Merge pull request #955 from rocket-admin/backend_masterpassword_error_filering

feat: add HTML escaping for primary key values

Author: Artuomka

backend/src/entities/table-actions/table-actions-module/table-action-activation.service.ts

@@ -319,6 +319,23 @@ export class TableActionActivationService {
     return primaryKeyValuesArray;
   }
 
+  private escapePrimaryKeyValuesArray(array: Array<Record<string, unknown>>): Array<Record<string, unknown>> {
+    return array.map((record) => {
+      const escapedRecord: Record<string, unknown> = {};
+      for (const key in record) {
+        if (record.hasOwnProperty(key)) {
+          const escapedKey = escapeHtml(key);
+          // eslint-disable-next-line security/detect-object-injection
+          const value = record[key];
+          const escapedValue = typeof value === 'string' ? escapeHtml(value) : value;
+          // eslint-disable-next-line security/detect-object-injection
+          escapedRecord[escapedKey] = escapedValue;
+        }
+      }
+      return escapedRecord;
+    });
+  }
+
   private generateMessageContent(
     userInfo: UserInfoMessageData,
     triggerOperation: TableActionEventEnum,
@@ -334,8 +351,9 @@ export class TableActionActivationService {
           : triggerOperation === TableActionEventEnum.DELETE_ROW
             ? 'deleted a row'
             : 'performed an action';
+    primaryKeyValuesArray = this.escapePrimaryKeyValuesArray(primaryKeyValuesArray);        
     const textContent = `${userName ? escapeHtml(userName) : 'User'} (email: ${email}, user id: ${userId}) has ${action} in the table "${escapeHtml(tableName)}".`;
-    const testContentWithPrimaryKeys = `${textContent} Primary Keys: ${escapeHtml(JSON.stringify(primaryKeyValuesArray))}`;
+    const testContentWithPrimaryKeys = `${textContent} Primary Keys: ${JSON.stringify(primaryKeyValuesArray)}`;
     const htmlContent = `<!doctype html>
 <html>
   <head>
@@ -437,7 +455,7 @@ table[class=body] .article {
                     <tr>
                       <td style="font-family: sans-serif; font-size: 14px; vertical-align: top;" valign="top">
                         <p style="font-size: 18px; font-weight: normal; margin: 0; margin-bottom: 15px;">${textContent}</p>
-                        <p style="font-size: 18px; font-weight: normal; margin: 0; margin-bottom: 15px;">Primary Keys: ${escapeHtml(JSON.stringify(primaryKeyValuesArray))}</p>
+                        <p style="font-size: 18px; font-weight: normal; margin: 0; margin-bottom: 15px;">Primary Keys: ${JSON.stringify(primaryKeyValuesArray)}</p>
                       </td>
                     </tr>
                     <tr>

backend/src/exceptions/all-exceptions.filter.ts

@@ -2,6 +2,7 @@ import { ArgumentsHost, Catch, ExceptionFilter, HttpException, HttpStatus } from
 import { Logger } from '../helpers/logging/Logger.js';
 import { processExceptionMessage } from './utils/process-exception-message.js';
 import Sentry from '@sentry/minimal';
+import { Messages } from './text/messages.js';
 
 @Catch()
 export class AllExceptionsFilter implements ExceptionFilter {
@@ -29,9 +30,17 @@ export class AllExceptionsFilter implements ExceptionFilter {
       Logger.logError(exception);
     }
 
+    const ifErrorMasterPwdMissing = text === Messages.MASTER_PASSWORD_MISSING;
+    const ifErrorMasterPwdIncorrect = text === Messages.MASTER_PASSWORD_INCORRECT;
+    const masterPwdErrorType = ifErrorMasterPwdMissing
+      ? 'no_master_key'
+      : ifErrorMasterPwdIncorrect
+        ? 'invalid_master_key'
+        : undefined;
+
     response.status(status).json({
       message: text ? text : 'Something went wrong',
-      type: type ? type : undefined,
+      type: type ? type : masterPwdErrorType,
       statusCode: status,
       timestamp: new Date().toISOString(),
       path: request.url,