Merge branch 'bug/fix-XSS-on-event-title' into 'master'

Make sure title is properly sanitized Closes #247 See merge request framasoft/mobilizon!281
2019-10-16 19:17:27 +02:00 · 2019-10-16 19:17:27 +02:00 · 4dcbf85d9a
parent 6b2382c444 8094f1d80a
commit 4dcbf85d9a
3 changed files with 62 additions and 1 deletions
--- a/lib/mobilizon_web/api/events.ex
+++ b/lib/mobilizon_web/api/events.ex
@ -73,7 +73,7 @@ defmodule MobilizonWeb.API.Events do

  defp prepare_args(args) do
    with %Actor{} = organizer_actor <- Map.get(args, :organizer_actor),
-         title <- args |> Map.get(:title, "") |> String.trim(),
+         title <- args |> Map.get(:title, "") |> HtmlSanitizeEx.strip_tags() |> String.trim(),
         visibility <- Map.get(args, :visibility, :public),
         description <- Map.get(args, :description),
         tags <- Map.get(args, :tags),
--- a/test/mobilizon_web/resolvers/event_resolver_test.exs
+++ b/test/mobilizon_web/resolvers/event_resolver_test.exs
@ -119,6 +119,48 @@ defmodule MobilizonWeb.Resolvers.EventResolverTest do
      assert json_response(res, 200)["data"]["createEvent"]["title"] == "come to my event"
    end

+    test "create_event/3 creates an event and escapes title and description", %{
+      conn: conn,
+      actor: actor,
+      user: user
+    } do
+      mutation = """
+          mutation createEvent($title: String!, $description: String, $begins_on: DateTime, $organizer_actor_id: ID!) {
+              createEvent(
+                  title: $title,
+                  description: $description,
+                  begins_on: $begins_on,
+                  organizer_actor_id: $organizer_actor_id
+              ) {
+                title,
+                description,
+                uuid
+              }
+            }
+      """
+
+      res =
+        conn
+        |> auth_conn(user)
+        |> AbsintheHelpers.graphql_query(
+          query: mutation,
+          variables: %{
+            title:
+              "My Event title <img src=\"http://placekitten.com/g/200/300\" onclick=\"alert('aaa')\" >",
+            description:
+              "<b>My description</b> <img src=\"http://placekitten.com/g/200/300\" onclick=\"alert('aaa')\" >",
+            begins_on: DateTime.utc_now() |> DateTime.truncate(:second) |> DateTime.to_iso8601(),
+            organizer_actor_id: "#{actor.id}"
+          }
+        )
+
+      assert res["errors"] == nil
+      assert res["data"]["createEvent"]["title"] == "My Event title"
+
+      assert res["data"]["createEvent"]["description"] ==
+               "<b>My description</b> <img src=\"http://placekitten.com/g/200/300\" />"
+    end
+
    test "create_event/3 creates an event as a draft", %{conn: conn, actor: actor, user: user} do
      mutation = """
          mutation {
--- a/test/support/abinthe_helpers.ex
+++ b/test/support/abinthe_helpers.ex
@ -1,4 +1,7 @@
 defmodule MobilizonWeb.AbsintheHelpers do
+  use Phoenix.ConnTest
+  @endpoint MobilizonWeb.Endpoint
+
  @moduledoc """
  Absinthe helpers for tests
  """
@ -17,4 +20,20 @@ defmodule MobilizonWeb.AbsintheHelpers do
      "variables" => ""
    }
  end
+
+  def graphql_query(conn, options) do
+    conn
+    |> post(
+      "/api",
+      build_query(options[:query], options[:variables])
+    )
+    |> json_response(200)
+  end
+
+  defp build_query(query, variables) do
+    %{
+      "query" => query,
+      "variables" => variables
+    }
+  end
 end