web/flows: use dompurify for footer links (#11773)

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2024-10-23 11:15:23 +02:00
parent 12dbdfaf66
commit a5a26a50c6
4 changed files with 91 additions and 15 deletions
--- a/web/package-lock.json
+++ b/web/package-lock.json
@ -24,6 +24,7 @@
                "@formatjs/intl-listformat": "^7.5.7",
                "@fortawesome/fontawesome-free": "^6.6.0",
                "@goauthentik/api": "^2024.8.3-1729630021",
+                "@lit-labs/ssr": "^3.2.2",
                "@lit/context": "^1.1.2",
                "@lit/localize": "^0.12.2",
                "@lit/reactive-element": "^2.0.4",
@ -41,6 +42,7 @@
                "construct-style-sheets-polyfill": "^3.1.0",
                "core-js": "^3.38.1",
                "country-flag-icons": "^1.5.13",
+                "dompurify": "^3.1.7",
                "fuse.js": "^7.0.0",
                "guacamole-common-js": "^1.5.0",
                "lit": "^3.2.0",
@ -69,6 +71,7 @@
                "@trivago/prettier-plugin-sort-imports": "^4.3.0",
                "@types/chart.js": "^2.9.41",
                "@types/codemirror": "^5.60.15",
+                "@types/dompurify": "^3.0.5",
                "@types/eslint__js": "^8.42.3",
                "@types/grecaptcha": "^3.0.9",
                "@types/guacamole-common-js": "^1.5.2",
@ -2459,11 +2462,50 @@
                "@lezer/lr": "^1.0.0"
            }
        },
+        "node_modules/@lit-labs/ssr": {
+            "version": "3.2.2",
+            "resolved": "https://registry.npmjs.org/@lit-labs/ssr/-/ssr-3.2.2.tgz",
+            "integrity": "sha512-He5TzeNPM9ECmVpgXRYmVlz0UA5YnzHlT43kyLi2Lu6mUidskqJVonk9W5K699+2DKhoXp8Ra4EJmHR6KrcW1Q==",
+            "license": "BSD-3-Clause",
+            "dependencies": {
+                "@lit-labs/ssr-client": "^1.1.7",
+                "@lit-labs/ssr-dom-shim": "^1.2.0",
+                "@lit/reactive-element": "^2.0.4",
+                "@parse5/tools": "^0.3.0",
+                "@types/node": "^16.0.0",
+                "enhanced-resolve": "^5.10.0",
+                "lit": "^3.1.2",
+                "lit-element": "^4.0.4",
+                "lit-html": "^3.1.2",
+                "node-fetch": "^3.2.8",
+                "parse5": "^7.1.1"
+            },
+            "engines": {
+                "node": ">=13.9.0"
+            }
+        },
+        "node_modules/@lit-labs/ssr-client": {
+            "version": "1.1.7",
+            "resolved": "https://registry.npmjs.org/@lit-labs/ssr-client/-/ssr-client-1.1.7.tgz",
+            "integrity": "sha512-VvqhY/iif3FHrlhkzEPsuX/7h/NqnfxLwVf0p8ghNIlKegRyRqgeaJevZ57s/u/LiFyKgqksRP5n+LmNvpxN+A==",
+            "license": "BSD-3-Clause",
+            "dependencies": {
+                "@lit/reactive-element": "^2.0.4",
+                "lit": "^3.1.2",
+                "lit-html": "^3.1.2"
+            }
+        },
        "node_modules/@lit-labs/ssr-dom-shim": {
            "version": "1.2.1",
            "resolved": "https://registry.npmjs.org/@lit-labs/ssr-dom-shim/-/ssr-dom-shim-1.2.1.tgz",
            "integrity": "sha512-wx4aBmgeGvFmOKucFKY+8VFJSYZxs9poN3SDNQFF6lT6NrQUnHiPB2PWz2sc4ieEcAaYYzN+1uWahEeTq2aRIQ=="
        },
+        "node_modules/@lit-labs/ssr/node_modules/@types/node": {
+            "version": "16.18.114",
+            "resolved": "https://registry.npmjs.org/@types/node/-/node-16.18.114.tgz",
+            "integrity": "sha512-7oAtnxrgkMNzyzT443UDWwzkmYew81F1ZSPm3/lsITJfW/WludaSOpegTvUG+UdapcbrtWOtY/E4LyTkhPGJ5Q==",
+            "license": "MIT"
+        },
        "node_modules/@lit/context": {
            "version": "1.1.2",
            "resolved": "https://registry.npmjs.org/@lit/context/-/context-1.1.2.tgz",
@ -3027,7 +3069,6 @@
            "version": "0.3.0",
            "resolved": "https://registry.npmjs.org/@parse5/tools/-/tools-0.3.0.tgz",
            "integrity": "sha512-zxRyTHkqb7WQMV8kTNBKWb1BeOFUKXBXTBWuxg9H9hfvQB3IwP6Iw2U75Ia5eyRxPNltmY7E8YAlz6zWwUnjKg==",
-            "dev": true,
            "dependencies": {
                "parse5": "^7.0.0"
            }
@ -5629,6 +5670,16 @@
                "@types/node": "*"
            }
        },
+        "node_modules/@types/dompurify": {
+            "version": "3.0.5",
+            "resolved": "https://registry.npmjs.org/@types/dompurify/-/dompurify-3.0.5.tgz",
+            "integrity": "sha512-1Wg0g3BtQF7sSb27fJQAKck1HECM6zV1EB66j8JH9i3LCjYabJa0FSdiSgsD5K/RbrsR0SiraKacLB+T8ZVYAg==",
+            "dev": true,
+            "license": "MIT",
+            "dependencies": {
+                "@types/trusted-types": "*"
+            }
+        },
        "node_modules/@types/eslint": {
            "version": "9.6.1",
            "resolved": "https://registry.npmjs.org/@types/eslint/-/eslint-9.6.1.tgz",
@ -9676,7 +9727,6 @@
            "version": "4.0.1",
            "resolved": "https://registry.npmjs.org/data-uri-to-buffer/-/data-uri-to-buffer-4.0.1.tgz",
            "integrity": "sha512-0R9ikRb668HB7QDxT1vkpuUBtqc53YyAwMwGeUFKRojY/NWKvdZ+9UYtRfGmhqNbRkTSVpMbmyhXipFFv2cb/A==",
-            "dev": true,
            "engines": {
                "node": ">= 12"
            }
@ -10053,9 +10103,10 @@
            }
        },
        "node_modules/dompurify": {
-            "version": "3.1.6",
-            "resolved": "https://registry.npmjs.org/dompurify/-/dompurify-3.1.6.tgz",
-            "integrity": "sha512-cTOAhc36AalkjtBpfG6O8JimdTMWNXjiePT2xQH/ppBGi/4uIpmj8eKyIkMJErXWARyINV/sB38yf8JCLF5pbQ=="
+            "version": "3.1.7",
+            "resolved": "https://registry.npmjs.org/dompurify/-/dompurify-3.1.7.tgz",
+            "integrity": "sha512-VaTstWtsneJY8xzy7DekmYWEOZcmzIe3Qb3zPd4STve1OBTa+e+WmS1ITQec1fZYXI3HCsOZZiSMpG6oxoWMWQ==",
+            "license": "(MPL-2.0 OR Apache-2.0)"
        },
        "node_modules/domutils": {
            "version": "3.1.0",
@ -10278,7 +10329,6 @@
            "version": "5.17.1",
            "resolved": "https://registry.npmjs.org/enhanced-resolve/-/enhanced-resolve-5.17.1.tgz",
            "integrity": "sha512-LMHl3dXhTcfv8gM4kEzIUeTQ+7fpdA0l2tUf34BddXPkz2A5xJ5L/Pchd5BL6rdccM9QGvu0sWZzK1Z1t4wwyg==",
-            "dev": true,
            "dependencies": {
                "graceful-fs": "^4.2.4",
                "tapable": "^2.2.0"
@ -10316,7 +10366,6 @@
            "version": "4.5.0",
            "resolved": "https://registry.npmjs.org/entities/-/entities-4.5.0.tgz",
            "integrity": "sha512-V0hjH4dGPh9Ao5p0MoRY6BVqtwCjhz6vI5LT8AJ55H+4g9/4vbHx1I54fS0XuclLhDHArPQCiMjDxjaL8fPxhw==",
-            "dev": true,
            "engines": {
                "node": ">=0.12"
            },
@ -12518,8 +12567,7 @@
        "node_modules/graceful-fs": {
            "version": "4.2.11",
            "resolved": "https://registry.npmjs.org/graceful-fs/-/graceful-fs-4.2.11.tgz",
-            "integrity": "sha512-RbJ5/jmFcNNCcDV5o9eTnBLJ/HszWV0P73bc+Ff4nS/rJj+YaS6IGyiOL0VoBYX+l1Wrl3k63h/KrH+nhJ0XvQ==",
-            "dev": true
+            "integrity": "sha512-RbJ5/jmFcNNCcDV5o9eTnBLJ/HszWV0P73bc+Ff4nS/rJj+YaS6IGyiOL0VoBYX+l1Wrl3k63h/KrH+nhJ0XvQ=="
        },
        "node_modules/grapheme-splitter": {
            "version": "1.0.4",
@ -14969,6 +15017,12 @@
                "uuid": "^9.0.1"
            }
        },
+        "node_modules/mermaid/node_modules/dompurify": {
+            "version": "3.1.6",
+            "resolved": "https://registry.npmjs.org/dompurify/-/dompurify-3.1.6.tgz",
+            "integrity": "sha512-cTOAhc36AalkjtBpfG6O8JimdTMWNXjiePT2xQH/ppBGi/4uIpmj8eKyIkMJErXWARyINV/sB38yf8JCLF5pbQ==",
+            "license": "(MPL-2.0 OR Apache-2.0)"
+        },
        "node_modules/methods": {
            "version": "1.1.2",
            "resolved": "https://registry.npmjs.org/methods/-/methods-1.1.2.tgz",
@ -15649,7 +15703,6 @@
            "version": "3.3.2",
            "resolved": "https://registry.npmjs.org/node-fetch/-/node-fetch-3.3.2.tgz",
            "integrity": "sha512-dRB78srN/l6gqWulah9SrxeYnxeddIG30+GOqK/9OlLVyLg3HPnr6SqOWTWOXKRwC2eGYCkZ59NNuSgvSrpgOA==",
-            "dev": true,
            "dependencies": {
                "data-uri-to-buffer": "^4.0.0",
                "fetch-blob": "^3.1.4",
@ -16588,7 +16641,6 @@
            "version": "7.1.2",
            "resolved": "https://registry.npmjs.org/parse5/-/parse5-7.1.2.tgz",
            "integrity": "sha512-Czj1WaSVpaoj0wbhMzLmWD69anp2WH7FXMB9n1Sy8/ZFF9jolSQVMu1Ij5WIyGmcBmhk7EOndpO4mIpihVqAXw==",
-            "dev": true,
            "dependencies": {
                "entities": "^4.4.0"
            },
@ -19574,7 +19626,6 @@
            "version": "2.2.1",
            "resolved": "https://registry.npmjs.org/tapable/-/tapable-2.2.1.tgz",
            "integrity": "sha512-GNzQvQTOIP6RyTfE2Qxb8ZVlNmw0n88vp1szwWRimP02mnTsx3Wtn5qRdqY9w2XduFNUgvOwhNnQsjwCp+kqaQ==",
-            "dev": true,
            "engines": {
                "node": ">=6"
            }
--- a/web/package.json
+++ b/web/package.json
@ -12,6 +12,7 @@
        "@formatjs/intl-listformat": "^7.5.7",
        "@fortawesome/fontawesome-free": "^6.6.0",
        "@goauthentik/api": "^2024.8.3-1729630021",
+        "@lit-labs/ssr": "^3.2.2",
        "@lit/context": "^1.1.2",
        "@lit/localize": "^0.12.2",
        "@lit/reactive-element": "^2.0.4",
@ -29,6 +30,7 @@
        "construct-style-sheets-polyfill": "^3.1.0",
        "core-js": "^3.38.1",
        "country-flag-icons": "^1.5.13",
+        "dompurify": "^3.1.7",
        "fuse.js": "^7.0.0",
        "guacamole-common-js": "^1.5.0",
        "lit": "^3.2.0",
@ -57,6 +59,7 @@
        "@trivago/prettier-plugin-sort-imports": "^4.3.0",
        "@types/chart.js": "^2.9.41",
        "@types/codemirror": "^5.60.15",
+        "@types/dompurify": "^3.0.5",
        "@types/eslint__js": "^8.42.3",
        "@types/grecaptcha": "^3.0.9",
        "@types/guacamole-common-js": "^1.5.2",
--- a/web/src/common/purify.ts
+++ b/web/src/common/purify.ts
@ -0,0 +1,17 @@
+import DOMPurify from "dompurify";
+
+import { render } from "@lit-labs/ssr";
+import { collectResult } from "@lit-labs/ssr/lib/render-result.js";
+import { TemplateResult, html } from "lit";
+import { unsafeHTML } from "lit/directives/unsafe-html.js";
+import { until } from "lit/directives/until.js";
+
+export function purify(input: TemplateResult): TemplateResult {
+    return html`${until(
+        (async () => {
+            const rendered = await collectResult(render(input));
+            const purified = DOMPurify.sanitize(rendered);
+            return html`${unsafeHTML(purified)}`;
+        })(),
+    )}`;
+}
--- a/web/src/flow/FlowExecutor.ts
+++ b/web/src/flow/FlowExecutor.ts
@ -5,6 +5,7 @@ import {
    TITLE_DEFAULT,
 } from "@goauthentik/common/constants";
 import { globalAK } from "@goauthentik/common/global";
+import { purify } from "@goauthentik/common/purify";
 import { configureSentry } from "@goauthentik/common/sentry";
 import { first } from "@goauthentik/common/utils";
 import { WebsocketClient } from "@goauthentik/common/ws";
@ -518,9 +519,13 @@ export class FlowExecutor extends Interface implements StageHost {
                                            <ul class="pf-c-list pf-m-inline">
                                                ${this.brand?.uiFooterLinks?.map((link) => {
                                                    if (link.href) {
-                                                        return html`<li>
-                                                            <a href="${link.href}">${link.name}</a>
-                                                        </li>`;
+                                                        return html`${purify(
+                                                            html`<li>
+                                                                <a href="${link.href}"
+                                                                    >${link.name}</a
+                                                                >
+                                                            </li>`,
+                                                        )}`;
                                                    }
                                                    return html`<li>
                                                        <span>${link.name}</span>