Closed lightswitch05 closed 3 years ago
More SonarCloud scan results can be found here: https://sonarcloud.io/dashboard?id=lightswitch05_whiteboard
Thanks for the patch! Appreciated 👍
Thanks for merging! I'm sorry about the styling - I thought I had that figured out, I guess not.
I've included two security related bug-fixes in this PR:

1. Using `path.dirname`, we can get the path from the generated `filePath`. If `path.dirname` does not match `FILE_DATABASE_FOLDER`, then we know that the given `wid` contains path information and should not be trusted. Example:

   Using `path.basename`, we can get the filename from the generated `filePath`. If the `path.basename` does not match `fileName`, then we know that the given `wid` contains path information and should not be trusted. Example:

2. A malicious iframe or popup link could generate a false "paste" event using the `Window.postMessage` API. A false event would have `event.origin` set to be the iframe's URL. Real `paste` events have an undefined `event.origin`. This PR ensures `event.origin` is unset before injecting the content into the Whiteboard. Read more here: https://sonarcloud.io/organizations/lightswitch05/rules?open=javascript%3AS2819&rule_key=javascript%3AS2819