Try to fix some security issues.

Thanks to responsible security disclosure contributors and xet7 !
2025-09-22 01:50:48 +02:00 · 2023-02-20 01:21:33 +02:00 · 2023-02-20 01:21:33 +02:00 · ff993e7c91
commit ff993e7c91
parent b349ecbdf7
9 changed files with 4272 additions and 2291 deletions
--- a/client/components/activities/activities.js
+++ b/client/components/activities/activities.js
@ -1,4 +1,4 @@
-import DOMPurify from 'dompurify';
+import DOMPurify from 'isomorphic-dompurify';
 import { TAPi18n } from '/imports/i18n';
 const activitiesPerPage = 500;
--- a/client/components/cards/attachments.jade
+++ b/client/components/cards/attachments.jade
@ -34,22 +34,22 @@ template(name="attachmentsGalery")
  .attachments-galery
    each attachments
      .attachment-item
-        a.attachment-thumbnail.swipebox(href="{{link}}" title="{{name}}")
+        a.attachment-thumbnail.swipebox(href="{{link}}" title="{{sanitize name}}")
          if link
            if isImage
-              img.attachment-thumbnail-img(src="{{link}}")
+              img.attachment-thumbnail-img(src="{{link}}" title="{{sanitize name}}")
            else if($eq extension 'mp3')
-                video(width="100%" height="100%" controls="true")
+              video(width="100%" height="100%" title="{{sanitize name}}" controls="true")
-                  source(src="{{link}}" type="audio/mpeg")
+                source(src="{{link}}" type="audio/mpeg")
            else if($eq extension 'ogg')
-                video(width="100%" height="100%" controls="true")
+              video(width="100%" height="100%" title="{{sanitize name}}" controls="true")
-                  source(src="{{link}}" type="video/ogg")
+                source(src="{{link}}" type="video/ogg")
            else if($eq extension 'webm')
-                video(width="100%" height="100%" controls="true")
+              video(width="100%" height="100%" title="{{sanitize name}}" controls="true")
-                  source(src="{{link}}" type="video/webm")
+                source(src="{{link}}" type="video/webm")
            else if($eq extension 'mp4')
-                video(width="100%" height="100%" controls="true")
+              video(width="100%" height="100%" title="{{sanitize name}}" controls="true")
-                  source(src="{{link}}" type="video/mp4")
+                source(src="{{link}}" type="video/mp4")
            else
              span.attachment-thumbnail-ext= extension
        p.attachment-details
--- a/client/components/cards/attachments.js
+++ b/client/components/cards/attachments.js
@ -1,4 +1,5 @@
 import { ObjectID } from 'bson';
 import DOMPurify from 'isomorphic-dompurify';
 const filesize = require('filesize');
 const prettyMilliseconds = require('pretty-ms');
@ -21,6 +22,9 @@ Template.attachmentsGalery.helpers({
    const ret = filesize(size);
    return ret;
  },
  sanitize(value) {
    return DOMPurify.sanitize(value);
  },
 });
 Template.cardAttachmentsPopup.onCreated(function() {
@ -49,6 +53,10 @@ Template.cardAttachmentsPopup.events({
      let uploads = [];
      for (const file of files) {
        const fileId = new ObjectID().toString();
        // If filename is not same as sanitized filename, has XSS, then cancel upload
        if (file.name !== DOMPurify.sanitize(file.name)) {
          return false;
        }
        const config = {
          file: file,
          fileId: fileId,
--- a/client/components/main/editor.js
+++ b/client/components/main/editor.js
@ -283,7 +283,7 @@ BlazeComponent.extendComponent({
  }
 }).register('editor');
-import DOMPurify from 'dompurify';
+import DOMPurify from 'isomorphic-dompurify';
 // Additional  safeAttrValue function to allow for other specific protocols
 // See https://github.com/leizongmin/js-xss/issues/52#issuecomment-241354114
--- a/models/attachments.js
+++ b/models/attachments.js
@ -6,6 +6,7 @@ import fs from 'fs';
 import path from 'path';
 import { AttachmentStoreStrategyFilesystem, AttachmentStoreStrategyGridFs, AttachmentStoreStrategyS3 } from '/models/lib/attachmentStoreStrategy';
 import FileStoreStrategyFactory, {moveToStorage, rename, STORAGE_NAME_FILESYSTEM, STORAGE_NAME_GRIDFS, STORAGE_NAME_S3} from '/models/lib/fileStoreStrategy';
 import DOMPurify from 'isomorphic-dompurify';
 let attachmentUploadExternalProgram;
 let attachmentUploadMimeTypes = [];
@ -149,9 +150,11 @@ if (Meteor.isServer) {
    renameAttachment(fileObjId, newName) {
      check(fileObjId, String);
      check(newName, String);
-
+      // If new name is same as sanitized name, does not have XSS, allow rename file
-      const fileObj = Attachments.findOne({_id: fileObjId});
+      if (newName === DOMPurify.sanitize(newName)) {
-      rename(fileObj, newName, fileStoreStrategyFactory);
+        const fileObj = Attachments.findOne({_id: fileObjId});
        rename(fileObj, newName, fileStoreStrategyFactory);
      }
    },
    validateAttachment(fileObjId) {
      check(fileObjId, String);
--- a/models/users.js
+++ b/models/users.js
@ -2499,6 +2499,7 @@ if (Meteor.isServer) {
        Accounts.destroyToken(userId, token);
        data.message = 'Delete token: [' + token + '] from user: ' + userId;
      } else if (userId) {
        check(userId, String);
        Users.update(
          {
            _id: userId,
--- a/package-lock.json
+++ b/package-lock.json
--- a/package.json
+++ b/package.json
@ -41,6 +41,7 @@
    "filesize": "^8.0.7",
    "i18next": "^21.6.16",
    "i18next-sprintf-postprocessor": "^0.2.2",
    "isomorphic-dompurify": "^1.0.0",
    "jquery": "^2.2.4",
    "jquery-ui": "^1.13.0",
    "jquery-ui-touch-punch": "^0.2.3",
--- a/packages/markdown/src/template-integration.js
+++ b/packages/markdown/src/template-integration.js
@ -1,4 +1,4 @@
-import DOMPurify from 'dompurify';
+import DOMPurify from 'isomorphic-dompurify';
 var Markdown = require('markdown-it')({
  html: true,