#2926 - Détection de code HTML entrant dans nos APIs

back/src/adapters/primary/routers/security.e2e.test.ts

@@ -0,0 +1,115 @@
+import {
+  AgencyDtoBuilder,
+  ConventionDtoBuilder,
+  UnauthenticatedConventionRoutes,
+  expectHttpResponseToEqual,
+  unauthenticatedConventionRoutes,
+} from "shared";
+import { HttpClient } from "shared-routes";
+import { createSupertestSharedClient } from "shared-routes/supertest";
+import { AppConfigBuilder } from "../../../utils/AppConfigBuilder";
+import { InMemoryGateways, buildTestApp } from "../../../utils/buildTestApp";
+
+describe("security e2e", () => {
+  const peAgency = new AgencyDtoBuilder().withKind("pole-emploi").build();
+
+  const convention = new ConventionDtoBuilder()
+    .withAgencyId(peAgency.id)
+    .withFederatedIdentity({ provider: "peConnect", token: "some-id" })
+    .build();
+
+  let unauthenticatedRequest: HttpClient<UnauthenticatedConventionRoutes>;
+  let gateways: InMemoryGateways;
+
+  beforeEach(async () => {
+    const testApp = await buildTestApp(new AppConfigBuilder().build());
+    const request = testApp.request;
+
+    ({ gateways } = testApp);
+
+    unauthenticatedRequest = createSupertestSharedClient(
+      unauthenticatedConventionRoutes,
+      request,
+    );
+
+    gateways.timeGateway.defaultDate = new Date();
+  });
+
+  describe("check request body for HTML", () => {
+    it("400 - should throw an error if a request (POST) body parameter contains HTML", async () => {
+      const response = await unauthenticatedRequest.createConvention({
+        body: {
+          convention: {
+            ...convention,
+            businessName: "<script>alert('XSS')</script>",
+          },
+        },
+      });
+
+      expectHttpResponseToEqual(response, {
+        body: {
+          status: 400,
+          message: "Invalid request body",
+        },
+        status: 400,
+      });
+    });
+
+    it("200 - should not throw an error if a request (POST) body parameter does not contain HTML", async () => {
+      const response = await unauthenticatedRequest.createConvention({
+        body: {
+          convention: {
+            ...convention,
+            businessName: "L'amie > caline !",
+          },
+        },
+      });
+
+      expectHttpResponseToEqual(response, {
+        body: {
+          id: convention.id,
+        },
+        status: 200,
+      });
+    });
+
+    it("400 - should throw an error if a request (GET) query parameter contains HTML", async () => {
+      const response = await unauthenticatedRequest.findSimilarConventions({
+        queryParams: {
+          beneficiaryBirthdate: "1990-01-01",
+          beneficiaryLastName: "<script>alert('XSS')</script>",
+          codeAppellation: "1234567890",
+          dateStart: "2021-01-01",
+          siret: "12345678901234",
+        },
+      });
+
+      expectHttpResponseToEqual(response, {
+        body: {
+          status: 400,
+          message: "Invalid request body",
+        },
+        status: 400,
+      });
+    });
+
+    it("200 - should not throw an error if a request (GET) query parameter does not contain HTML", async () => {
+      const response = await unauthenticatedRequest.findSimilarConventions({
+        queryParams: {
+          beneficiaryBirthdate: "1990-01-01",
+          beneficiaryLastName: "Bon<<eau",
+          codeAppellation: "11573",
+          dateStart: "2021-01-01",
+          siret: "12345678901234",
+        },
+      });
+
+      expectHttpResponseToEqual(response, {
+        body: {
+          similarConventionIds: [],
+        },
+        status: 200,
+      });
+    });
+  });
+});

back/src/config/bootstrap/detectHtmlInParamsMiddleware.ts

@@ -0,0 +1,26 @@
+import { NextFunction, Request, Response } from "express";
+import { doesObjectContainsHTML, technicalRoutes } from "shared";
+
+const excludedRoutes: string[] = [
+  technicalRoutes.htmlToPdf.url,
+  technicalRoutes.inboundEmailParsing.url,
+];
+
+export const detectHtmlInParamsMiddleware = (
+  req: Request,
+  res: Response,
+  next: NextFunction,
+) => {
+  if (!excludedRoutes.includes(req.originalUrl)) {
+    if (
+      (req.body && doesObjectContainsHTML(req.body)) ||
+      (req.query && doesObjectContainsHTML(req.query))
+    ) {
+      return res.status(400).json({
+        status: 400,
+        message: "Invalid request body",
+      });
+    }
+  }
+  next();
+};

back/src/config/bootstrap/server.ts

@@ -31,6 +31,7 @@ import { legacyCreateLogger } from "../../utils/logger";
 import { AppConfig } from "./appConfig";
 import { createAppDependencies } from "./createAppDependencies";
 import { Gateways } from "./createGateways";
+import { detectHtmlInParamsMiddleware } from "./detectHtmlInParamsMiddleware";
 import { startCrawler } from "./startCrawler";
 
 const logger = legacyCreateLogger(__filename);
@@ -74,7 +75,7 @@ export const createApp = async (
       } else next();
     });
   });
-
+  app.use(detectHtmlInParamsMiddleware);
   const deps = await createAppDependencies(config);
 
   app.use(createSearchRouter(deps));

front/src/core-logic/adapters/Convention/HttpConventionGateway.ts

@@ -123,6 +123,7 @@ export class HttpConventionGateway implements ConventionGateway {
         .then((response) =>
           match(response)
             .with({ status: 200 }, ({ body }) => body.similarConventionIds)
+            .with({ status: 400 }, throwBadRequestWithExplicitMessage)
             .otherwise(otherwiseThrow),
         ),
     );

shared/src/convention/convention.routes.ts

@@ -143,6 +143,7 @@ export const unauthenticatedConventionRoutes = defineRoutes({
     queryParamsSchema: findSimilarConventionsParamsSchema,
     responses: {
       200: findSimilarConventionsResponseSchema,
+      400: httpErrorSchema,
     },
   }),
 });

shared/src/utils/string.ts

@@ -1,3 +1,5 @@
+import { values } from "ramda";
+
 export const capitalize = (str: string): string =>
   str[0].toUpperCase() + str.slice(1);
 
@@ -45,3 +47,21 @@ export const removeSpaces = (str: string) => str.replace(/\s/g, "");
 
 export const isStringEmpty = (str: string) =>
   str !== "" && str.trim().length === 0;
+
+export const doesStringContainsHTML = (possiblyHtmlString: string): boolean => {
+  const htmlRegex =
+    /(?:<[!]?(?:(?:[a-z][a-z0-9-]{0,1000})|(?:!--[\s\S]{0,1000}?--))(?:\s{0,1000}[^>]{0,1000})?>\s{0,1000})|(?:<!--)/i;
+  return htmlRegex.test(possiblyHtmlString);
+};
+
+export const doesObjectContainsHTML = (obj: object): boolean => {
+  const browseObjectProps = (hasHtml: boolean, value: unknown): boolean => {
+    if (hasHtml) return true;
+    if (typeof value === "string") return doesStringContainsHTML(value);
+    if (typeof value === "object" && value !== null) {
+      return values(value).reduce(browseObjectProps, false);
+    }
+    return false;
+  };
+  return values(obj).reduce(browseObjectProps, false);
+};

shared/src/utils/string.unit.test.ts

@@ -1,5 +1,6 @@
 import {
   cleanStringToHTMLAttribute,
+  doesStringContainsHTML,
   looksLikeSiret,
   removeDiacritics,
   slugify,
@@ -111,4 +112,18 @@ describe("string utils", () => {
       },
     );
   });
+
+  describe("doesStringContainsHTML", () => {
+    it.each([
+      ["<script>alert('XSS')</script>", true],
+      ["some content with a <a href='example.com'>link</a>", true],
+      ["some content with a <!-- beginning of html comment", true],
+      ["some content with a <!-- html comment -->", true],
+      ["some content with an --> ending of html comment", false],
+      ["some content with an < open tag", false],
+      ["> < emoji ?", false],
+    ])(`should return true for "%s"`, (input, expected) => {
+      expect(doesStringContainsHTML(input)).toBe(expected);
+    });
+  });
 });