UI: Security patch (#12229)

## Addresses [confidential/2940](https://github.com/fleetdm/confidential/issues/2940) Patched a potential security issue in UI # Checklist for submitter If some of the following don't apply, delete the relevant line. - [x] Changes file added for user-visible changes in `changes/` - [x] Manual QA for all new/changed functionality --------- Co-authored-by: Jacob Shandling <jacob@fleetdm.com>
2024-11-06 00:45:19 +00:00 · 2023-06-08 13:13:27 -04:00 · 2023-06-08 13:13:27 -04:00 · 1c18765dfa
commit 1c18765dfa
parent c36e3ec4b0
4 changed files with 21 additions and 2 deletions
--- a/changes/security-patch
+++ b/changes/security-patch
@ -0,0 +1 @@
+* Patched a potential security issue
--- a/frontend/components/TooltipWrapper/TooltipWrapper.tsx
+++ b/frontend/components/TooltipWrapper/TooltipWrapper.tsx
@ -1,6 +1,8 @@
 import classnames from "classnames";
 import React from "react";

+import * as DOMPurify from "dompurify";
+
 interface ITooltipWrapperProps {
  children: string;
  tipContent: string;
@ -23,6 +25,8 @@ const TooltipWrapper = ({
    ? `${baseClass}__tip-text delayed-tip`
    : `${baseClass}__tip-text`;

+  const sanitizedTipContent = DOMPurify.sanitize(tipContent);
+
  return (
    <div className={classname} data-position={position}>
      <div className={`${baseClass}__element`}>
@ -31,7 +35,7 @@ const TooltipWrapper = ({
      </div>
      <div
        className={tipClass}
-        dangerouslySetInnerHTML={{ __html: tipContent }}
+        dangerouslySetInnerHTML={{ __html: sanitizedTipContent }}
      />
    </div>
  );
--- a/package.json
+++ b/package.json
@ -18,10 +18,12 @@
    "build-storybook": "storybook build"
  },
  "dependencies": {
+    "@types/dompurify": "3.0.2",
    "ace-builds": "1.4.12",
    "axios": "1.2.3",
    "core-js": "3.25.1",
    "date-fns": "2.28.0",
+    "dompurify": "3.0.3",
    "es6-object-assign": "1.1.0",
    "es6-promise": "4.2.8",
    "express": "4.17.3",
--- a/yarn.lock
+++ b/yarn.lock
@ -3333,6 +3333,13 @@
  resolved "https://registry.yarnpkg.com/@types/doctrine/-/doctrine-0.0.3.tgz#e892d293c92c9c1d3f9af72c15a554fbc7e0895a"
  integrity sha512-w5jZ0ee+HaPOaX25X2/2oGR/7rgAQSYII7X7pp0m9KgBfMP7uKfMfTvcpl5Dj+eDBbpxKGiqE+flqDr6XTd2RA==

+"@types/dompurify@^3.0.2":
+  version "3.0.2"
+  resolved "https://registry.yarnpkg.com/@types/dompurify/-/dompurify-3.0.2.tgz#c1cd33a475bc49c43c2a7900e41028e2136a4553"
+  integrity sha512-YBL4ziFebbbfQfH5mlC+QTJsvh0oJUrWbmxKMyEdL7emlHJqGR2Qb34TEFKj+VCayBvjKy3xczMFNhugThUsfQ==
+  dependencies:
+    "@types/trusted-types" "*"
+
 "@types/ejs@^3.1.1":
  version "3.1.2"
  resolved "https://registry.yarnpkg.com/@types/ejs/-/ejs-3.1.2.tgz#75d277b030bc11b3be38c807e10071f45ebc78d9"
@ -3780,7 +3787,7 @@
  resolved "https://registry.yarnpkg.com/@types/tough-cookie/-/tough-cookie-4.0.2.tgz#6286b4c7228d58ab7866d19716f3696e03a09397"
  integrity sha512-Q5vtl1W5ue16D+nIaW8JWebSSraJVlK+EthKn7e7UcD4KWsaSJ8BqGPXNaPghgtcn/fhvrN17Tv8ksUsQpiplw==

-"@types/trusted-types@^2.0.2":
+"@types/trusted-types@*", "@types/trusted-types@^2.0.2":
  version "2.0.3"
  resolved "https://registry.yarnpkg.com/@types/trusted-types/-/trusted-types-2.0.3.tgz#a136f83b0758698df454e328759dbd3d44555311"
  integrity sha512-NfQ4gyz38SL8sDNrSixxU2Os1a5xcdFxipAFxYEuLUlvU2uDwS4NUpsImcf1//SlWItCVMMLiylsxbmNMToV/g==
@ -6653,6 +6660,11 @@ domhandler@^4.0.0, domhandler@^4.2.0, domhandler@^4.3.0:
  dependencies:
    domelementtype "^2.2.0"

+dompurify@^3.0.3:
+  version "3.0.3"
+  resolved "https://registry.yarnpkg.com/dompurify/-/dompurify-3.0.3.tgz#4b115d15a091ddc96f232bcef668550a2f6f1430"
+  integrity sha512-axQ9zieHLnAnHh0sfAamKYiqXMJAVwu+LM/alQ7WDagoWessyWvMSFyW65CqF3owufNu8HBcE4cM2Vflu7YWcQ==
+
 domutils@^2.5.2, domutils@^2.8.0:
  version "2.8.0"
  resolved "https://registry.npmjs.org/domutils/-/domutils-2.8.0.tgz"