Merge pull request #1131 from InseeFr/fix/security-again

Fix/security again
InseeFr · Jan 22, 2025 · 432e5ec · 432e5ec
2 parents 53bbca8 + b767afb
commit 432e5ec
Show file tree

Hide file tree

Showing 3 changed files with 30 additions and 12 deletions.
diff --git a/src/packages/modules-operations/msd/documents/documents-bloc/document-list-item.tsx b/src/packages/modules-operations/msd/documents/documents-bloc/document-list-item.tsx
@@ -16,6 +16,18 @@ export const DocumentAsideInformation = ({
 	);
 };
 
+const validateUri = (uri: string): string => {
+	try {
+		const url = new URL(uri, window.location.origin);
+		if (url.protocol === 'http:' || url.protocol === 'https:') {
+			return url.href;
+		}
+		throw new Error('Invalid protocol');
+	} catch {
+		throw new Error('Invalid baseURI' + uri);
+	}
+};
+
 export const DocumentLink = ({
 	document,
 	localPrefix,
@@ -25,9 +37,15 @@ export const DocumentLink = ({
 	localPrefix: 'Lg1' | 'Lg2';
 	baseURI: string;
 }>) => {
-	const id = document.uri.substr(document.uri.lastIndexOf('/') + 1);
+	if (!document.uri) {
+		return null;
+	}
+
+	const safeBaseURI = validateUri(baseURI);
+
+	const id = document.uri.substring(document.uri.lastIndexOf('/') + 1);
 	const uri = isDocument(document)
-		? `${baseURI}/documents/document/${id}/file`
+		? `${safeBaseURI}documents/document/${encodeURIComponent(id)}/file`
 		: document.url;
 
 	const label =

diff --git a/src/packages/modules-operations/msd/documents/documents-bloc/index.spec.jsx b/src/packages/modules-operations/msd/documents/documents-bloc/index.spec.jsx
@@ -9,8 +9,8 @@ import { DocumentsBloc } from './index';
 
 const documents = [
 	{
-		uri: 'uri1-bis',
-		url: 'http:/google.fr?q=url-1',
+		uri: 'http://uri1-bis.fr',
+		url: 'http://google.fr?q=url-1',
 		updatedDate: '2019-03-04T10:00:00.000Z',
 		labelLg1: 'B labelLg1-0',
 		labelLg2: 'B labelLg2-0',
@@ -22,8 +22,8 @@ const documents = [
 		)}`,
 	},
 	{
-		uri: 'uri2-bis',
-		url: 'http:/google.fr?q=url-2',
+		uri: 'http://uri2-bis.fr',
+		url: 'http://google.fr?q=url-2',
 		updatedDate: '2019-04-04T10:00:00.000Z',
 		labelLg1: 'A labelLg1-1',
 		labelLg2: 'A labelLg2-1',
@@ -34,8 +34,8 @@ const documents = [
 		)}`,
 	},
 	{
-		uri: 'uri3-bis',
-		url: 'http:/google.fr?q=url-2',
+		uri: 'http://uri3-bis.fr',
+		url: 'http://google.fr?q=url-2',
 		labelLg1: 'Z labelLg1-2',
 		labelLg2: 'Z labelLg2-2',
 		lang: 'fr',

diff --git a/src/packages/modules-operations/msd/pages/sims-visualisation/sims-block-richtext.spec.jsx b/src/packages/modules-operations/msd/pages/sims-visualisation/sims-block-richtext.spec.jsx
@@ -18,24 +18,24 @@ const documents = {
 		{
 			labelLg1: 'Page 1',
 			labelLg2: 'Page 2',
-			uri: '/page/1',
+			uri: 'http://page/1',
 		},
 		{
 			labelLg1: 'Document 1',
 			labelLg2: 'Document 2',
-			uri: '/document/1',
+			uri: 'http://document/1',
 		},
 	],
 	documentsLg2: [
 		{
 			labelLg1: 'Page 1',
 			labelLg2: 'Page 2',
-			uri: '/page/1',
+			uri: 'http://page/1',
 		},
 		{
 			labelLg1: 'Document 1',
 			labelLg2: 'Document 2',
-			uri: '/document/1',
+			uri: 'http://document/1',
 		},
 	],
 };