From 657a3d7aa845fa8bed0e55d2d97932d442e45567 Mon Sep 17 00:00:00 2001
From: Peter Somogyvari
Date: Tue, 5 Dec 2023 22:28:49 +0000
Subject: [PATCH] fix(cactus-common): coerceUnknownToError() now uses HTML sanitize
1. This is a security fix so that the exception serialization does not accidentally XSS anybody who is looking at crash logs through some admin GUI that is designed to show logs that are considered trusted. 2. The yarn.lock file seems to have gotten out of date by accident again so I'm also sneaking in that as an update here just to get the fix in ASAP and without burning too much on CI execution costs. Related discussion about `1)` can be seen at this other pull request: https://github.com/hyperledger/cacti/pull/2893
Signed-off-by: Peter Somogyvari
(cherry picked from commit 7cf4a73e1e27e92869c6d813cb25e377f14cb20b)
---
 .../exception/coerce-unknown-to-error.ts | 6 ++-
 yarn.lock | 41 -------------------
 2 files changed, 4 insertions(+), 43 deletions(-)
diff --git a/packages/cactus-common/src/main/typescript/exception/coerce-unknown-to-error.ts b/packages/cactus-common/src/main/typescript/exception/coerce-unknown-to-error.ts
index cc1e6f2419b..bdb92322522 100644
--- a/packages/cactus-common/src/main/typescript/exception/coerce-unknown-to-error.ts
+++ b/packages/cactus-common/src/main/typescript/exception/coerce-unknown-to-error.ts
@@ -1,4 +1,5 @@
 import stringify from "fast-safe-stringify";
+import sanitizeHtml from "sanitize-html";
 import { ErrorFromUnknownThrowable } from "./error-from-unknown-throwable";
 import { ErrorFromSymbol } from "./error-from-symbol";
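Review bot: The new `sanitize-html` import turns it into a runtime dependency of cactus-common, yet the diffstat lists only this file and yarn.lock, and the yarn.lock hunks in this patch only drop leftover merge-conflict markers, so nothing here shows the package being declared for cactus-common; confirm its package.json already lists it, since a resolution that only exists transitively would break consumers installing cactus-common on its own. A one-line comment on the import would also spare the next reader the question of why an exception-coercion helper pulls in an HTML sanitizer, e.g. `// Sanitized so serialized throwables are safe to render in log viewers; see PR #2893.`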
@@ -26,10 +27,11 @@ export function coerceUnknownToError(x: unknown): Error {
 } else if (x instanceof Error) {
 return x;
 } else {
- const xAsJson = stringify(x, (_, value) =>
+ const xAsJsonUnsafe = stringify(x, (_, value) =>
 typeof value === "bigint" ? value.toString() + "n" : value,
 );
- return new ErrorFromUnknownThrowable(xAsJson);
+ const xAsJsonSanitized = sanitizeHtml(xAsJsonUnsafe);
+ return new ErrorFromUnknownThrowable(xAsJsonSanitized);
 }
 }
diff --git a/yarn.lock b/yarn.lock
index 634645b8e4b..2cef6b94cea 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -9811,7 +9811,6 @@ __metadata:
 version: 5.14.19
 resolution: "@mui/core-downloads-tracker@npm:5.14.19"
 checksum: e71c886f12bbd83791638545017c0b8439c3c6b51125979fea105f938f2f5b109629d4deddd38448c05b8be10b3249334324f1505c1306c52a2b8d315a1005c3
-<<<<<<< HEAD
 languageName: node
 linkType: hard
@@ -9836,32 +9835,6 @@ __metadata:
 resolution: "@mui/material@npm:5.14.19"
 dependencies:
 "@babel/runtime": ^7.23.4
-=======
- languageName: node
- linkType: hard
-
-"@mui/icons-material@npm:^5.14.19":
- version: 5.14.19
- resolution: "@mui/icons-material@npm:5.14.19"
- dependencies:
- "@babel/runtime": ^7.23.4
- peerDependencies:
- "@mui/material": ^5.0.0
- "@types/react": ^17.0.0 || ^18.0.0
- react: ^17.0.0 || ^18.0.0
- peerDependenciesMeta:
- "@types/react":
- optional: true
- checksum: 31182d4c3416e76c868544d3f604b7d2ef32b59e0445e0b3a794118c55be1e62a24c2f7ed3ae6f46356bd21b913e01a5b0a46d23a897ea7646fb0ee36134dee0
- languageName: node
- linkType: hard
-
-"@mui/material@npm:^5.14.19":
- version: 5.14.19
- resolution: "@mui/material@npm:5.14.19"
- dependencies:
- "@babel/runtime": ^7.23.4
->>>>>>> c1ad57262143868cf2b6301f25b2c78c082926e6
 "@mui/base": 5.0.0-beta.25
 "@mui/core-downloads-tracker": ^5.14.19
 "@mui/system": ^5.14.19
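Review bot: Running `sanitizeHtml` over the JSON text with default options both discards anything shaped like a tag and entity-encodes `<`, `>` and `&`, so the message handed to `ErrorFromUnknownThrowable` on the new `xAsJsonSanitized` line is no longer a faithful serialization of the thrown value: a payload an investigator needs to see in the crash log is silently dropped or rewritten, and the string is no longer round-trippable JSON for anything that parses the message. The protection is also partial, because the `x instanceof Error` branch two lines above returns the original error untouched (its `message` can carry the same markup) and the earlier branches of coerceUnknownToError begin outside the hunk, so a viewer that renders messages unescaped is still exposed; HTML encoding belongs at that rendering sink. If this defense-in-depth stays, document the trade-off in the function's JSDoc, e.g. `@remarks The message of the returned ErrorFromUnknownThrowable is HTML-sanitized and therefore may be neither valid JSON nor a faithful copy of the thrown value.`, and prefer encoding over removal where the installed sanitize-html supports it, e.g. `sanitizeHtml(xAsJsonUnsafe, { allowedTags: [], allowedAttributes: {}, disallowedTagsMode: "escape" })`.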
@@ -13601,19 +13574,6 @@ __metadata:
 "@types/react-dom@npm:^18.0.0, @types/react-dom@npm:^18.2.17":
 version: 18.2.17
 resolution: "@types/react-dom@npm:18.2.17"
-<<<<<<< HEAD
- dependencies:
- "@types/react": "*"
- checksum: 7a4e704ed4be6e0c3ccd8a22ff69386fe548304bf4db090513f42e059ff4c65f7a427790320051524d6578a2e4c9667bb7a80a4c989b72361c019fbe851d9385
- languageName: node
- linkType: hard
-
-"@types/react-transition-group@npm:^4.4.9":
- version: 4.4.9
- resolution: "@types/react-transition-group@npm:4.4.9"
- dependencies:
- "@types/react": "*"
-=======
 dependencies:
 "@types/react": "*"
 checksum: 7a4e704ed4be6e0c3ccd8a22ff69386fe548304bf4db090513f42e059ff4c65f7a427790320051524d6578a2e4c9667bb7a80a4c989b72361c019fbe851d9385
@@ -13625,7 +13585,6 @@ __metadata:
 resolution: "@types/react-transition-group@npm:4.4.9"
 dependencies:
 "@types/react": "*"
->>>>>>> c1ad57262143868cf2b6301f25b2c78c082926e6
 checksum: be9e256e53919a7cf3b4a075f6d01c0a2dd3a67911dd28276aa6158be4beade4ca5327cbf1f096c28b413e04989f069122319b02e5a09c280d903a0accea9ead
 languageName: node
 linkType: hard