fix(cactus-common): coerceUnknownToError() now uses HTML sanitize
1. This is a security fix so that the exception serialization does not
accidentally XSS anybody who is looking at crash logs through some
admin GUI that is designed to show logs that are considered trusted.
2. The yarn.lock file seems to have gotten out of date by accident again
so I'm also sneaking in that as an update here just to get the fix in
ASAP and without burning too much on CI execution costs.

Related discussion about `1)` can be seen at this other pull request:
hyperledger-cacti#2893

Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
(cherry picked from commit 7cf4a73)
petermetz committed Jan 9, 2024
1 parent 9a3af72 commit d95e8b6
Showing 1 changed file with 4 additions and 2 deletions.
@@ -1,4 +1,5 @@
import stringify from "fast-safe-stringify";
import sanitizeHtml from "sanitize-html";
import { ErrorFromUnknownThrowable } from "./error-from-unknown-throwable";
import { ErrorFromSymbol } from "./error-from-symbol";

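Review bot: the new `import sanitizeHtml from "sanitize-html";` adds a runtime dependency, but the page shows this commit touching only one file (`Showing 1 changed file with 4 additions and 2 deletions.`), so `sanitize-html` (and, for a TypeScript module, its `@types/sanitize-html` typings) must already be declared in the package's `package.json` for the import to resolve; please confirm that, or add the declaration in the same change. A short comment next to the import stating that the sanitization is defence in depth for log viewers, not a substitute for output encoding in the GUI that renders the logs, would also help the next reader.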
@@ -26,10 +27,11 @@ export function coerceUnknownToError(x: unknown): Error {
} else if (x instanceof Error) {
return x;
} else {
const xAsJson = stringify(x, (_, value) =>
const xAsJsonUnsafe = stringify(x, (_, value) =>
typeof value === "bigint" ? value.toString() + "n" : value,
);
return new ErrorFromUnknownThrowable(xAsJson);
const xAsJsonSanitized = sanitizeHtml(xAsJsonUnsafe);
return new ErrorFromUnknownThrowable(xAsJsonSanitized);
}
}
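Review bot: the sanitization only covers the final `else` branch; a value that satisfies `x instanceof Error` is still returned unchanged (`return x;`), so a message carrying markup inside a thrown `Error` reaches the same crash logs unsanitized, which undercuts the stated goal of protecting log viewers. Either give the `Error` branch the same treatment or document in a comment why it is excluded. Separately, `sanitizeHtml(xAsJsonUnsafe)` with default options keeps an allowlist of tags and rewrites `<`, `>` and `&` in text, so `xAsJsonSanitized` is in general no longer the JSON that `stringify` produced and cannot be parsed back; consider `sanitizeHtml(xAsJsonUnsafe, { allowedTags: [], allowedAttributes: {} })` to strip all markup explicitly, and note on `ErrorFromUnknownThrowable` that its message is sanitized text rather than faithful JSON of the thrown value.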
