From ce64f22e0501a2055f784f0e53891b7efd0e1364 Mon Sep 17 00:00:00 2001 From: himaniraghav3 Date: Thu, 19 Dec 2024 17:09:08 +0530 Subject: [PATCH 1/2] PM-198_fix_reflected_XSS --- package.json | 3 ++- src/server/services/mmLeaderboard.js | 6 ++++-- src/server/services/recruitCRM.js | 6 ++++-- 3 files changed, 10 insertions(+), 5 deletions(-) diff --git a/package.json b/package.json index 45c9302fe6..7094dff78c 100644 --- a/package.json +++ b/package.json @@ -172,7 +172,8 @@ "url-parse": "^1.4.1", "uuid": "^3.3.2", "valid-url": "^1.0.9", - "xml2json": "^0.11.2" + "xml2json": "^0.11.2", + "xss": "^1.0.15" }, "devDependencies": { "@commitlint/cli": "^8.3.5", diff --git a/src/server/services/mmLeaderboard.js b/src/server/services/mmLeaderboard.js index b3d812ec75..286e3c14da 100644 --- a/src/server/services/mmLeaderboard.js +++ b/src/server/services/mmLeaderboard.js @@ -3,6 +3,7 @@ * Server-side functions necessary for effective integration with MMLeaderboard */ import { services } from 'topcoder-react-lib'; +import xss from 'xss'; const { api, submissions } = services; @@ -17,13 +18,14 @@ export default class MMLService { */ async getLeaderboard(req, res, next) { try { + const sanitizedId = xss(req.params.id); const m2mToken = await api.getTcM2mToken(); const subSrv = submissions.getService(m2mToken); const reviewIds = await subSrv.getScanReviewIds(); const v5api = api.getApiV5(m2mToken); - const subs = await v5api.get(`/submissions?challengeId=${req.params.id}&page=1&perPage=500`); + const subs = await v5api.get(`/submissions?challengeId=${sanitizedId}&page=1&perPage=500`); return res.send({ - id: req.params.id, + id: sanitizedId, subs: await subs.json(), reviewIds, }); diff --git a/src/server/services/recruitCRM.js b/src/server/services/recruitCRM.js index 87324ea2ba..f092412ef4 100644 --- a/src/server/services/recruitCRM.js +++ b/src/server/services/recruitCRM.js @@ -7,6 +7,7 @@ import qs from 'qs'; import _ from 'lodash'; import { logger, services } from 'topcoder-react-lib'; import Joi from 'joi'; +import xss from 'xss'; import { sendEmailDirect } from './sendGrid'; // import GSheetService from './gSheet'; @@ -186,7 +187,8 @@ export default class RecruitCRMService { */ async getJob(req, res, next) { try { - const response = await fetch(`${this.private.baseUrl}/v1/jobs/${req.params.id}`, { + const sanitizedId = xss(req.params.id); + const response = await fetch(`${this.private.baseUrl}/v1/jobs/${sanitizedId}`, { method: 'GET', headers: { 'Content-Type': req.headers['content-type'], @@ -201,7 +203,7 @@ export default class RecruitCRMService { const error = { error: true, status: response.status, - url: `${this.private.baseUrl}/v1/jobs/${req.params.id}`, + url: `${this.private.baseUrl}/v1/jobs/${sanitizedId}`, errObj: await response.json(), }; logger.error(error); From b6545c12e39180be6dd49d5e52d29d13b2bcd857 Mon Sep 17 00:00:00 2001 From: himaniraghav3 Date: Wed, 8 Jan 2025 18:19:49 +0530 Subject: [PATCH 2/2] validate input --- src/server/services/recruitCRM.js | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/server/services/recruitCRM.js b/src/server/services/recruitCRM.js index f092412ef4..801232d575 100644 --- a/src/server/services/recruitCRM.js +++ b/src/server/services/recruitCRM.js @@ -188,6 +188,10 @@ export default class RecruitCRMService { async getJob(req, res, next) { try { const sanitizedId = xss(req.params.id); + + if (!/^[a-zA-Z0-9-_]{8,20}$/.test(sanitizedId)) { + return res.status(400).json({ error: 'Invalid job ID format.' }); + } const response = await fetch(`${this.private.baseUrl}/v1/jobs/${sanitizedId}`, { method: 'GET', headers: {