fix(api): 🔒 Correctly put all URIs in profiles through proxy

2026-03-13 13:59:16 +01:00 · 2024-11-22 15:06:46 +01:00 · 2024-11-22 15:06:46 +01:00 · 569ba8bf2d
commit 569ba8bf2d
parent bd1f09837b
3 changed files with 79 additions and 12 deletions
--- a/api/api/v1/accounts/update_credentials/index.test.ts
+++ b/api/api/v1/accounts/update_credentials/index.test.ts
@ -0,0 +1,68 @@
+import { afterAll, describe, expect, test } from "bun:test";
+import type { Account as APIAccount } from "@versia/client/types";
+import { config } from "~/packages/config-manager/index.ts";
+import { fakeRequest, getTestUsers } from "~/tests/utils";
+import { meta } from "./index.ts";
+
+const { tokens, deleteUsers } = await getTestUsers(1);
+
+afterAll(async () => {
+    await deleteUsers();
+});
+
+// /api/v1/accounts/update_credentials
+describe(meta.route, () => {
+    describe("HTML injection testing", () => {
+        test("should not allow HTML injection", async () => {
+            const response = await fakeRequest(meta.route, {
+                method: "PATCH",
+                headers: {
+                    Authorization: `Bearer ${tokens[0].data.accessToken}`,
+                },
+                body: new URLSearchParams({
+                    note: "Hi! <script>alert('Hello, world!');</script>",
+                }),
+            });
+
+            expect(response.status).toBe(200);
+            expect(response.headers.get("content-type")).toContain(
+                "application/json",
+            );
+
+            const object = (await response.json()) as APIAccount;
+
+            expect(object.note).toBe(
+                "<p>Hi! &lt;script&gt;alert('Hello, world!');&lt;/script&gt;</p>\n",
+            );
+        });
+
+        test("should rewrite all image and video src to go through proxy", async () => {
+            const response = await fakeRequest(meta.route, {
+                method: "PATCH",
+                headers: {
+                    Authorization: `Bearer ${tokens[0].data.accessToken}`,
+                },
+                body: new URLSearchParams({
+                    note: "<img src='https://example.com/image.jpg'> <video src='https://example.com/video.mp4'> Test!",
+                }),
+            });
+
+            expect(response.status).toBe(200);
+            expect(response.headers.get("content-type")).toContain(
+                "application/json",
+            );
+
+            const object = (await response.json()) as APIAccount;
+            // Proxy url is base_url/media/proxy/<base64url encoded url>
+            expect(object.note).toBe(
+                `<p><img src="${config.http.base_url}/media/proxy/${Buffer.from(
+                    "https://example.com/image.jpg",
+                ).toString("base64url")}"> <video src="${
+                    config.http.base_url
+                }/media/proxy/${Buffer.from(
+                    "https://example.com/video.mp4",
+                ).toString("base64url")}"> Test!</p>\n`,
+            );
+        });
+    });
+});