From 0a5945afb7243b14389db7fb3dc954f7832e1778 Mon Sep 17 00:00:00 2001
From: Mike Kao
Date: Wed, 10 Jan 2024 16:55:37 +0000
Subject: [PATCH] logging and eslint fixes. Prevent log injection and properly import as types

---
server/index.ts | 19 ++++++++++++++-----
server/routes/auth.ts | 5 +++--
2 files changed, 17 insertions(+), 7 deletions(-)

diff --git a/server/index.ts b/server/index.ts
index 3e61d9e9ea..c6727b8e1b 100644
--- a/server/index.ts
+++ b/server/index.ts
@@ -35,6 +35,8 @@ import next from 'next';
import path from 'path';
import swaggerUi from 'swagger-ui-express';
import YAML from 'yamljs';
+import xss from 'xss';
+import validator from 'validator';
const API_SPEC_PATH = path.join(__dirname, '../overseerr-api.yml');
@@ -45,12 +47,19 @@ const handle = app.getRequestHandler();
const logMiddleware = (req: Request, res: Response, next: NextFunction) => {
// Log information about the incoming request
- logger.debug(`Request Method: ${req.method}`);
- logger.debug(`Request URL: ${req.url}`);
- logger.debug(`Request Headers: ${JSON.stringify(req.headers)}`);
- logger.debug(`Request Body: ${JSON.stringify(req.body)}`);
+ logger.debug(`Request Method: ${xss(req.method)}`);
+ logger.debug(`Request URL: ${xss(req.url)}`);
+
+ const sanitizedHeaders = JSON.stringify(req.headers, (key, value) =>
+ typeof value === 'string' ? validator.escape(value) : value
+ );
+ logger.debug(`Request Headers: ${sanitizedHeaders}`);
+
+ const sanitizedBody = JSON.stringify(req.body, (key, value) =>
+ typeof value === 'string' ? validator.escape(value) : value
+ );
+ logger.debug(`Request Body: ${sanitizedBody}`);
- // Continue processing the request
next();
};
diff --git a/server/routes/auth.ts b/server/routes/auth.ts
index 0fe59a5160..de0832d219 100644
--- a/server/routes/auth.ts
+++ b/server/routes/auth.ts
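Review bot: HTML escaping does not address log injection — neither `xss()` nor `validator.escape()` removes CR/LF or other control characters, so a value that can carry a raw newline still forges a log line, while the `&amp;`/`&#x2F;` rewrites make the recorded URL, headers and body diverge from what was actually received, which is the opposite of what a forensic log needs. `JSON.stringify` already escapes control characters inside string values, so the headers/body lines never needed a replacer for that purpose; `req.method` and `req.url`, which are interpolated raw, are the two places to strip control characters instead. The more consequential gap these lines leave is that every header (`Authorization`, `Cookie`, `X-Api-Key`) and the full body — presumably including the password of a local login, to be confirmed against the auth routes — are written to the log at debug level, and a replacer that redacts those keys is the check I would add. Whether `xss` and `validator` are already dependencies of this package is not visible here; if they are not, this commit adds two third-party packages to the supply chain for a job a one-line regex does, so I would drop both imports. Sketch of the middleware as I would write it:

```typescript
const logMiddleware = (req: Request, res: Response, next: NextFunction) => {
  // Log injection is about control characters (CR/LF), not HTML metacharacters
  const stripControl = (s: string) => s.replace(/[\u0000-\u001f\u007f]/g, '');
  // Keys whose values must never reach log storage (node lower-cases header names)
  const REDACTED_KEYS = new Set(['authorization', 'cookie', 'x-api-key', 'password']);
  const redact = (key: string, value: unknown) =>
    REDACTED_KEYS.has(key.toLowerCase()) ? '[REDACTED]' : value;

  logger.debug(`Request Method: ${stripControl(req.method)}`);
  logger.debug(`Request URL: ${stripControl(req.url)}`);
  // JSON.stringify already escapes control characters inside string values
  logger.debug(`Request Headers: ${JSON.stringify(req.headers, redact)}`);
  logger.debug(`Request Body: ${JSON.stringify(req.body, redact)}`);

  next();
};
```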
@@ -6,14 +6,15 @@ import { Permission } from '@server/lib/permissions';
import { getSettings } from '@server/lib/settings';
import logger from '@server/logger';
import { isAuthenticated } from '@server/middleware/auth';
-import { Router, Request } from 'express';
+import { Router} from 'express';
+import type { Request } from 'express';
/* eslint-disable @typescript-eslint/no-unused-vars */
import {
createJwtSchema,
getOIDCRedirectUrl,
getOIDCWellknownConfiguration,
- OIDCJwtPayload,
} from '@server/utils/oidc';
+import type { OIDCJwtPayload } from '@server/utils/oidc';
import { randomBytes } from 'crypto';
import gravatarUrl from 'gravatar-url';
import decodeJwt from 'jwt-decode';
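Review bot: The added `import { Router} from 'express';` drops the space before the closing brace, which Prettier will rewrite on the next format pass and which sits oddly in a commit titled "eslint fixes"; it should read `import { Router } from 'express';`. The switch to `import type` for `Request` and `OIDCJwtPayload` is the right call for `isolatedModules`, but the `/* eslint-disable @typescript-eslint/no-unused-vars */` directive that now precedes the remaining value imports from `@server/utils/oidc` is file-wide from that point on — if it only exists to cover one unused symbol, a targeted `// eslint-disable-next-line` keeps the rule active for the rest of the module. Whether any of those three value imports are actually unused is not visible in this hunk.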