XSS-Sanitization für AppSettings (companyName & Co)
Pentest-Befund (MEDIUM): companyName und weitere Plain-Text-Setting- Keys nahmen via PUT /api/settings/:key XSS-Payloads wie <img src=x onerror=alert(1)> ungefiltert entgegen. Nur Admin triggerbar, aber E-Mail-Templates/PDF-Generatoren hätten den Wert unescaped rendern können. Fix in appSetting.service.ts: sanitizeSettingValue(key, value) strippt HTML außer für die expliziten Editor-Keys (imprintHtml, privacyPolicyHtml, authorizationTemplateHtml, websitePrivacyPolicyHtml). Greift in updateSetting + updateSettings. cleanup-xss-and-mass-assignment.ts bereinigt bestehende dreckige Werte beim Container-Start (idempotent). Live-verifiziert auf dev: - PUT companyName="<img onerror=alert(1)>OpenCRM<script>alert(2)</script>" → DB: "OpenCRM" - Bulk-PUT mit XSS auf companyName + defaultEmailDomain → gestrippt - imprintHtml mit "<h1>...<p>" → unverändert (HTML-allowed) - Cleanup-Skript auf dirty value: "EvilCo" statt mit Tags Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -63,16 +63,45 @@ async function cleanupXss() {
|
||||
console.log(` → User bereinigt: ${userTouched}`);
|
||||
}
|
||||
|
||||
// HTML in Plain-Text-Settings strippen: WYSIWYG-Editoren liefern
|
||||
// absichtlich HTML, alles andere (companyName, defaultEmailDomain, ...)
|
||||
// muss reiner Text bleiben. Pentest 2026-05-19, MEDIUM.
|
||||
const HTML_ALLOWED_SETTING_KEYS = new Set([
|
||||
'authorizationTemplateHtml',
|
||||
'imprintHtml',
|
||||
'privacyPolicyHtml',
|
||||
'websitePrivacyPolicyHtml',
|
||||
]);
|
||||
|
||||
function stripHtmlString(s: string): string {
|
||||
return s
|
||||
.replace(/<script[^>]*>[\s\S]*?<\/script>/gi, '')
|
||||
.replace(/<style[^>]*>[\s\S]*?<\/style>/gi, '')
|
||||
.replace(/<\/?[a-z][^>]*>/gi, '');
|
||||
}
|
||||
|
||||
async function cleanupAppSettings() {
|
||||
const settings = await prisma.appSetting.findMany();
|
||||
const removed: string[] = [];
|
||||
let stripped = 0;
|
||||
for (const s of settings) {
|
||||
if (!ALLOWED_SETTING_KEYS.has(s.key)) {
|
||||
removed.push(s.key);
|
||||
await prisma.appSetting.delete({ where: { key: s.key } });
|
||||
continue;
|
||||
}
|
||||
if (!HTML_ALLOWED_SETTING_KEYS.has(s.key)) {
|
||||
const cleaned = stripHtmlString(s.value);
|
||||
if (cleaned !== s.value) {
|
||||
await prisma.appSetting.update({ where: { key: s.key }, data: { value: cleaned } });
|
||||
stripped++;
|
||||
}
|
||||
}
|
||||
}
|
||||
console.log(` → AppSettings entfernt: ${removed.length}${removed.length ? ' (' + removed.join(', ') + ')' : ''}`);
|
||||
if (stripped > 0) {
|
||||
console.log(` → AppSettings HTML-gestrippt: ${stripped}`);
|
||||
}
|
||||
}
|
||||
|
||||
// Pattern, die auf typische Pentest-/Test-Daten hindeuten. Bewusst eng
|
||||
|
||||
Reference in New Issue
Block a user