From d4e13aad9750bcf64dec5af1d15f8abe6b157275 Mon Sep 17 00:00:00 2001
From: prafullaAtSB <150028847+prafullaAtSB@users.noreply.github.com>
Date: Fri, 13 Dec 2024 17:27:42 +0530
Subject: [PATCH 1/3] added dompurify for sanitization

---
 package.json | 4 +++-
 yarn.lock | 12 ++++++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/package.json b/package.json
index a47076544..513446709 100644
--- a/package.json
+++ b/package.json
@@ -125,5 +125,7 @@
       "@commitlint/config-conventional"
     ]
   },
-  "dependencies": {}
+  "dependencies": {
+    "dompurify": "^3.2.3"
+  }
 }
diff --git a/yarn.lock b/yarn.lock
index e6903d18f..761601953 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -8166,6 +8166,11 @@
dependencies: "@types/jest" "*" +"@types/trusted-types@^2.0.7": + version "2.0.7" + resolved "https://registry.yarnpkg.com/@types/trusted-types/-/trusted-types-2.0.7.tgz#baccb07a970b91707df3a3e8ba6896c57ead2d11" + integrity sha512-ScaPdn1dQczgbl0QFTeTOmVHFULt394XJgOQNoyVhZ6r2vLnMLJfBPd53SB52T/3G36VI1/g2MZaX0cwDuXsfw== + "@types/type-is@^1.6.3": version "1.6.3" resolved "https://registry.yarnpkg.com/@types/type-is/-/type-is-1.6.3.tgz#45285b3be846a4afc9d488910a8e4b7bc2e8a169"
@@ -11437,6 +11442,13 @@ domhandler@^4.0.0, domhandler@^4.2.0:
dependencies: domelementtype "^2.2.0" +dompurify@^3.2.3: + version "3.2.3" + resolved "https://registry.yarnpkg.com/dompurify/-/dompurify-3.2.3.tgz#05dd2175225324daabfca6603055a09b2382a4cd" + integrity sha512-U1U5Hzc2MO0oW3DF+G9qYN0aT7atAou4AgI0XjWz061nyBPbdxkfdhfy5uMgGn6+oLFCfn44ZGbdDqCzVmlOWA== + optionalDependencies: + "@types/trusted-types" "^2.0.7" + domutils@^2.5.2, domutils@^2.6.0, domutils@^2.7.0: version "2.8.0" resolved "https://registry.yarnpkg.com/domutils/-/domutils-2.8.0.tgz#4437def5db6e2d1f5d6ee859bd95ca7d02048135"

From 504fe5e90fea754662919a62ea61e51d342f67cd Mon Sep 17 00:00:00 2001
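Review bot: `dompurify` is added to the repository root package.json, but the code that imports it (patch 2, packages/elements-core/src/components/TryIt/build-request.ts) lives in the `@stoplight/elements-core` workspace, whose own package.json is touched in patch 3 only for the version bump. If that package is published on its own, consumers will not get `dompurify` installed and `import DOMPurify from 'dompurify'` only resolves inside this monorepo; the dependency belongs in `packages/elements-core/package.json` under `"dependencies"` as well (or instead). The root `"dependencies"` object was empty before this change, which suggests runtime dependencies are expected to be declared per workspace package.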
From: SB-harshitajadhav
Date: Fri, 13 Dec 2024 17:57:52 +0530
Subject: [PATCH 2/3] fix: fix: sanitize path with DOMPurify lib

---
 .../src/components/TryIt/build-request.ts | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/packages/elements-core/src/components/TryIt/build-request.ts b/packages/elements-core/src/components/TryIt/build-request.ts
index 84ce2dd39..b74ed39f0 100644
--- a/packages/elements-core/src/components/TryIt/build-request.ts
+++ b/packages/elements-core/src/components/TryIt/build-request.ts
@@ -1,4 +1,5 @@
 import { Dictionary, HttpParamStyles, IHttpOperation, IMediaTypeContent, IServer } from '@stoplight/types';
+import DOMPurify from 'dompurify';
 import { Request as HarRequest } from 'har-format';
 import { getServerUrlWithVariableValues, resolveUrl } from '../../utils/http-spec/IServer';
@@ -144,20 +145,23 @@ export async function buildFetchRequest({
   credentials = 'omit',
   corsProxy,
 }: BuildRequestInput): Promise> {
+  const sanitizedParameterValues = Object.fromEntries(
+    Object.entries(parameterValues).map(([key, value]) => [key, DOMPurify.sanitize(value)]),
+  );
   const serverUrl = getServerUrl({ httpOperation, mockData, chosenServer, corsProxy, serverVariableValues });
   const shouldIncludeBody = ['PUT', 'POST', 'PATCH'].includes(httpOperation.method.toUpperCase()) && bodyInput !== undefined;
-  const queryParams = getQueryParams({ httpOperation, parameterValues });
+  const queryParams = getQueryParams({ httpOperation, parameterValues: sanitizedParameterValues });
   const rawHeaders = filterOutAuthorizationParams(httpOperation.request?.headers ?? [], httpOperation.security)
-    .map(header => ({ name: header.name, value: parameterValues[header.name] ?? '' }))
+    .map(header => ({ name: header.name, value: sanitizedParameterValues[header.name] ?? '' }))
     .filter(({ value }) => value.length > 0);
   const [queryParamsWithAuth, headersWithAuth] = runAuthRequestEhancements(auth, queryParams, rawHeaders);
-  const expandedPath = uriExpand(httpOperation.path, parameterValues);
+  const expandedPath = uriExpand(httpOperation.path, sanitizedParameterValues);
   // urlObject is concatenated this way to avoid /user and /user/ endpoint edge cases
   const urlObject = new URL(serverUrl + expandedPath);

From 7304669ce272031b3311c1004094460e3af7bf84 Mon Sep 17 00:00:00 2001
From: SB-harshitajadhav
Date: Tue, 17 Dec 2024 10:13:27 +0530
Subject: [PATCH 3/3] chore(deps): elements version bump up

---
 packages/elements-core/package.json | 2 +-
 packages/elements-dev-portal/package.json | 4 ++--
 packages/elements/package.json | 4 ++--
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/packages/elements-core/package.json b/packages/elements-core/package.json
index 4f9a56010..eeb073a0b 100644
--- a/packages/elements-core/package.json
+++ b/packages/elements-core/package.json
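Review bot: `DOMPurify.sanitize` is an HTML sanitizer and does not make a value safe for URL or header construction, yet `sanitizedParameterValues` now feeds `uriExpand`, `getQueryParams` and the raw header values. Its output is HTML-serialized, so legitimate inputs are rewritten before they are encoded into the request (`a&b` comes back as `a&amp;b`, and text after an unclosed `<` is dropped), which silently changes what the user entered in TryIt, while a path value such as `../other` or one containing `?` or `#` passes through DOMPurify unchanged and still reaches `new URL(serverUrl + expandedPath)`. For URL components the defense is per-component percent-encoding (`encodeURIComponent` on each expanded value inside `uriExpand`, `URLSearchParams` for the query) plus rejecting path values that contain `/`, `?` or `#`; whether `uriExpand` already encodes is not visible in this hunk. If the intent is to stop HTML injection where these values are later rendered, sanitize at the rendering site rather than mutating the request inputs. buildFetchRequest begins before and continues after this hunk.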
@@ -1,6 +1,6 @@
 {
   "name": "@stoplight/elements-core",
-  "version": "8.5.2",
+  "version": "8.5.3",
   "sideEffects": [
     "web-components.min.js",
     "src/web-components/**",
diff --git a/packages/elements-dev-portal/package.json b/packages/elements-dev-portal/package.json
index 28a3a6d27..cc733cb04 100644
--- a/packages/elements-dev-portal/package.json
+++ b/packages/elements-dev-portal/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@stoplight/elements-dev-portal",
-  "version": "2.5.2",
+  "version": "2.5.3",
   "description": "UI components for composing beautiful developer documentation.",
   "keywords": [],
   "sideEffects": [
@@ -66,7 +66,7 @@
   "dependencies": {
     "@stoplight/markdown-viewer": "^5.7.1",
     "@stoplight/mosaic": "^1.53.4",
-    "@stoplight/elements-core": "^8.5.2",
+    "@stoplight/elements-core": "^8.5.3",
     "@stoplight/path": "^1.3.2",
     "@stoplight/types": "^14.0.0",
     "classnames": "^2.2.6",
diff --git a/packages/elements/package.json b/packages/elements/package.json
index 61d4f7a54..ca9b8be60 100644
--- a/packages/elements/package.json
+++ b/packages/elements/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@stoplight/elements",
-  "version": "8.5.2",
+  "version": "8.5.3",
   "description": "UI components for composing beautiful developer documentation.",
   "keywords": [],
   "sideEffects": [
@@ -63,7 +63,7 @@
     ]
   },
   "dependencies": {
-    "@stoplight/elements-core": "^8.5.2",
+    "@stoplight/elements-core": "^8.5.3",
     "@stoplight/http-spec": "^7.1.0",
     "@stoplight/json": "^3.18.1",
     "@stoplight/mosaic": "^1.53.4",