fix: Mustache.escape fix #85

prakash100198 · 2024-10-08T14:56:53Z

No description provided.

src/destination/destinationHandlers/webhookHandler.ts

@@ -113,10 +113,10 @@
            if (event.eventTypeId == EVENT_TYPE.ScoopNotification){
                const date = moment(event.eventTime);
                event.payload.scoopNotificationConfig.data.interceptedAt = date.unix();
-                jsons = Mustache.render(Mustache.escape(template), event.payload.scoopNotificationConfig.data);
+                jsons = Mustache.render(template, event.payload.scoopNotificationConfig.data);


To fix the problem, we need to ensure that the template used in Mustache.render is sanitized and validated before rendering. This can be achieved by:

Validating the template to ensure it does not contain any malicious code.

Using a safe method to pass user input into the template rendering process.

The best way to fix this without changing existing functionality is to use context-specific escaping and validation for the template before rendering it with Mustache.

src/destination/destinationHandlers/webhookHandler.ts

            }else {
                let parsedEvent = this.mh.parseEventForWebhook(event as Event);
-                jsons = Mustache.render(Mustache.escape(template), parsedEvent);
+                jsons = Mustache.render(template, parsedEvent);


To fix the problem, we need to ensure that the template used in Mustache.render is sanitized and validated before rendering. This can be achieved by escaping any potentially dangerous characters in the user-provided input. Additionally, we should validate the structure of the template to ensure it conforms to expected patterns.

Sanitize the template: Use a library like DOMPurify to sanitize the template string.

Validate the template: Ensure the template conforms to expected patterns and does not contain any unexpected or dangerous content.

Mustache.escape fix

86b265e

vikramdevtron previously approved these changes Oct 8, 2024

View reviewed changes

vikramdevtron self-requested a review October 8, 2024 16:29

Mustache.escape fix in smtp, webhook, and slack

94b43e9

prakash100198 dismissed vikramdevtron’s stale review via 94b43e9 October 9, 2024 07:33

vivek-devtron approved these changes Oct 9, 2024

View reviewed changes

github-advanced-security bot found potential problems Oct 9, 2024

View reviewed changes

Shivam-nagar23 approved these changes Oct 9, 2024

View reviewed changes

prakash100198 merged commit 133c887 into main Oct 9, 2024
3 of 4 checks passed

@@ -115,6 +115,6 @@
                             event.payload.scoopNotificationConfig.data.interceptedAt = date.unix();
-                            jsons = Mustache.render(template, event.payload.scoopNotificationConfig.data);
+                            jsons = Mustache.render(this.sanitizeTemplate(template), event.payload.scoopNotificationConfig.data);
                         }else {
                             let parsedEvent = this.mh.parseEventForWebhook(event as Event);
-                            jsons = Mustache.render(template, parsedEvent);
+                            jsons = Mustache.render(this.sanitizeTemplate(template), parsedEvent);
                         }
@@ -136,2 +136,9 @@
+                private sanitizeTemplate(template: string): string {
+                    // Implement template sanitization logic here
+                    // For example, remove any potentially dangerous code or characters
+                    // This is a placeholder implementation
+                    return template.replace(/<script.*?>.*?<\/script>/gi, '');
+                }
                 private saveNotificationEventSuccessLog(result: any, event: Event, p: any, setting: NotificationSettings) {

@@ -20,2 +20,3 @@
             import Mustache from 'mustache';
+            import DOMPurify from 'dompurify';
             import { EventLogBuilder } from "../../common/eventLogBuilder";
@@ -115,6 +116,8 @@
                             event.payload.scoopNotificationConfig.data.interceptedAt = date.unix();
-                            jsons = Mustache.render(template, event.payload.scoopNotificationConfig.data);
+                            const sanitizedTemplate = DOMPurify.sanitize(template);
+                            jsons = Mustache.render(sanitizedTemplate, event.payload.scoopNotificationConfig.data);
                         }else {
                             let parsedEvent = this.mh.parseEventForWebhook(event as Event);
-                            jsons = Mustache.render(template, parsedEvent);
+                            const sanitizedTemplate = DOMPurify.sanitize(template);
+                            jsons = Mustache.render(sanitizedTemplate, parsedEvent);
                         }

@@ -41,3 +41,4 @@
                     "typeorm": "0.3.17",
-                    "winston": "^3.2.1"
+                    "winston": "^3.2.1",
+                    "dompurify": "^3.1.7"
                 },

Package	Version	Security advisories
dompurify (npm)	3.1.7	None

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix: Mustache.escape fix #85

fix: Mustache.escape fix #85

prakash100198 commented Oct 8, 2024

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

fix: Mustache.escape fix #85

fix: Mustache.escape fix #85

Conversation

prakash100198 commented Oct 8, 2024