XSS via User Story JSON file -- First approach

- Implemented xss-filters library on server side
- Validated all data used on project list view

Signed-off-by: Teresita de Jesus Guerrero Vela <teresita.guerrero.vela@intel.com>
Teresita de Jesus Guerrero Vela 2017-02-13 16:27:32 -06:00
parent de15ec952d
commit 2a159aefe2
2 changed files with 18 additions and 12 deletions


@ -8,12 +8,12 @@ module.exports = function(UserStory) {
var async = require("async");
var htmlparser = require("htmlparser");
var cheerio = require('cheerio');
var xssFilters = require("xss-filters");
const SPEC_URL = "http://specs.openstack.org/openstack/openstack-user-stories/user-stories/proposed/";
var blueprintsResume = [];
var getAllfiles = function(){
return fs.readdirSync(route)
.map(function(file){
@ -29,11 +29,12 @@ module.exports = function(UserStory) {
var userStories = getAllfiles();
//filter by Id
var file = userStories.filter(function(item){
return item.id == id;
// VALIDATE IF A VALID ID IS COMING!
console.log("my id",xssFilters.inHTMLData(id));
return item.id == xssFilters.inHTMLData(id);
})
file = (file.length > 0)?file[0]:null;
return file;
};
@ -48,15 +49,19 @@ module.exports = function(UserStory) {
userStory.tasks.forEach(function (taskName, index, array) {
var task = userStory.tasks_status[taskName];
console.log("La tarea es:", task);
task.projects.forEach(function (projectName, index, array) {
var blueprints = task.projects_status[projectName].blueprints;
console.log("The project name is, ", projectName);
//VALIDATE projectName EXISTS
var blueprints = task.projects_status[xssFilters.inHTMLData(projectName)].blueprints;
var blueprintNames = Object.keys(blueprints);
blueprintNames.forEach(function (blueprintName, index, array) {
if (blueprints[blueprintName] == 'completed')
console.log("single blueprint: ",blueprintName);
console.log("el nombre del blue print es: ", blueprints[blueprintName]);
// VALIDATE PROPERLY if this statement is not true
if (blueprints[xssFilters.inHTMLData(blueprintName)] == 'completed')
blueprintsResume.completed = blueprintsResume.completed + 1;
blueprintsResume.total = blueprintsResume.total + 1;
@ -316,10 +321,10 @@ module.exports = function(UserStory) {
var itemResult = {
completed: getbluePrintResume(userStory),
dateCreated: userStory.date,
lastUpdate: lastUpdated,
userStory: userStory.description,
id:userStory.id
dateCreated: xssFilters.inHTMLData(userStory.date),
lastUpdate: xssFilters.inHTMLData(lastUpdated),
userStory: xssFilters.inHTMLData(userStory.description),
id:xssFilters.inHTMLData(userStory.id)
};
cb(null, itemResult);
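Review bot: xssFilters.inHTMLData() is an HTML output encoder, not an input validator, so applying it to lookup keys in the second and third hunks alters the lookups instead of validating them: `item.id == xssFilters.inHTMLData(id)` can never match an id that contains a character the encoder rewrites (`&`, `<`, `>`, quotes), and `task.projects_status[xssFilters.inHTMLData(projectName)].blueprints` throws a TypeError whenever the encoded key is absent, because the indexed value is then undefined. The same applies to `blueprints[xssFilters.inHTMLData(blueprintName)]`, where blueprintName comes from Object.keys(blueprints) on the line above and is already a key of that object; the `//VALIDATE projectName EXISTS` comment marks exactly the gap that remains. Keep the raw value for the comparison and the property accesses, reject malformed ids before the filter (a constructed example, to be adjusted to the real id format: `if (typeof id !== 'string' || !/^[\w.-]+$/.test(id)) return null;`), and apply inHTMLData only at the point where a value is written into HTML — encoding in the model, as the last hunk does for the itemResult fields, double-encodes if the view template escapes as well. The debug console.log calls added in these hunks (including the Spanish-language ones) should be dropped before merge; the enclosing module.exports function starts and ends outside the hunks.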


@ -22,7 +22,8 @@
"loopback-datasource-juggler": "^2.39.0",
"markdown": "^0.5.0",
"serve-favicon": "^2.0.1",
"underscore": "^1.8.3"
"underscore": "^1.8.3",
"xss-filters": "^1.2.7"
},
"devDependencies": {
"jshint": "^2.5.6",