satellite/console: Filter new characters out of user input

HTML and JS escape user input for create and update user. Change-Id: I91d972f454341a5a7f333d006a87c6f854595490
2023-01-23 14:23:32 -05:00 · 2023-01-23 14:23:32 -05:00 · 7c152f7ea0
commit 7c152f7ea0
parent a53849f874
2 changed files with 16 additions and 7 deletions
--- a/satellite/console/consoleweb/consoleapi/auth.go
+++ b/satellite/console/consoleweb/consoleapi/auth.go
@ -6,6 +6,7 @@ package consoleapi
 import (
 	"encoding/json"
 	"errors"
+	"html/template"
 	"net/http"
 	"regexp"
 	"strings"
@ -165,9 +166,11 @@ func (a *Auth) Logout(w http.ResponseWriter, r *http.Request) {
 	a.cookieAuth.RemoveTokenCookie(w)
 }

-// replaceURLCharacters replaces slash, colon, and dot characters in a string with a hyphen.
-func replaceURLCharacters(s string) string {
+// replaceSpecialCharacters replaces characters that could be used to represent a url or html.
+func replaceSpecialCharacters(s string) string {
 	re := regexp.MustCompile(`[\/:\.]`)
+	s = template.HTMLEscapeString(s)
+	s = template.JSEscapeString(s)
 	return re.ReplaceAllString(s, "-")
 }

@ -225,9 +228,13 @@ func (a *Auth) Register(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	// remove special characters from submitted name so that malicious link cannot be injected into verification or password reset emails.
-	registerData.FullName = replaceURLCharacters(registerData.FullName)
-	registerData.ShortName = replaceURLCharacters(registerData.ShortName)
+	// remove special characters from submitted info so that malicious link or code cannot be injected anywhere.
+	registerData.FullName = replaceSpecialCharacters(registerData.FullName)
+	registerData.ShortName = replaceSpecialCharacters(registerData.ShortName)
+	registerData.Partner = replaceSpecialCharacters(registerData.Partner)
+	registerData.Position = replaceSpecialCharacters(registerData.Position)
+	registerData.CompanyName = replaceSpecialCharacters(registerData.CompanyName)
+	registerData.EmployeeCount = replaceSpecialCharacters(registerData.EmployeeCount)

 	if len([]rune(registerData.Partner)) > 100 {
 		a.serveJSONError(w, console.ErrValidation.Wrap(errs.New("Partner must be less than or equal to 100 characters")))
@ -427,6 +434,8 @@ func (a *Auth) UpdateAccount(w http.ResponseWriter, r *http.Request) {
 		a.serveJSONError(w, err)
 		return
 	}
+	updatedInfo.FullName = replaceSpecialCharacters(updatedInfo.FullName)
+	updatedInfo.ShortName = replaceSpecialCharacters(updatedInfo.ShortName)

 	if err = a.service.UpdateAccount(ctx, updatedInfo.FullName, updatedInfo.ShortName); err != nil {
 		a.serveJSONError(w, err)
--- a/satellite/console/consoleweb/consoleapi/auth_test.go
+++ b/satellite/console/consoleweb/consoleapi/auth_test.go
@ -754,8 +754,8 @@ func TestAuth_Register_NameSpecialChars(t *testing.T) {
 			},
 		},
 	}, func(t *testing.T, ctx *testcontext.Context, planet *testplanet.Planet) {
-		inputName := "The website has been changed to https://evil.com/login.html - Enter Login Details,"
-		filteredName := "The website has been changed to https---evil-com-login-html - Enter Login Details,"
+		inputName := "The website has been changed to https://evil.com/login.html<> - Enter Login ' \" Details,"
+		filteredName := "The website has been changed to https---evil-com-login-html\\u0026lt;\\u0026gt; - Enter Login \\u0026#39; \\u0026#34; Details,"
 		email := "user@mail.test"
 		registerData := struct {
 			FullName  string `json:"fullName"`