

fix(cactus-common): coerceUnknownToError() now uses HTML sanitize
1. This is a security fix so that the exception serialization does not
accidentally enable XSS against anybody who is looking at crash logs
through some admin GUI that renders logs it treats as trusted.
2. The yarn.lock file seems to have gotten out of date by accident again
so I'm also sneaking in that as an update here just to get the fix in
ASAP and without burning too much on CI execution costs.

Related discussion about `1)` can be seen at this other pull request:
hyperledger-cacti#2893

Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
petermetz committed Dec 5, 2023
1 parent 358861d commit 7cf4a73
Showing 2 changed files with 4 additions and 43 deletions.
@@ -1,4 +1,5 @@
import stringify from "fast-safe-stringify";
import sanitizeHtml from "sanitize-html";
import { ErrorFromUnknownThrowable } from "./error-from-unknown-throwable";
import { ErrorFromSymbol } from "./error-from-symbol";

Expand Down Expand Up @@ -26,10 +27,11 @@ export function coerceUnknownToError(x: unknown): Error {
} else if (x instanceof Error) {
return x;
} else {
const xAsJson = stringify(x, (_, value) =>
const xAsJsonUnsafe = stringify(x, (_, value) =>
typeof value === "bigint" ? value.toString() + "n" : value,
);
return new ErrorFromUnknownThrowable(xAsJson);
const xAsJsonSanitized = sanitizeHtml(xAsJsonUnsafe);
return new ErrorFromUnknownThrowable(xAsJsonSanitized);
}
}

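Review bot: The new `const xAsJsonSanitized = sanitizeHtml(xAsJsonUnsafe);` line applies HTML output encoding at the wrong layer: it mutates the diagnostic itself (sanitize-html, with its default allow-list, keeps some tags and entity-encodes text, so a thrown value containing `a < b` is logged as `a &lt; b` and the message no longer round-trips as the JSON of what was thrown), while the `x instanceof Error` branch two lines above returns the thrown Error with its message untouched, so an Error whose message carries markup still reaches the same admin GUI unsanitized. Escaping belongs in the GUI that renders the log into HTML, not in the serializer, because this message is also consumed by terminals and JSON log pipelines that now see entity-encoded text. If the hardening is to stay here, a context-independent escape of the raw JSON would at least be lossless, and the contract should be stated, e.g. `// NOTE: the message is HTML-sanitized (sanitize-html defaults), so it is not byte-exact JSON of the thrown value; renderers must still escape for their own output context.` coerceUnknownToError starts before this hunk (only its signature is visible in the hunk header), so the earlier branches could not be checked for the same inconsistency.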
41 changes: 0 additions & 41 deletions yarn.lock
Expand Up @@ -9811,7 +9811,6 @@ __metadata:
version: 5.14.19
resolution: "@mui/core-downloads-tracker@npm:5.14.19"
checksum: e71c886f12bbd83791638545017c0b8439c3c6b51125979fea105f938f2f5b109629d4deddd38448c05b8be10b3249334324f1505c1306c52a2b8d315a1005c3
<<<<<<< HEAD
languageName: node
linkType: hard

Expand All @@ -9836,32 +9835,6 @@ __metadata:
resolution: "@mui/material@npm:5.14.19"
dependencies:
"@babel/runtime": ^7.23.4
=======
languageName: node
linkType: hard

"@mui/icons-material@npm:^5.14.19":
version: 5.14.19
resolution: "@mui/icons-material@npm:5.14.19"
dependencies:
"@babel/runtime": ^7.23.4
peerDependencies:
"@mui/material": ^5.0.0
"@types/react": ^17.0.0 || ^18.0.0
react: ^17.0.0 || ^18.0.0
peerDependenciesMeta:
"@types/react":
optional: true
checksum: 31182d4c3416e76c868544d3f604b7d2ef32b59e0445e0b3a794118c55be1e62a24c2f7ed3ae6f46356bd21b913e01a5b0a46d23a897ea7646fb0ee36134dee0
languageName: node
linkType: hard

"@mui/material@npm:^5.14.19":
version: 5.14.19
resolution: "@mui/material@npm:5.14.19"
dependencies:
"@babel/runtime": ^7.23.4
>>>>>>> c1ad57262143868cf2b6301f25b2c78c082926e6
"@mui/base": 5.0.0-beta.25
"@mui/core-downloads-tracker": ^5.14.19
"@mui/system": ^5.14.19
Expand Down Expand Up @@ -13601,19 +13574,6 @@ __metadata:
"@types/react-dom@npm:^18.0.0, @types/react-dom@npm:^18.2.17":
version: 18.2.17
resolution: "@types/react-dom@npm:18.2.17"
<<<<<<< HEAD
dependencies:
"@types/react": "*"
checksum: 7a4e704ed4be6e0c3ccd8a22ff69386fe548304bf4db090513f42e059ff4c65f7a427790320051524d6578a2e4c9667bb7a80a4c989b72361c019fbe851d9385
languageName: node
linkType: hard

"@types/react-transition-group@npm:^4.4.9":
version: 4.4.9
resolution: "@types/react-transition-group@npm:4.4.9"
dependencies:
"@types/react": "*"
=======
dependencies:
"@types/react": "*"
checksum: 7a4e704ed4be6e0c3ccd8a22ff69386fe548304bf4db090513f42e059ff4c65f7a427790320051524d6578a2e4c9667bb7a80a4c989b72361c019fbe851d9385
Expand All @@ -13625,7 +13585,6 @@ __metadata:
resolution: "@types/react-transition-group@npm:4.4.9"
dependencies:
"@types/react": "*"
>>>>>>> c1ad57262143868cf2b6301f25b2c78c082926e6
checksum: be9e256e53919a7cf3b4a075f6d01c0a2dd3a67911dd28276aa6158be4beade4ca5327cbf1f096c28b413e04989f069122319b02e5a09c280d903a0accea9ead
languageName: node
linkType: hard
