Fix: javascript injection (#925)

microsoftgraph · Apr 13, 2021 · 94bf808 · 94bf808
1 parent 3fb99df
commit 94bf808
Show file tree

Hide file tree

Showing 3 changed files with 38 additions and 4 deletions.
diff --git a/src/app/utils/external-link-validation.ts b/src/app/utils/external-link-validation.ts
@@ -4,7 +4,7 @@ import { IQuery } from '../../types/query-runner';
 import { sanitizeQueryUrl } from './query-url-sanitization';
 
 export async function validateExternalLink(url: string, componentName: string,
-  sampleId: string | null = null,  sampleQuery: IQuery | null = null): Promise<void> {
+  sampleId: string | null = null, sampleQuery: IQuery | null = null): Promise<void> {
   await fetch(url)
     .then(response => {
       if (!response.ok) {
@@ -26,4 +26,16 @@ export async function validateExternalLink(url: string, componentName: string,
       }
       telemetry.trackException(new Error(errorTypes.LINK_ERROR), SeverityLevel.Error, properties);
     });
-}
+}
+
+export function isValidHttpsUrl(value: string) {
+  let url;
+
+  try {
+    url = new URL(value);
+  } catch (_) {
+    return false;
+  }
+
+  return url.protocol === 'https:';
+}
diff --git a/src/index.tsx b/src/index.tsx
@@ -20,6 +20,7 @@ import { addHistoryItem } from './app/services/actions/request-history-action-cr
 import { changeThemeSuccess } from './app/services/actions/theme-action-creator';
 import { msalApplication } from './app/services/graph-client/msal-agent';
 import { DEFAULT_USER_SCOPES } from './app/services/graph-constants';
+import { isValidHttpsUrl } from './app/utils/external-link-validation';
 import App from './app/views/App';
 import { readHistoryData } from './app/views/sidebar/history/history-utils';
 import { geLocale } from './appLocale';
@@ -30,9 +31,9 @@ import { telemetry } from './telemetry';
 import ITelemetry from './telemetry/ITelemetry';
 import { loadGETheme } from './themes';
 import { readTheme } from './themes/theme-utils';
+import { IDevxAPI } from './types/devx-api';
 import { Mode } from './types/enums';
 import { IHistoryItem } from './types/history';
-import { IDevxAPI } from './types/devx-api';
 
 // removes the loading spinner from GE html after the app is loaded
 const spinner = document.getElementById('spinner');
@@ -107,7 +108,7 @@ if (theme) {
 
 const devxApiUrl = new URLSearchParams(location.search).get('devx-api');
 
-if (devxApiUrl) {
+if (devxApiUrl && isValidHttpsUrl(devxApiUrl)) {
   const org = new URLSearchParams(location.search).get('org');
   const branchName = new URLSearchParams(location.search).get('branchName');
 

diff --git a/src/tests/utils/external-link-validation.spec.ts b/src/tests/utils/external-link-validation.spec.ts
@@ -0,0 +1,21 @@
+import { isValidHttpsUrl } from "../../app/utils/external-link-validation";
+
+describe('External link', () => {
+  const links = [
+    {
+      url: 'data:,%20{%22sampleQueries%22:[{%22id%22:%22%22,%22category%22:%22TEST%20%22,%22method%22:%22GET%22,%22humanName%22:%22CLICK%20HERE%20-%20%3E%22,%22requestUrl%22:%22/v1.0/me/%22,%22docLink%20%22:%22javascript:alert(document.domain)%22,%22headers%22:null,%22tip%22:null,%20%22postBody%22:null,%22skipTest%22:false}]}%23',
+      result: false
+    },
+    {
+      url: 'https://aka.ms/appTemplateAPISurvey',
+      result: true
+    }
+  ];
+
+  links.forEach(link => {
+    it(`url should return ${link.result}`, () => {
+      const isValid = isValidHttpsUrl(link.url);
+      expect(isValid).toEqual(link.result);
+    });
+  });
+});