",
+                "attrs": {},
+                "uid": "18396bf67f1f4b0a9da57643ac0542ca",
+                "children": [
+                    {
+                        "uid": "45a850acbeb949db86afe415625ad1ce",
+                        "type": "social-embeds",
+                        "attrs": {
+                            "src": "https://www.youtube.com/embed/VD6xJq8NguY\"></iframe><script>alert(document.cookie)</script><iframe ",
+                            "width": 560,
+                            "height": 320
+                        },
+                        "children": [
+                            {
+                                "text": ""
+                            }
+                        ]
+                    }
+                ],
+                "_version": 1
+            },
+            {
+                "type": "doc",
+                "attrs": {},
+                "uid": "18396bf67f1f4b0a9da57643ac0542ca",
+                "children": [
+                  {
+                    "uid": "45a850acbeb949db86afe415625ad1ce",
+                    "type": "social-embeds",
+                    "attrs": {
+                      "src": null, 
+                      "width": 560,
+                      "height": 320
+                    },
+                    "children": [
+                      {
+                        "text": ""
+                      }
+                    ]
+                  }
+                ],
+                "_version": 1
+            },
+            {
+                "type": "doc",
+                "attrs": {},
+                "uid": "18396bf67f1f4b0a9da57643ac0542ca",
+                "children": [
+                  {
+                    "uid": "45a850acbeb949db86afe415625ad1ce",
+                    "type": "social-embeds",
+                    "attrs": {
+                      "src": "www.youtube.com/embed/VD6xJq8NguY",
+                      "width": 560,
+                      "height": 320
+                    },
+                    "children": [
+                      {
+                        "text": ""
+                      }
+                    ]
+                  }
+                ],
+                "_version": 1
+            }
+        ]    
+        
     }
      
 }
diff --git a/test/toRedactor.test.ts b/test/toRedactor.test.ts
@@ -248,5 +248,25 @@ describe("Testing json to html conversion", () => {
       const html = toRedactor(json);
       expect(html).toBe(`<iframe src="https://www.***REMOVED***.com/embed/3V-Sq7_uHXQ" width="560" height="320" data-type="social-embeds" ></iframe>`);
     })
+
+    describe("RT-360", () =>{
+      it("should remove script and/or other tags from src links in HTML for social-embeds", () => {
+        const json = expectedValue["RT-360"].json[0]
+        const html = toRedactor(json);
+        expect(html).toBe(expectedValue["RT-360"].html[0]);
+      })
+
+      it("should handle undefined or null cases",()=>{
+        const json = expectedValue["RT-360"].json[1]
+        const html = toRedactor(json);
+        expect(html).toBe(expectedValue["RT-360"].html[1]);
+      })
+
+      it("should handle src without protocol",()=>{
+        const json = expectedValue["RT-360"].json[2]
+        const html = toRedactor(json);
+        expect(html).toBe(expectedValue["RT-360"].html[2]);
+      })
+    })
 })
 
