fix: encode error messages (#35038)

Co-authored-by: Marcos Spessatto Defendi <15324204+MarcosSpessatto@users.noreply.github.com>

fix: encode error messages (#35038)
11e51c70 · julio-rocketchat · GitHub · 0fef2bbb · 11e51c70 · 11e51c70
Unverified Commit 11e51c70 authored 2 months ago by julio-rocketchat Committed by GitHub 2 months ago
--- a/.changeset/small-waves-press.md
+++ b/.changeset/small-waves-press.md
+---
+'@rocket.chat/meteor': minor
+---
+
+Adds "DOMPurify" and "he" to sanitize ECDH and Livechat errors
--- a/apps/meteor/ee/server/services/ecdh-proxy/lib/server.ts
+++ b/apps/meteor/ee/server/services/ecdh-proxy/lib/server.ts
@@ -7,6 +7,7 @@ import cookie from 'cookie';
 import cookieParser from 'cookie-parser';
 import type { Request, Response } from 'express';
 import express from 'express';
+import he from 'he';
 import mem from 'mem';
 import WebSocket from 'ws';

@@ -106,7 +107,7 @@ app.post('/api/ecdh_proxy/initEncryptedSession', async (req, res) => {
 			publicKeyString: session.publicKeyString,
 		});
 	} catch (e) {
-		res.status(400).send(e instanceof Error ? e.message : String(e));
+		res.status(400).send(e instanceof Error ? he.escape(e.message) : he.escape(String(e)));
 	}
 });

@@ -126,7 +127,8 @@ app.post('/api/ecdh_proxy/echo', async (req, res) => {
 		res.send(await session.encrypt(result));
 	} catch (e) {
 		console.error(e);
-		res.status(400).send(e instanceof Error ? e.message : String(e));
+		const errorMessage = e instanceof Error ? e.message : String(e);
+		res.status(400).send(he.encode(errorMessage));
 	}
 });


--- a/packages/livechat/package.json
+++ b/packages/livechat/package.json
@@ -104,6 +104,7 @@
 		"@rocket.chat/ui-kit": "workspace:~",
 		"css-vars-ponyfill": "^2.4.9",
 		"date-fns": "^2.30.0",
+		"dompurify": "^3.2.3",
 		"emoji-mart": "^3.0.1",
 		"history": "~5.3.0",
 		"i18next": "~23.4.9",

--- a/packages/livechat/src/components/Composer/index.tsx
+++ b/packages/livechat/src/components/Composer/index.tsx
@@ -4,8 +4,8 @@ import type { CSSProperties } from 'preact/compat';

 import { createClassName } from '../../helpers/createClassName';
 import { parse } from '../../helpers/parse';
+import DOMPurify from 'dompurify';
 import styles from './styles.scss';
-
 const findLastTextNode = (node: Node): Node | null => {
 	if (node.nodeType === Node.TEXT_NODE) {
 		return node;
@@ -214,7 +214,7 @@ export class Composer extends Component<ComposerProps, ComposerState> {
 		const caretPosition = this.getCaretPosition(this.el);
 		const oldText = this.el?.innerText ?? '';
 		const newText = `${oldText.slice(0, caretPosition)}${emoji}&nbsp;${oldText.slice(caretPosition)}`;
-		this.el.innerHTML = newText;
+		this.el.innerHTML = DOMPurify.sanitize(newText);
 		this.moveCursorToEndAndFocus(caretPosition + emoji.length + 1);
 		onChange?.(this.el.innerText);
 	}