From e247bfecd182fa867b3b3a12830247db84636eed Mon Sep 17 00:00:00 2001
From: Albin Antony
Date: Tue, 19 Sep 2023 15:19:08 +0530
Subject: [PATCH] Fix #164 Fix code scanning alert - Email content injection
---
 go.mod | 3 +++
 go.sum | 6 ++++++
 src/email/email.go | 20 ++++++++++++++++++--
 3 files changed, 27 insertions(+), 2 deletions(-)
diff --git a/go.mod b/go.mod
index 2a24eef..89f5d57 100644
--- a/go.mod
+++ b/go.mod
@@ -13,6 +13,7 @@ require (
 firebase.google.com/go v3.12.1+incompatible // indirect
 github.com/Knetic/govaluate v3.0.1-0.20171022003610-9aa49832a739+incompatible // indirect
 github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
+ github.com/aymerick/douceur v0.2.0 // indirect
 github.com/casbin/casbin/v2 v2.77.2 // indirect
 github.com/confluentinc/confluent-kafka-go v1.4.2 // indirect
 github.com/dgrijalva/jwt-go v3.2.0+incompatible // indirect
@@ -25,8 +26,10 @@ require (
 github.com/googleapis/enterprise-certificate-proxy v0.2.5 // indirect
 github.com/googleapis/gax-go/v2 v2.12.0 // indirect
 github.com/gorilla/context v1.1.1 // indirect
+ github.com/gorilla/css v1.0.0 // indirect
 github.com/gorilla/mux v1.8.0 // indirect
 github.com/inconshreveable/mousetrap v1.1.0 // indirect
+ github.com/microcosm-cc/bluemonday v1.0.25 // indirect
 github.com/spf13/cobra v1.7.0 // indirect
 github.com/spf13/pflag v1.0.5 // indirect
 github.com/tidwall/gjson v1.14.4 // indirect
diff --git a/go.sum b/go.sum
index cafcdf6..b4bbc9b 100644
--- a/go.sum
+++ b/go.sum
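Review bot: `github.com/microcosm-cc/bluemonday v1.0.25 // indirect` is tagged indirect even though this same patch imports the package directly from src/email/email.go, so the marker no longer describes the module graph. Running `go mod tidy` and committing the result should drop the `// indirect` comment (and move the line into the direct require block, if this go.mod keeps direct and indirect requires apart); douceur and gorilla/css are genuine transitive dependencies of bluemonday and can stay as written. Committing the tidied file also keeps any `go mod tidy -diff`/CI tidiness check from failing on it later.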
@@ -22,6 +22,8 @@ github.com/Knetic/govaluate v3.0.1-0.20171022003610-9aa49832a739+incompatible/go
 github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY=
 github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3dyBCFEj5IhUbnKptjxatkF07cF2ak3yi77so=
 github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw=
+github.com/aymerick/douceur v0.2.0 h1:Mv+mAeH1Q+n9Fr+oyamOlAkUNPWPlA8PPGR0QAaYuPk=
+github.com/aymerick/douceur v0.2.0/go.mod h1:wlT5vV2O3h55X9m7iVYN0TBM0NH/MmbLnd30/FjWUq4=
 github.com/casbin/casbin/v2 v2.77.2 h1:yQinn/w9x8AswiwqwtrXz93VU48R1aYTXdHEx4RI3jM=
 github.com/casbin/casbin/v2 v2.77.2/go.mod h1:mzGx0hYW9/ksOSpw3wNjk3NRAroq5VMFYUQ6G43iGPk=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
@@ -91,11 +93,15 @@ github.com/googleapis/gax-go/v2 v2.12.0 h1:A+gCJKdRfqXkr+BIRGtZLibNXf0m1f9E4HG56
 github.com/googleapis/gax-go/v2 v2.12.0/go.mod h1:y+aIqrI5eb1YGMVJfuV3185Ts/D7qKpsEkdD5+I6QGU=
 github.com/gorilla/context v1.1.1 h1:AWwleXJkX/nhcU9bZSnZoi3h/qGYqQAGhq6zZe/aQW8=
 github.com/gorilla/context v1.1.1/go.mod h1:kBGZzfjB9CEq2AlWe17Uuf7NDRt0dE0s8S51q0aT7Yg=
+github.com/gorilla/css v1.0.0 h1:BQqNyPTi50JCFMTw/b67hByjMVXZRwGha6wxVGkeihY=
+github.com/gorilla/css v1.0.0/go.mod h1:Dn721qIggHpt4+EFCcTLTU/vk5ySda2ReITrtgBl60c=
 github.com/gorilla/mux v1.8.0 h1:i40aqfkR1h2SlN9hojwV5ZA91wcXFOvkdNIeFDP5koI=
 github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So=
 github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
+github.com/microcosm-cc/bluemonday v1.0.25 h1:4NEwSfiJ+Wva0VxN5B8OwMicaJvD8r9tlJWm9rtloEg=
+github.com/microcosm-cc/bluemonday v1.0.25/go.mod h1:ZIOjCQp1OrzBBPIJmfX4qDYFuhU02nx4bn030ixfHLE=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
diff --git a/src/email/email.go b/src/email/email.go
index 3b237e1..396b28d 100644
--- a/src/email/email.go
+++ b/src/email/email.go
@@ -2,10 +2,12 @@ package email
 import (
 "fmt"
+ "html/template"
 "log"
 "net/smtp"
 "github.com/bb-consent/api/src/config"
+ "github.com/microcosm-cc/bluemonday"
 )
 // SMTPConfig Smtp configuration
@@ -23,6 +25,7 @@ func SendWelcomeEmail(username string, firstname string, subject string, body st
 auth = smtp.PlainAuth("", SMTPConfig.Username, SMTPConfig.Password, SMTPConfig.Host)
 r := NewRequest([]string{username}, subject, body, from)
+ escapedFirstName := template.HTMLEscapeString(firstname)
 emailTemplateString := `
@@ -63,7 +66,7 @@ func SendWelcomeEmail(username string, firstname string, subject string, body st
-

Hi ` + firstname + `,

+

Hi ` + escapedFirstName + `,

We are delighted that you are now registered to iGrant.io. Please check
@@ -150,12 +153,25 @@ func NewRequest(to []string, subject, body string, from string) *Request {
 // SendEmail For sending email
 func (r *Request) SendEmail(body string) (bool, error) {
+
+ p := bluemonday.UGCPolicy()
+
+ p = p.AllowAttrs("border", "cellspacing", "cellpadding", "style").OnElements("table")
+ p = p.AllowAttrs("align", "style").OnElements("td")
+ p = p.AllowAttrs("style").Globally()
+ p = p.AllowAttrs("class", "style", "id", "src").OnElements("img")
+ p = p.AllowStyles("color", "width", "background-color", "height", "border-radius", "padding", "font-size", "font-weight", "line-height").Globally()
+
 mime := "MIME-version: 1.0;\nContent-Type: text/html; charset=\"UTF-8\";\n\n"
 subject := "Subject: " + r.subject + "!\n"
 msg := []byte(subject + mime + "\n" + body)
+
+ // Sanitize the msg
+ sanitizedMsg := p.Sanitize(string(msg))
+
 addr := fmt.Sprintf("%s:%d", SMTPConfig.Host, SMTPConfig.Port)
- if err := smtp.SendMail(addr, auth, r.from, r.to, msg); err != nil {
+ if err := smtp.SendMail(addr, auth, r.from, r.to, []byte(sanitizedMsg)); err != nil {
 return false, err
 }
 return true, nil
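Review bot: `escapedFirstName := template.HTMLEscapeString(firstname)` correctly covers the greeting on the `Hi ` line, but it is the only escaped interpolation visible and the template is still assembled by string concatenation, so any other place `SendWelcomeEmail` splices caller data into `emailTemplateString` (the function and most of the template lie outside this hunk, and the rendered page has lost the surrounding markup) remains unescaped. Since `html/template` is now imported anyway, the sturdier shape is to parse the template once with `template.New("welcome").Parse(...)` and `Execute` it with a `{{.FirstName}}` placeholder, which gives contextual escaping to every interpolation rather than to one hand-picked variable. If concatenation is kept, a comment on the new line such as `// firstname is user-supplied; escape it before splicing into the HTML` would tell the next maintainer why this variable alone is treated differently. The function starts and ends outside the hunk.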
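Review bot: `sanitizedMsg := p.Sanitize(string(msg))` runs the HTML sanitizer over the whole SMTP message, headers included, so the `Subject:` and `Content-Type:` lines are treated as HTML text and entity-escaped — I'd expect `charset="UTF-8"` to leave the wire as `charset=&#34;UTF-8&#34;` and any `&`/`"`/`<` in the subject to be mangled — while the input the alert is really about, `r.subject` concatenated raw into a header, is still unguarded: a CR/LF in it can append extra headers or end the header block, and `smtp.SendMail` only validates its from/to arguments, not the message bytes. Sanitize only `body`, reject line breaks in the subject before building the header, and build the policy once at package level instead of on every send (bluemonday policies are immutable once constructed; `strings` would need adding to the import block). Separately, I believe `UGCPolicy` drops structural elements such as `<html>`, `<head>`, `<body>` and the contents of `<style>` that a table-based email template typically relies on, so the rendered welcome mail should be checked after this change. The function's closing brace is beyond the hunk.

```go
// emailPolicy is built once; bluemonday policies are immutable after construction.
var emailPolicy = func() *bluemonday.Policy {
	p := bluemonday.UGCPolicy()
	// … unchanged: AllowAttrs / AllowStyles calls …
	return p
}()

func (r *Request) SendEmail(body string) (bool, error) {
	// Subject is caller-supplied; a CR/LF would let it inject further headers
	// (net/smtp validates the from/to arguments, not the message).
	if strings.ContainsAny(r.subject, "\r\n") {
		return false, fmt.Errorf("send email: subject contains line breaks")
	}
	mime := "MIME-version: 1.0;\nContent-Type: text/html; charset=\"UTF-8\";\n\n"
	subject := "Subject: " + r.subject + "!\n"
	// Sanitize only the HTML body; passing the headers through the
	// sanitizer entity-escapes them.
	msg := []byte(subject + mime + "\n" + emailPolicy.Sanitize(body))
	// … unchanged: addr, smtp.SendMail with msg, returns …
```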