refactor(api): security issue xss on cookie (maybe false positive)

SocialGouv · Mar 25, 2022 · 3b2c47d · 3b2c47d
1 parent fc673e2
commit 3b2c47d
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 2 deletions.
diff --git a/api/src/controllers/user.js b/api/src/controllers/user.js
@@ -6,7 +6,7 @@ const crypto = require("crypto");
 const { Op } = require("sequelize");
 const { z } = require("zod");
 const { catchErrors } = require("../errors");
-const { validatePassword, looseUuidRegex } = require("../utils");
+const { validatePassword, looseUuidRegex, jwtRegex } = require("../utils");
 const mailservice = require("../utils/mailservice");
 const config = require("../config");
 const { comparePassword } = require("../utils");
@@ -156,7 +156,7 @@ router.get(
   validateUser(["admin", "normal", "superadmin"]),
   catchErrors(async (req, res, next) => {
     try {
-      z.string().parse(req.cookies.jwt);
+      z.string().regex(jwtRegex).parse(req.cookies.jwt);
     } catch (e) {
       const error = new Error(`Invalid request in signin token: ${e}`);
       error.status = 400;

diff --git a/api/src/utils.js b/api/src/utils.js
@@ -29,6 +29,7 @@ function hashPassword(password) {
 const looseUuidRegex = /^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$/;
 const cryptoHexRegex = /^[A-Fa-f0-9]{16,128}$/;
 const positiveIntegerRegex = /^\d+$/;
+const jwtRegex = /^[A-Za-z0-9-_=]+\.[A-Za-z0-9-_=]+\.?[A-Za-z0-9-_.+/=]*$/;
 
 module.exports = {
   validatePassword,
@@ -37,4 +38,5 @@ module.exports = {
   looseUuidRegex,
   positiveIntegerRegex,
   cryptoHexRegex,
+  jwtRegex,
 };