Fixed XSS vulnerability - sanitized permission action req

src/routers/admin.js

@@ -7,6 +7,7 @@ import { permissionCache } from '../helpers/cache';
 import { responseException } from '../exceptions';
 import * as Services from '../services/admin';
 import { SwitcherKeys } from '../external/switcher-api-facade';
+import { checkActionType } from '../models/permission';
 
 const router = new express.Router();
 
@@ -101,6 +102,7 @@ router.get('/admin/me', auth, async (req, res) => {
 router.post('/admin/collaboration/permission', auth, [
     check('domain', 'Domain Id is required').isMongoId(),
     check('action', 'Array of actions is required').isArray({ min: 1 }),
+    check('action.*').custom(async value => checkActionType([value])),
     check('router', 'Router name is required').isLength({ min: 1 }),
     check('environment').isString().optional()
 ], validate, async (req, res) => {
@@ -124,9 +126,9 @@ router.post('/admin/collaboration/permission', auth, [
         try {
             await verifyOwnership(req.admin, element, req.body.domain, action_perm, 
                 req.body.router, false, req.body.environment);
-            result.push({ action: action_perm.toString(), result: 'ok' });
+            result.push({ action: action_perm, result: 'ok' });
         } catch (e) {
-            result.push({ action : action_perm.toString(), result: 'nok' });
+            result.push({ action : action_perm, result: 'nok' });
         }
     }
 

src/services/config.js

@@ -1,4 +1,3 @@
-import mongoose from 'mongoose';
 import { response } from './common';
 import { Config } from '../models/config';
 import { formatInput, verifyOwnership, checkEnvironmentStatusRemoval } from '../helpers';
@@ -258,15 +257,14 @@ export async function removeComponent(id, args, admin) {
 
 export async function updateComponent(id, args, admin) {
     const config = await verifyAddComponentInput(id, admin);
-    const componentIds = args.components.map(component => new mongoose.Types.ObjectId(component));
-    const components = await getComponents({ _id: { $in: componentIds } });
+    const components = await getComponents({ _id: { $in: args.components } });
 
     if (components.length != args.components.length) {
         throw new NotFoundError('One or more component was not found');
     }
 
     config.updatedBy = admin.email;
-    config.components = componentIds;
+    config.components = args.components;
     await config.save();
     updateDomainVersion(config.domain);
 

tests/admin.test.js

@@ -949,6 +949,22 @@ describe('Testing Admin collaboration endpoint - Reading permissions', () => {
         token = responseLogin.body.jwt.token;
     });
 
+    test('ADMIN_SUITE - Should NOT read permissions given invalid action request', async () => {
+        const response = await request(app)
+            .post('/admin/collaboration/permission')
+            .set('Authorization', `Bearer ${token}`)
+            .send({
+                domain: domainId,
+                action: ['INVALID_ACTION'],
+                router: RouterTypes.GROUP,
+                environment: EnvType.DEFAULT
+            })
+            .expect(422);
+
+        expect(response.body.errors[0].msg).toEqual(
+            'Permission validation failed: action: \'INVALID_ACTION\' is not a valid enum value.');
+    });
+
     test('ADMIN_SUITE - Should read permissions given request - Group', async () => {
         const response = await request(app)
             .post('/admin/collaboration/permission')

tests/config.test.js

@@ -590,7 +590,7 @@ describe('Testing component association', () => {
             }).expect(200);
 
         // DB validation - document updated
-        const config = await Config.findById(configId1).exec()
+        const config = await Config.findById(configId1).exec();
         expect(config.components.includes(responseComponent.body.component._id)).toBe(true);
     });