fix(core): Prevent XSS in user update endpoints (#10338)

Iván Ovejero
2024-08-12 10:06:15 +02:00
committed by GitHub
parent 4f392b5e3e
commit 78984986a6
3 changed files with 69 additions and 4 deletions


@@ -6,7 +6,7 @@ import { randomBytes } from 'crypto';
import { AuthService } from '@/auth/auth.service';
import { Delete, Get, Patch, Post, RestController } from '@/decorators';
import { PasswordUtility } from '@/services/password.utility';
import { validateEntity } from '@/GenericHelpers';
import { validateEntity, validateRecordNoXss } from '@/GenericHelpers';
import type { User } from '@db/entities/User';
import {
AuthenticatedRequest,
@@ -176,6 +176,8 @@ export class MeController {
throw new BadRequestError('Personalization answers are mandatory');
}
await validateRecordNoXss(personalizationAnswers);
await this.userRepository.save(
{
id: req.user.id,
@@ -237,6 +239,9 @@ export class MeController {
const payload = plainToInstance(UserSettingsUpdatePayload, req.body, {
excludeExtraneousValues: true,
});
await validateEntity(payload);
const { id } = req.user;
await this.userService.updateSettings(id, payload);