From a0ec928fca48ca2548de5a572b1cb2f36b917191 Mon Sep 17 00:00:00 2001
From: Henry Heino <46334387+personalizedrefrigerator@users.noreply.github.com>
Date: Thu, 27 Jul 2023 07:41:57 -0700
Subject: [PATCH] Merge pull request from GHSA-m59c-9rrj-c399
* Sanitize HTML in processPastedHtml
* Add test
---
.eslintignore | 1 +
.gitignore | 1 +
.../NoteEditor/utils/resourceHandling.test.ts | 20 +++++++++++++++++++
.../gui/NoteEditor/utils/resourceHandling.ts | 9 ++++++---
packages/app-desktop/jest.config.js | 2 +-
packages/app-desktop/jest.setup.js | 19 ++++++++++++++++++
6 files changed, 48 insertions(+), 4 deletions(-)
create mode 100644 packages/app-desktop/gui/NoteEditor/utils/resourceHandling.test.ts
create mode 100644 packages/app-desktop/jest.setup.js
diff --git a/.eslintignore b/.eslintignore
index d6c33847f..e06087099 100644
--- a/.eslintignore
+++ b/.eslintignore
@@ -254,6 +254,7 @@ packages/app-desktop/gui/NoteEditor/utils/contextMenu.js
packages/app-desktop/gui/NoteEditor/utils/contextMenuUtils.js
packages/app-desktop/gui/NoteEditor/utils/index.js
packages/app-desktop/gui/NoteEditor/utils/resourceHandling.js
+packages/app-desktop/gui/NoteEditor/utils/resourceHandling.test.js
packages/app-desktop/gui/NoteEditor/utils/types.js
packages/app-desktop/gui/NoteEditor/utils/useDropHandler.js
packages/app-desktop/gui/NoteEditor/utils/useEffectiveNoteId.js
diff --git a/.gitignore b/.gitignore
index 61ffca103..0ff31d555 100644
--- a/.gitignore
+++ b/.gitignore
@@ -239,6 +239,7 @@ packages/app-desktop/gui/NoteEditor/utils/contextMenu.js
packages/app-desktop/gui/NoteEditor/utils/contextMenuUtils.js
packages/app-desktop/gui/NoteEditor/utils/index.js
packages/app-desktop/gui/NoteEditor/utils/resourceHandling.js
+packages/app-desktop/gui/NoteEditor/utils/resourceHandling.test.js
packages/app-desktop/gui/NoteEditor/utils/types.js
packages/app-desktop/gui/NoteEditor/utils/useDropHandler.js
packages/app-desktop/gui/NoteEditor/utils/useEffectiveNoteId.js
diff --git a/packages/app-desktop/gui/NoteEditor/utils/resourceHandling.test.ts b/packages/app-desktop/gui/NoteEditor/utils/resourceHandling.test.ts
new file mode 100644
index 000000000..e993bcade
--- /dev/null
+++ b/packages/app-desktop/gui/NoteEditor/utils/resourceHandling.test.ts
@@ -0,0 +1,20 @@
+import { processPastedHtml } from './resourceHandling';
+
+describe('resourceHandling', () => {
+ it('should sanitize pasted HTML', async () => {
+ const testCases = [
+ ['Test: ', 'Test: '],
+ ['test', 'test'],
+ ['', ''],
+ ['', ''],
+ [
+ '',
+ '',
+ ],
+ ];
+
+ for (const [html, expected] of testCases) {
+ expect(await processPastedHtml(html)).toBe(expected);
+ }
+ });
+});
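Review bot: The assertion loop at the end of the `it` block stops at the first failing table entry, and the Jest failure output will not say which `html` input produced it; `it.each(testCases)('sanitizes %p', async (html, expected) => { expect(await processPastedHtml(html)).toBe(expected); })` reports every case on its own. Declaring the table as `const testCases: [string, string][] = [` also keeps `html` and `expected` plain strings if the package compiles with `noUncheckedIndexedAccess`, where the inferred `string[][]` destructures to `string | undefined` and no longer matches `processPastedHtml(html: string)`. As rendered here, the fourth and fifth entries of the table are identical empty-string pairs and the last entry is empty on both sides; if that is the committed content rather than an extraction artefact, those rows add no coverage of the sanitizer and could be dropped or replaced with inputs that exercise it.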
diff --git a/packages/app-desktop/gui/NoteEditor/utils/resourceHandling.ts b/packages/app-desktop/gui/NoteEditor/utils/resourceHandling.ts
index 124a7f49c..2aa0b7091 100644
--- a/packages/app-desktop/gui/NoteEditor/utils/resourceHandling.ts
+++ b/packages/app-desktop/gui/NoteEditor/utils/resourceHandling.ts
@@ -6,6 +6,7 @@ import Resource from '@joplin/lib/models/Resource';
const bridge = require('@electron/remote').require('./bridge').default;
import ResourceFetcher from '@joplin/lib/services/ResourceFetcher';
import htmlUtils from '@joplin/lib/htmlUtils';
+import rendererHtmlUtils from '@joplin/renderer/htmlUtils';
import Logger from '@joplin/lib/Logger';
const { fileUriToPath } = require('@joplin/lib/urlUtils');
const joplinRendererUtils = require('@joplin/renderer').utils;
@@ -173,7 +174,9 @@ export async function processPastedHtml(html: string) {
}
}
- return htmlUtils.replaceImageUrls(html, (src: string) => {
- return mappedResources[src];
- });
+ return rendererHtmlUtils.sanitizeHtml(
+ htmlUtils.replaceImageUrls(html, (src: string) => {
+ return mappedResources[src];
+ })
+ );
}
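Review bot: The new `sanitizeHtml` wrapper around `replaceImageUrls` carries no comment explaining why sanitization happens at this point, and `processPastedHtml` (its body starts outside the hunk) still has no explicit return type. Because the sanitizer runs on the output of `replaceImageUrls`, the rewritten `src` values are part of what is sanitized, which a reader otherwise has to reconstruct; a comment such as `// Pasted HTML is untrusted. Sanitize after the image URLs have been rewritten so` / `// that the final markup, mapped resource URLs included, passes through the sanitizer.` would pin that down. Assuming `rendererHtmlUtils.sanitizeHtml` returns a string, declaring `export async function processPastedHtml(html: string): Promise<string>` makes that contract part of what the compiler checks rather than something callers infer.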
diff --git a/packages/app-desktop/jest.config.js b/packages/app-desktop/jest.config.js
index 7e7a00276..a953b51f0 100644
--- a/packages/app-desktop/jest.config.js
+++ b/packages/app-desktop/jest.config.js
@@ -116,7 +116,7 @@ module.exports = {
// setupFiles: [],
// A list of paths to modules that run some code to configure or set up the testing framework before each test
- // setupFilesAfterEnv: [],
+ setupFilesAfterEnv: [`${__dirname}/jest.setup.js`],
// The number of seconds after which a test is considered as slow and reported as such in the results.
// slowTestThreshold: 5,
diff --git a/packages/app-desktop/jest.setup.js b/packages/app-desktop/jest.setup.js
new file mode 100644
index 000000000..1c7a56a75
--- /dev/null
+++ b/packages/app-desktop/jest.setup.js
@@ -0,0 +1,19 @@
+
+const { default: Logger, TargetType } = require('@joplin/lib/Logger');
+
+// TODO: Some libraries required by test-utils.js seem to fail to import with the
+// jsdom environment.
+//
+// Thus, require('@joplin/lib/testing/test-utils.js') fails and some setup must be
+// copied.
+
+const logger = new Logger();
+logger.addTarget(TargetType.Console);
+logger.setLevel(Logger.LEVEL_WARN);
+Logger.initializeGlobalLogger(logger);
+
+
+// @electron/remote requires electron to be running. Mock it.
+jest.mock('@electron/remote', () => {
+ return { require };
+});
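Review bot: The `@electron/remote` mock hands back this setup file's own `require`, so the `.require('./bridge')` call in resourceHandling.ts resolves `./bridge` relative to the directory of jest.setup.js (packages/app-desktop/) rather than wherever the real remote `require` would resolve it; that is not obvious from the one-line mock and deserves a comment, e.g. `// Returning this file's require means remote.require('./bridge') resolves relative` / `// to packages/app-desktop/ — confirm that is where the bridge module is expected.` The file also opens with a blank line and has two consecutive blank lines before the mock comment; if the repository's ESLint config enables `no-multiple-empty-lines` or `eol-last`-style rules, these will be flagged, so trimming them now avoids a follow-up lint fix.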