fix(security): require screenshot protocol to be http/https

jasonraimondi · jasonraimondi · commit eb70161d74ca · 2024-06-03T21:59:20.000-04:00
prevent file:// URI scheme in Playwright screenshots A critical vulnerability was discovered in a web application feature that utilizes Playwright's screenshot capability. Attackers could exploit this vulnerability by using the file:// URI scheme to read arbitrary files on the server's filesystem, potentially exposing sensitive information, such as AWS credentials. This commit addresses the vulnerability by implementing proper input validation and sanitization to prevent the use of the file:// URI scheme in Playwright screenshot requests, mitigating the risk of unauthorized file access. resolves #47
diff --git a/src/lib/schema.ts b/src/lib/schema.ts
@@ -7,8 +7,25 @@ const zodStringBool = z
   .transform(x => x === "true")
   .pipe(z.boolean());
 
+const urlSchema = z
+  .string()
+  .url()
+  .refine(
+    val => {
+      try {
+        const url = new URL(val);
+        return url.protocol === "http:" || url.protocol === "https:";
+      } catch (err) {
+        return false;
+      }
+    },
+    {
+      message: "must start with http or https",
+    },
+  );
+
 export const PlainConfigSchema = z.object({
-  url: z.string().url(),
+  url: urlSchema,
   width: z.coerce.number().nullish(),
   height: z.coerce.number().nullish(),
   viewPortWidth: z.coerce.number().nullish(),
diff --git a/src/middlewares/extract_query_params.ts b/src/middlewares/extract_query_params.ts
@@ -33,7 +33,15 @@ export function handleExtractQueryParamsMiddleware(encryptionService?: StringEnc
     const { validData, errors } = parseForm({ data: input, schema: PlainConfigSchema });
 
     if (errors) {
-      throw new HTTPException(400, { message: "Invalid query parameters", cause: errors });
+      let message: string = "Invalid query parameters: ";
+
+      for (const [key, value] of Object.entries(errors)) {
+        message += `\n    ${key} - ${value}`;
+      }
+
+      console.log(message);
+
+      throw new HTTPException(400, { message, cause: errors });
     }
 
     if (validData.width && validData.width > 1920) {
diff --git a/tests/app.spec.ts b/tests/app.spec.ts
@@ -64,6 +64,18 @@ suite("app", () => {
       expect(res.status).toBe(400);
       expect(await res.text()).toMatch(/Invalid query/gi);
     });
+
+    [
+      "file:///etc/passwd&width=4000",
+      "view-source:file:///home/&width=4000",
+      "view-source:file:///home/ec2-user/url-to-png/.env",
+    ].forEach(invalidDomain => {
+      it(`throws when invalid protocol ${invalidDomain}`, async () => {
+        const res = await app.request(`/?url=${invalidDomain}`);
+        expect(res.status).toBe(400);
+        expect(await res.text()).toMatch(/url - must start with http or https/gi);
+      });
+    });
   });
 
   describe("GET /?hash=", () => {
