Fix security related problems (#1522)

* Remove unnecessary capture group from regex Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de> * Rename component to make name more expressive Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de> * Remove redundant expression Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de> * Filter vbscript links Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de> * Remove superfluous parameter Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de> * Check if handler is set Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de> * Fix doc Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
2025-04-04 18:07:03 +00:00 · 2021-10-01 22:51:57 +02:00 · 2021-10-01 22:51:57 +02:00 · 87d6285da5
commit 87d6285da5
parent 0e512531a0
8 changed files with 17 additions and 11 deletions
--- a/src/components/common/routing/note-direct-link-redirector.tsx
+++ b/src/components/common/routing/note-direct-link-redirector.tsx
@ -15,9 +15,12 @@ interface RouteParameters {
  id: string
 }

-export const Redirector: React.FC = () => {
+/**
+ * Redirects the user to the editor if the link is a root level direct link to a version 1 note.
+ */
+export const NoteDirectLinkRedirector: React.FC = () => {
  const { id } = useParams<RouteParameters>()
-  const [error, setError] = useState<boolean | null>(null)
+  const [error, setError] = useState<boolean | undefined>(undefined)

  useEffect(() => {
    getNote(id)
@ -25,9 +28,9 @@ export const Redirector: React.FC = () => {
      .catch(() => setError(true))
  }, [id])

-  if (error) {
+  if (error === true) {
    return <NotFoundErrorScreen />
-  } else if (!error && error != null) {
+  } else if (error === false) {
    return <Redirect to={`/n/${id}`} />
  } else {
    return <span>Loading</span>
--- a/src/components/editor-page/editor-pane/autocompletion/code-block.ts
+++ b/src/components/editor-page/editor-pane/autocompletion/code-block.ts
@ -12,7 +12,7 @@ import { Logger } from '../../../../utils/logger'
 type highlightJsImport = typeof import('../../../common/hljs/hljs')

 const log = new Logger('Autocompletion > CodeBlock')
-const wordRegExp = /^```((\w|-|_|\+)*)$/
+const wordRegExp = /^```((?:\w|-|_|\+)*)$/
 let allSupportedLanguages: string[] = []

 /**
--- a/src/components/editor-page/editor-pane/autocompletion/container.ts
+++ b/src/components/editor-page/editor-pane/autocompletion/container.ts
@ -8,7 +8,7 @@ import { Editor, Hint, Hints, Pos } from 'codemirror'
 import { validAlertLevels } from '../../../markdown-renderer/markdown-it-plugins/alert-container'
 import { findWordAtCursor, Hinter } from './index'

-const wordRegExp = /^:::((\w|-|_|\+)*)$/
+const wordRegExp = /^:::((?:\w|-|_|\+)*)$/
 const spoilerSuggestion: Hint = {
  text: ':::spoiler Toggle label\nToggled content\n::: \n',
  displayText: 'spoiler'
--- a/src/components/markdown-renderer/replace-components/link-replacer/link-replacer.tsx
+++ b/src/components/markdown-renderer/replace-components/link-replacer/link-replacer.tsx
@ -36,7 +36,7 @@ export class LinkReplacer extends ComponentReplacer {
    const url = node.attribs.href.trim()

    // eslint-disable-next-line no-script-url
-    if (url.startsWith('data:') || url.startsWith('javascript:')) {
+    if (url.startsWith('data:') || url.startsWith('javascript:') || url.startsWith('vbscript:')) {
      return <span>{node.attribs.href}</span>
    }

--- a/src/components/markdown-renderer/utils/html-react-transformer.tsx
+++ b/src/components/markdown-renderer/utils/html-react-transformer.tsx
@ -96,7 +96,7 @@ export const buildTransformer = (
      return convertNodeToReactElement(node, index)
    }
    const nativeRenderer: NativeRenderer = () => renderNativeNode(node, key, transform)
-    const subNodeTransform: SubNodeTransform = (subNode, subKey) => transform(subNode, subKey, transform)
+    const subNodeTransform: SubNodeTransform = (subNode, subKey) => transform(subNode, subKey)

    const key = calculateKeyFromLineMarker(node, lineKeys) ?? (-index).toString()
    const tryReplacement = findNodeReplacement(node, allReplacers, subNodeTransform, nativeRenderer)
--- a/src/components/render-page/window-post-message-communicator/window-post-message-communicator.ts
+++ b/src/components/render-page/window-post-message-communicator/window-post-message-communicator.ts
@ -121,6 +121,9 @@ export abstract class WindowPostMessageCommunicator<
  protected handleEvent(event: MessageEvent<PostMessage<RECEIVE_TYPE>>): boolean | undefined {
    const data = event.data

+    if (!(data.type in this.handlers)) {
+      return true
+    }
    const handler = this.handlers[data.type]
    if (!handler) {
      return true
--- a/src/index.tsx
+++ b/src/index.tsx
@ -10,7 +10,7 @@ import { Provider } from 'react-redux'
 import { BrowserRouter as Router, Redirect, Route, Switch } from 'react-router-dom'
 import { ApplicationLoader } from './components/application-loader/application-loader'
 import { NotFoundErrorScreen } from './components/common/routing/not-found-error-screen'
-import { Redirector } from './components/common/routing/redirector'
+import { NoteDirectLinkRedirector } from './components/common/routing/note-direct-link-redirector'
 import { ErrorBoundary } from './components/error-boundary/error-boundary'
 import { HistoryPage } from './components/history-page/history-page'
 import { IntroPage } from './components/intro-page/intro-page'
@ -83,7 +83,7 @@ ReactDOM.render(
              <DocumentReadOnlyPage />
            </Route>
            <Route path='/:id'>
-              <Redirector />
+              <NoteDirectLinkRedirector />
            </Route>
            <Route path='/'>
              <Redirect to='/intro' />
--- a/src/redux/note-details/reducer.ts
+++ b/src/redux/note-details/reducer.ts
@ -158,7 +158,7 @@ const generateNoteTitle = (frontmatter: NoteFrontmatter, firstHeading?: string)
  ) {
    return (frontmatter?.opengraph.get('title') ?? firstHeading ?? '').trim()
  } else {
-    return (firstHeading ?? firstHeading ?? '').trim()
+    return (firstHeading ?? '').trim()
  }
 }