Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore: add warn log for sanitisation for overridden config #521

Merged
merged 1 commit into from
Aug 11, 2023
+19 −7
Merged

chore: add warn log for sanitisation for overridden config #521

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions ilc/server/app.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -119,6 +119,7 @@ module.exports = (registryService, pluginManager, context) => {
const overrideConfigs = parseOverrideConfig(
req.headers.cookie,
registryConfig.settings.overrideConfigTrustedOrigins,
logger,
);
// Excluding LDE related transactions from NewRelic
if (overrideConfigs !== null) {
Expand Down
18 changes: 12 additions & 6 deletions ilc/server/tailor/parse-override-config.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -42,17 +42,23 @@ const isTrustedOrigin = (link, trustedOrigins) => {
});
};

const sanitizeSpoofedLinks = (obj, trustedOrigins) => {
const sanitizeSpoofedLinks = (obj, trustedOrigins, logger) => {
Object.entries(obj).forEach(([key, value]) => {
if (_.isPlainObject(value)) {
sanitizeSpoofedLinks(value, trustedOrigins);
sanitizeSpoofedLinks(value, trustedOrigins, logger);
} else if (typeof value === 'string' && isUrl(value.trim())) {
!isPrivateNetwork(value) && !isTrustedOrigin(value, trustedOrigins) && delete obj[key];
if (!isPrivateNetwork(value) && !isTrustedOrigin(value, trustedOrigins)) {
if (logger) {
logger.warn(`Sanitized untrusted url from override config. key = ${key}, value = ${value}`);
}

delete obj[key];
}
}
});
};

module.exports = (cookie, trustedOrigins) => {
module.exports = (cookie, trustedOrigins, logger) => {
try {
let overrideConfig =
typeof cookie === 'string' && cookie.split(';').find((n) => n.trim().startsWith('ILC-overrideConfig'));
Expand All @@ -75,11 +81,11 @@ module.exports = (cookie, trustedOrigins) => {
typeof trustedOrigins === 'string' && trustedOrigins.split(',').map((n) => n.trim());

if (overrideConfig.apps) {
sanitizeSpoofedLinks(overrideConfig.apps, parsedTrustedOrigin);
sanitizeSpoofedLinks(overrideConfig.apps, parsedTrustedOrigin, logger);
}

if (overrideConfig.sharedLibs) {
sanitizeSpoofedLinks(overrideConfig.sharedLibs, parsedTrustedOrigin);
sanitizeSpoofedLinks(overrideConfig.sharedLibs, parsedTrustedOrigin, logger);
}
}

Expand Down
7 changes: 6 additions & 1 deletion ilc/server/tailor/parse-override-config.spec.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,5 @@
import { expect } from 'chai';
import sinon from 'sinon';
const LZUTF8 = require('lzutf8');
const parseOverrideConfig = require('./parse-override-config');

Expand Down Expand Up @@ -283,8 +284,12 @@ describe('overrideConfig', () => {
it('should sanitize domain names', async () => {
const ip = 'foo.com';
const exampleCookies = getExampleCookies(ip);
const logger = {
warn: sinon.spy(),
};

expect(parseOverrideConfig(exampleCookies)).deep.equal(getSanitizedObject());
expect(parseOverrideConfig(exampleCookies, undefined, logger)).deep.equal(getSanitizedObject());
expect(logger.warn.called).to.be.true;
});

it('should sanitize url w/ spaces', async () => {
Expand Down
Loading