Merge pull request #7024 from topcoder-platform/PM-198
PM-198 Fix reflected XSS
himaniraghav3 authored Jan 8, 2025
2 parents 0d1e3c8 + 484fb70 commit 0ef26b8
Showing 3 changed files with 14 additions and 5 deletions.
3 changes: 2 additions & 1 deletion package.json
Expand Up @@ -172,7 +172,8 @@
"url-parse": "^1.4.1",
"uuid": "^3.3.2",
"valid-url": "^1.0.9",
"xml2json": "^0.11.2"
"xml2json": "^0.11.2",
"xss": "^1.0.15"
},
"devDependencies": {
"@commitlint/cli": "^8.3.5",
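Review bot: The new `xss` dependency is added with a caret range on line 23, yet none of the three changed files is a lockfile, so this commit does not pin the version that actually gets installed; if the repository maintains a lockfile it should be updated in the same change. That matters more than for an ordinary dependency because the package now sits on the request path of two handlers and a later minor release would be picked up silently.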
6 changes: 4 additions & 2 deletions src/server/services/mmLeaderboard.js
Expand Up @@ -3,6 +3,7 @@
* Server-side functions necessary for effective integration with MMLeaderboard
*/
import { services } from 'topcoder-react-lib';
import xss from 'xss';

const { api, submissions } = services;

Expand All @@ -17,13 +18,14 @@ export default class MMLService {
*/
async getLeaderboard(req, res, next) {
try {
const sanitizedId = xss(req.params.id);
const m2mToken = await api.getTcM2mToken();
const subSrv = submissions.getService(m2mToken);
const reviewIds = await subSrv.getScanReviewIds();
const v5api = api.getApiV5(m2mToken);
const subs = await v5api.get(`/submissions?challengeId=${req.params.id}&page=1&perPage=500`);
const subs = await v5api.get(`/submissions?challengeId=${sanitizedId}&page=1&perPage=500`);
return res.send({
id: req.params.id,
id: sanitizedId,
subs: await subs.json(),
reviewIds,
});
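Review bot: `xss()` on line 42 strips HTML markup but does not encode the value for the query string built on line 48, so a path parameter containing `&`, `#` or `%` is still interpolated raw into the request to the v5 API and can change the query the upstream service receives. The value should be percent-encoded at the point of use, `const subs = await v5api.get(\`/submissions?challengeId=${encodeURIComponent(sanitizedId)}&page=1&perPage=500\`);`, or validated against a format allowlist as the sibling change in src/server/services/recruitCRM.js does. The HTML-stripping step then only affects the `id` echoed back on line 51, which `res.send` presumably serializes as JSON; a one-line comment stating what `xss()` is protecting there would help the next reader. getLeaderboard's catch block lies outside the hunk.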
10 changes: 8 additions & 2 deletions src/server/services/recruitCRM.js
Expand Up @@ -7,6 +7,7 @@ import qs from 'qs';
import _ from 'lodash';
import { logger, services } from 'topcoder-react-lib';
import Joi from 'joi';
import xss from 'xss';
import { sendEmailDirect } from './sendGrid';
// import GSheetService from './gSheet';

Expand Down Expand Up @@ -186,7 +187,12 @@ export default class RecruitCRMService {
*/
async getJob(req, res, next) {
try {
const response = await fetch(`${this.private.baseUrl}/v1/jobs/${req.params.id}`, {
const sanitizedId = xss(req.params.id);

if (!/^[a-zA-Z0-9-_]{8,20}$/.test(sanitizedId)) {
return res.status(400).json({ error: 'Invalid job ID format.' });
}
const response = await fetch(`${this.private.baseUrl}/v1/jobs/${sanitizedId}`, {
method: 'GET',
headers: {
'Content-Type': req.headers['content-type'],
Expand All @@ -201,7 +207,7 @@ export default class RecruitCRMService {
const error = {
error: true,
status: response.status,
url: `${this.private.baseUrl}/v1/jobs/${req.params.id}`,
url: `${this.private.baseUrl}/v1/jobs/${sanitizedId}`,
errObj: await response.json(),
};
logger.error(error);
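Review bot: Once the allowlist on line 73 is in place, the `xss()` call on line 71 is redundant — any value `xss()` would alter already fails `/^[a-zA-Z0-9-_]{8,20}$/` — and the trailing `-_` in that class relies on the literal-hyphen-after-a-range rule, which is easy to misread. Equally strict and clearer: drop line 71, write the check as `if (!/^[\w-]{8,20}$/.test(req.params.id)) {`, and use `req.params.id` on lines 76 and 85. The 8–20 length bound is not explained anywhere in the hunk; a comment above the check such as `// Job ids are short alphanumeric slugs — TODO(review): confirm the 8–20 char format with Recruit CRM` would record where it comes from. getJob continues on both sides of the hunk.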
