From 79c5a23831768c7851068454569675a64184d9f5 Mon Sep 17 00:00:00 2001
From: Pranav C
Date: Mon, 13 May 2024 15:33:50 +0000
Subject: [PATCH 1/2] fix: sanitise workspace/base name in invite email

---
 .../services/base-users/base-users.service.ts | 13 ++++++++-----
 packages/nocodb/src/utils/emailUtils.ts | 19 +++++++++++++++++++
 packages/nocodb/src/utils/index.ts | 1 +
 3 files changed, 28 insertions(+), 5 deletions(-)
 create mode 100644 packages/nocodb/src/utils/emailUtils.ts

diff --git a/packages/nocodb/src/services/base-users/base-users.service.ts b/packages/nocodb/src/services/base-users/base-users.service.ts
index 79fc8e93b6..a15baef5f4 100644
--- a/packages/nocodb/src/services/base-users/base-users.service.ts
+++ b/packages/nocodb/src/services/base-users/base-users.service.ts
@@ -22,6 +22,7 @@ import { Base, BaseUser, User } from '~/models';
 import { MetaTable } from '~/utils/globals';
 import { extractProps } from '~/helpers/extractProps';
 import { getProjectRolePower } from '~/utils/roleHelper';
+import { sanitiseEmailContent } from '~/utils';
 
 @Injectable()
 export class BaseUsersService {
@@ -361,11 +362,13 @@ export class BaseUsersService {
 signupLink: `${req.ncSiteUrl}${
 Noco.getConfig()?.dashboardPath
 }#/signup/${token}`,
- baseName: req.body?.baseName,
- roles: (req.body?.roles || '')
- .split(',')
- .map((r) => r.replace(/^./, (m) => m.toUpperCase()))
- .join(', '),
+ baseName: sanitiseEmailContent(req.body?.baseName),
+ roles: sanitiseEmailContent(
+ (req.body?.roles || '')
+ .split(',')
+ .map((r) => r.replace(/^./, (m) => m.toUpperCase()))
+ .join(', '),
+ ),
 adminEmail: req.user?.email,
 }),
 });
diff --git a/packages/nocodb/src/utils/emailUtils.ts b/packages/nocodb/src/utils/emailUtils.ts
new file mode 100644
index 0000000000..641e304a3e
--- /dev/null
+++ b/packages/nocodb/src/utils/emailUtils.ts
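Review bot: `sanitiseEmailContent(req.body?.baseName)` on the added `baseName:` line forwards a possibly-undefined value, and `sanitiseEmailContent` as introduced in this patch calls `content.replace(...)` unguarded, so an invite request without `baseName` now throws a TypeError where the old code silently passed `undefined` through to the template. Either default at the call site, `baseName: sanitiseEmailContent(req.body?.baseName ?? '')`, or coerce inside the helper. Separately, the value is still read from the request body rather than resolved from the `Base` record the invite belongs to, so after encoding it remains caller-chosen text inside an email the recipient is expected to trust; if a base id is in scope here, looking the name up server-side would remove that dependency. The enclosing method starts and ends outside the hunk, so I cannot confirm what is available at this point.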
@@ -0,0 +1,19 @@
+// html encode string
+const encode = (str) => {
+ const buf = [];
+
+ for (let i = str.length - 1; i >= 0; i--) {
+ const encoded = ['&#', str[i].charCodeAt(), ';'].join('');
+ buf.unshift(encoded);
+ }
+
+ return buf.join('');
+};
+
+// a method to sanitise content and avoid any link/url injection in email content and html encode special chars
+// for example: example.com to be converted as example.com
+export const sanitiseEmailContent = (content: string) => {
+ return content
+ .replace(/[<>&;?#,'"$]+/g, encode)
+ .replace(/\.|\/\/:/g, '$&');
+};
diff --git a/packages/nocodb/src/utils/index.ts b/packages/nocodb/src/utils/index.ts
index 894ad0af25..9b6d11bdae 100644
--- a/packages/nocodb/src/utils/index.ts
+++ b/packages/nocodb/src/utils/index.ts
@@ -1,4 +1,5 @@
 export * from './dataUtils';
 export * from './sanitiseUserObj';
+export * from './emailUtils';
 
 export const isEE = false;

From 42bae93508538e22b6c31043280484437dfcdd8c Mon Sep 17 00:00:00 2001
From: Pranav C
Date: Tue, 14 May 2024 12:09:01 +0530
Subject: [PATCH 2/2] refactor: simplified version of encode

Signed-off-by: Pranav C
---
 packages/nocodb/src/utils/emailUtils.ts | 14 +++++---------
 1 file changed, 5 insertions(+), 9 deletions(-)

diff --git a/packages/nocodb/src/utils/emailUtils.ts b/packages/nocodb/src/utils/emailUtils.ts
index 641e304a3e..bc42407cde 100644
--- a/packages/nocodb/src/utils/emailUtils.ts
+++ b/packages/nocodb/src/utils/emailUtils.ts
@@ -1,13 +1,9 @@
 // html encode string
-const encode = (str) => {
- const buf = [];
-
- for (let i = str.length - 1; i >= 0; i--) {
- const encoded = ['&#', str[i].charCodeAt(), ';'].join('');
- buf.unshift(encoded);
- }
-
- return buf.join('');
+const encode = (str: string) => {
+ return str
+ ?.split('')
+ .map((char) => `&#${char.charCodeAt(0)};`)
+ .join('');
 };
 
 // a method to sanitise content and avoid any link/url injection in email content and html encode special chars
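Review bot: The second `.replace(/\.|\/\/:/g, '$&')` in `sanitiseEmailContent` is a no-op: `'$&'` is the replacement pattern that re-inserts the matched text itself, and the alternative `\/\/:` matches the literal `//:` rather than the `://` of a URL, so neither dots nor schemes are altered, and the comment's example (`example.com` to be converted as `example.com`) shows no change either. Unless an invisible character was lost from that replacement string in transit, this line should be removed or replaced with a transformation that is actually visible in the output, with the comment updated to show what it produces. `content` is typed `string` but the only call site in this series passes `req.body?.baseName`, so a guard such as `return (content ?? '')` at the top of the function would keep a missing field from throwing in `replace`; note also that the numeric entities emitted by `encode` presuppose an HTML-rendered template — in a plain-text template the `&#44;` produced from the roles' `', '` separator would be shown literally.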
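Review bot: `str?.split('')` in the new `const encode = (str: string)` applies optional chaining to a parameter declared as `string`, so under `strict` the `?.` is dead and only suggests a null path the type denies; `encode` is invoked solely as the callback of `String.prototype.replace` with a non-empty match, so `str.split('')` is the accurate form. If the intent was to tolerate a missing value, `sanitiseEmailContent` (below this hunk, in the unchanged part of the file) is where `content.replace` would throw first, so the guard belongs there rather than here. `split('')` also splits on UTF-16 code units, which is harmless for the present character class `[<>&;?#,'"$]` but would emit two entities for one astral character if the class were ever widened; `Array.from(str)` iterates code points and avoids that.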