satellite/console: Filter new characters out of user input

mobyvb · Storj Robot · commit 7c152f7ea06f · 2023-01-25T22:52:37.000Z
HTML and JS escape user input for create and update user.

Change-Id: I91d972f454341a5a7f333d006a87c6f854595490
diff --git a/satellite/console/consoleweb/consoleapi/auth.go b/satellite/console/consoleweb/consoleapi/auth.go
@@ -6,6 +6,7 @@ package consoleapi
 import (
 	"encoding/json"
 	"errors"
+	"html/template"
 	"net/http"
 	"regexp"
 	"strings"
@@ -165,9 +166,11 @@ func (a *Auth) Logout(w http.ResponseWriter, r *http.Request) {
 	a.cookieAuth.RemoveTokenCookie(w)
 }
 
-// replaceURLCharacters replaces slash, colon, and dot characters in a string with a hyphen.
-func replaceURLCharacters(s string) string {
+// replaceSpecialCharacters replaces characters that could be used to represent a url or html.
+func replaceSpecialCharacters(s string) string {
 	re := regexp.MustCompile(`[\/:\.]`)
+	s = template.HTMLEscapeString(s)
+	s = template.JSEscapeString(s)
 	return re.ReplaceAllString(s, "-")
 }
 
@@ -225,9 +228,13 @@ func (a *Auth) Register(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	// remove special characters from submitted name so that malicious link cannot be injected into verification or password reset emails.
-	registerData.FullName = replaceURLCharacters(registerData.FullName)
-	registerData.ShortName = replaceURLCharacters(registerData.ShortName)
+	// remove special characters from submitted info so that malicious link or code cannot be injected anywhere.
+	registerData.FullName = replaceSpecialCharacters(registerData.FullName)
+	registerData.ShortName = replaceSpecialCharacters(registerData.ShortName)
+	registerData.Partner = replaceSpecialCharacters(registerData.Partner)
+	registerData.Position = replaceSpecialCharacters(registerData.Position)
+	registerData.CompanyName = replaceSpecialCharacters(registerData.CompanyName)
+	registerData.EmployeeCount = replaceSpecialCharacters(registerData.EmployeeCount)
 
 	if len([]rune(registerData.Partner)) > 100 {
 		a.serveJSONError(w, console.ErrValidation.Wrap(errs.New("Partner must be less than or equal to 100 characters")))
@@ -427,6 +434,8 @@ func (a *Auth) UpdateAccount(w http.ResponseWriter, r *http.Request) {
 		a.serveJSONError(w, err)
 		return
 	}
+	updatedInfo.FullName = replaceSpecialCharacters(updatedInfo.FullName)
+	updatedInfo.ShortName = replaceSpecialCharacters(updatedInfo.ShortName)
 
 	if err = a.service.UpdateAccount(ctx, updatedInfo.FullName, updatedInfo.ShortName); err != nil {
 		a.serveJSONError(w, err)
diff --git a/satellite/console/consoleweb/consoleapi/auth_test.go b/satellite/console/consoleweb/consoleapi/auth_test.go
@@ -754,8 +754,8 @@ func TestAuth_Register_NameSpecialChars(t *testing.T) {
 			},
 		},
 	}, func(t *testing.T, ctx *testcontext.Context, planet *testplanet.Planet) {
-		inputName := "The website has been changed to https://evil.com/login.html - Enter Login Details,"
-		filteredName := "The website has been changed to https---evil-com-login-html - Enter Login Details,"
+		inputName := "The website has been changed to https://evil.com/login.html<> - Enter Login ' \" Details,"
+		filteredName := "The website has been changed to https---evil-com-login-html\\u0026lt;\\u0026gt; - Enter Login \\u0026#39; \\u0026#34; Details,"
 		email := "user@mail.test"
 		registerData := struct {
 			FullName  string `json:"fullName"`
