NotificationsYou must be signed in to change notification settings
Fork1k
Star11.1k

Commit812d72c

authored

fix: sanitize app status summary (#19075)

1 parent29486f9 commit812d72cCopy full SHA for 812d72c

File tree

5 files changed

+86

-3

lines changed

coderd
- util/strings
  - strings.go
  - strings_test.go
- workspaceagents.go
codersdk/toolsdk
- toolsdk.go
go.mod

5 files changed

+86

-3

lines changed

`‎coderd/util/strings/strings.go‎`

Lines changed: 40 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -2,7 +2,12 @@ package strings`
`2`	`2`
`3`	`3`	`import (`
`4`	`4`	`"fmt"`
	`5`	`+"strconv"`
`5`	`6`	`"strings"`
	`7`	`+"unicode"`
	`8`	`+`
	`9`	`+"github.com/acarl005/stripansi"`
	`10`	`+"github.com/microcosm-cc/bluemonday"`
`6`	`11`	`)`
`7`	`12`
`8`	`13`	`// JoinWithConjunction joins a slice of strings with commas except for the last`
`@@ -28,3 +33,38 @@ func Truncate(s string, n int) string {`
`28`	`33`	`}`
`29`	`34`	`returns[:n]`
`30`	`35`	`}`
	`36`	`+`
	`37`	`+varbmPolicy=bluemonday.StrictPolicy()`
	`38`	`+`
	`39`	`+// UISanitize sanitizes a string for display in the UI.`
	`40`	`+// The following transformations are applied, in order:`
	`41`	`+// - HTML tags are removed using bluemonday's strict policy.`
	`42`	`+// - ANSI escape codes are stripped using stripansi.`
	`43`	`+// - Consecutive backslashes are replaced with a single backslash.`
	`44`	`+// - Non-printable characters are removed.`
	`45`	`+// - Whitespace characters are replaced with spaces.`
	`46`	`+// - Multiple spaces are collapsed into a single space.`
	`47`	`+// - Leading and trailing whitespace is trimmed.`
	`48`	`+funcUISanitize(instring)string {`
	`49`	+ifunq,err:=strconv.Unquote(`"`+in+`"`);err==nil {
	`50`	`+in=unq`
	`51`	`+}`
	`52`	`+in=bmPolicy.Sanitize(in)`
	`53`	`+in=stripansi.Strip(in)`
	`54`	`+varb strings.Builder`
	`55`	`+varspaceSeenbool`
	`56`	`+for_,r:=rangein {`
	`57`	`+ifunicode.IsSpace(r) {`
	`58`	`+if!spaceSeen {`
	`59`	`+_,_=b.WriteRune(' ')`
	`60`	`+spaceSeen=true`
	`61`	`+}`
	`62`	`+continue`
	`63`	`+}`
	`64`	`+spaceSeen=false`
	`65`	`+ifunicode.IsPrint(r) {`
	`66`	`+_,_=b.WriteRune(r)`
	`67`	`+}`
	`68`	`+}`
	`69`	`+returnstrings.TrimSpace(b.String())`
	`70`	`+}`

`‎coderd/util/strings/strings_test.go‎`

Lines changed: 39 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -3,6 +3,7 @@ package strings_test`
`3`	`3`	`import (`
`4`	`4`	`"testing"`
`5`	`5`
	`6`	`+"github.com/stretchr/testify/assert"`
`6`	`7`	`"github.com/stretchr/testify/require"`
`7`	`8`
`8`	`9`	`"github.com/coder/coder/v2/coderd/util/strings"`
`@@ -37,3 +38,41 @@ func TestTruncate(t *testing.T) {`
`37`	`38`	`})`
`38`	`39`	`}`
`39`	`40`	`}`
	`41`	`+`
	`42`	`+funcTestUISanitize(t*testing.T) {`
	`43`	`+t.Parallel()`
	`44`	`+`
	`45`	`+for_,tt:=range []struct {`
	`46`	`+sstring`
	`47`	`+expectedstring`
	`48`	`+}{`
	`49`	`+{"normal text","normal text"},`
	`50`	`+{"\tfoo\r\\nbar ","foo bar"},`
	`51`	`+{"通常のテキスト","通常のテキスト"},`
	`52`	`+{"foo\nbar","foo bar"},`
	`53`	`+{"foo\tbar","foo bar"},`
	`54`	`+{"foo\rbar","foo bar"},`
	`55`	`+{"foo\x00bar","foobar"},`
	`56`	`+{"\u202Eabc","abc"},`
	`57`	`+{"\u200Bzero width","zero width"},`
	`58`	`+{"foo\x1b[31mred\x1b[0mbar","fooredbar"},`
	`59`	`+{"foo\u0008bar","foobar"},`
	`60`	`+{"foo\x07bar","foobar"},`
	`61`	`+{"foo\uFEFFbar","foobar"},`
	`62`	`+{"<a href='#"diff-e99e8d46008f3a35d8be0d02f24a58546a44af5e150a402c76773924baaa2c99-39-63-0" data-selected="false" role="gridcell" tabindex="-1" valign="top">`	`63`	`+{"<style>body{display:none}</style>",""},`
	`64`	`+{"<html>HTML</html>","HTML"},`
	`65`	`+{"<br>line break","line break"},`
	`66`	`+{"<link rel='stylesheet' href='evil.css'>",""},`
	`67`	`+{"<img src=1 onerror=alert(1)>",""},`
	`68`	`+{"<!-- comment -->visible","visible"},`
	`69`	`+{"<script>alert('xss')</script>",""},`
	`70`	`+{"<iframe src='evil.com'></iframe>",""},`
	`71`	`+} {`
	`72`	`+t.Run(tt.expected,func(t*testing.T) {`
	`73`	`+t.Parallel()`
	`74`	`+actual:=strings.UISanitize(tt.s)`
	`75`	`+assert.Equal(t,tt.expected,actual)`
	`76`	`+})`
	`77`	`+}`
	`78`	`+}`

`‎coderd/workspaceagents.go‎`

Lines changed: 5 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -41,6 +41,7 @@ import (`
`41`	`41`	`"github.com/coder/coder/v2/coderd/rbac/policy"`
`42`	`42`	`"github.com/coder/coder/v2/coderd/telemetry"`
`43`	`43`	`maputil"github.com/coder/coder/v2/coderd/util/maps"`
	`44`	`+strutil"github.com/coder/coder/v2/coderd/util/strings"`
`44`	`45`	`"github.com/coder/coder/v2/coderd/wspubsub"`
`45`	`46`	`"github.com/coder/coder/v2/codersdk"`
`46`	`47`	`"github.com/coder/coder/v2/codersdk/agentsdk"`
`@@ -383,6 +384,9 @@ func (api API) patchWorkspaceAgentAppStatus(rw http.ResponseWriter, r http.Req`
`383`	`384`	`return`
`384`	`385`	`}`
`385`	`386`
	`387`	`+// Treat the message as untrusted input.`
	`388`	`+cleaned:=strutil.UISanitize(req.Message)`
	`389`	`+`
`386`	`390`	`// nolint:gocritic // This is a system restricted operation.`
`387`	`391`	`_,err=api.Database.InsertWorkspaceAppStatus(dbauthz.AsSystemRestricted(ctx), database.InsertWorkspaceAppStatusParams{`
`388`	`392`	`ID:uuid.New(),`
`@@ -391,7 +395,7 @@ func (api API) patchWorkspaceAgentAppStatus(rw http.ResponseWriter, r http.Req`
`391`	`395`	`AgentID:workspaceAgent.ID,`
`392`	`396`	`AppID:app.ID,`
`393`	`397`	`State:database.WorkspaceAppStatusState(req.State),`
`394`		`-Message:req.Message,`
	`398`	`+Message:cleaned,`
`395`	`399`	`Uri: sql.NullString{`
`396`	`400`	`String:req.URI,`
`397`	`401`	`Valid:req.URI!="",`

`‎codersdk/toolsdk/toolsdk.go‎`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -229,7 +229,7 @@ ONLY report an "idle" or "failure" state if you have FULLY completed the task.`
`229`	`229`	`Properties:map[string]any{`
`230`	`230`	`"summary":map[string]any{`
`231`	`231`	`"type":"string",`
`232`		`-"description":"A concise summary of your current progress on the task. This must be less than 160 characters in length.",`
	`232`	`+"description":"A concise summary of your current progress on the task. This must be less than 160 characters in length and must not include newlines or other control characters.",`
`233`	`233`	`},`
`234`	`234`	`"link":map[string]any{`
`235`	`235`	`"type":"string",`

`‎go.mod‎`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -365,7 +365,7 @@ require (`
`365`	`365`	`github.com/mdlayher/netlinkv1.7.2// indirect`
`366`	`366`	`github.com/mdlayher/sdnotifyv1.0.0// indirect`
`367`	`367`	`github.com/mdlayher/socketv0.5.0// indirect`
`368`		`-github.com/microcosm-cc/bluemondayv1.0.27// indirect`
	`368`	`+github.com/microcosm-cc/bluemondayv1.0.27`
`369`	`369`	`github.com/miekg/dnsv1.1.57// indirect`
`370`	`370`	`github.com/mitchellh/copystructurev1.2.0// indirect`
`371`	`371`	`github.com/mitchellh/go-homedirv1.1.0// indirect`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit812d72c

File tree

5 files changed

5 files changed

`‎coderd/util/strings/strings.go‎`

`‎coderd/util/strings/strings_test.go‎`

`‎coderd/workspaceagents.go‎`

`‎codersdk/toolsdk/toolsdk.go‎`

`‎go.mod‎`

0 commit comments