Merge pull request #167 from NearSocial/release-2.5.5

## 2.5.5 - FIX: Restrict attributes of `Files` component to a whitelist. Reported by BrunoModificato from OtterSec.
NearSocial · Jan 8, 2024 · d8eb167 · d8eb167
2 parents e9e6173 + d44aad3
commit d8eb167
Show file tree

Hide file tree

Showing 4 changed files with 33 additions and 4 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Changelog
 
+## 2.5.5
+
+- FIX: Restrict attributes of `Files` component to a whitelist. Reported by BrunoModificato from OtterSec.
+
 ## 2.5.4
 
 - Added optional `commitModalBypass` feature config. When the `<CommitButton />` component is used inside of a widget with a matching `src` prop, the `CommitModal` will be bypassed and `onCommit()` will be called instantly when the button is clicked. If for some reason the requested transaction is invalid, the `CommitModal` will still appear to show an error message to the user. View example below to see configuration options.

diff --git a/dist/index.js b/dist/index.js
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "near-social-vm",
-  "version": "2.5.4",
+  "version": "2.5.5",
   "description": "Near Social VM",
   "main": "dist/index.js",
   "files": [

diff --git a/src/lib/vm/vm.js b/src/lib/vm/vm.js
@@ -413,6 +413,31 @@ const requirePattern = (id) => {
   }
 };
 
+const FilesComponentWhitelist = [
+  "key",
+  "name",
+  "className",
+  "onChange",
+  "onError",
+  "accepts",
+  "multiple",
+  "clickable",
+  "maxFiles",
+  "maxFileSize",
+  "minFileSize",
+  "dragActiveClassName",
+];
+
+const filterFilesAttributes = (attributes) => {
+  const filteredAttributes = {};
+  FilesComponentWhitelist.forEach((key) => {
+    if (attributes.hasOwnProperty(key)) {
+      filteredAttributes[key] = attributes[key];
+    }
+  });
+  return filteredAttributes;
+};
+
 class Stack {
   constructor(prevStack, state) {
     this.prevStack = prevStack;
@@ -688,7 +713,7 @@ class VmStack {
             accepts={["image/*"]}
             minFileSize={1}
             clickable
-            {...attributes}
+            {...filterFilesAttributes(attributes)}
           >
             {status.img?.uploading ? (
               <>{Loading} Uploading</>
@@ -701,7 +726,7 @@ class VmStack {
         </div>
       );
     } else if (element === "Files") {
-      return <Files {...attributes}>{children}</Files>;
+      return <Files {...filterFilesAttributes(attributes)}>{children}</Files>;
     } else if (element === "iframe") {
       return <SecureIframe {...attributes} />;
     } else if (element === "Web3Connect") {