From 9f2cbaafc1fbae74303ef8b478677a9a46d0d385 Mon Sep 17 00:00:00 2001
From: Matthias Kretschmann
Date: Mon, 31 Jan 2022 13:08:07 +0000
Subject: [PATCH] XSS fix (#1031)

* tweak file URL input
* algo form
* publish fixes
---
 .../molecules/FormFields/URLInput/Input.tsx | 19 ++++++++++--
 src/utils/metadata.ts | 31 ++++++++++++++++---
 2 files changed, 43 insertions(+), 7 deletions(-)

diff --git a/src/components/molecules/FormFields/URLInput/Input.tsx b/src/components/molecules/FormFields/URLInput/Input.tsx
index 4d3d1c6dd..386e5ef60 100644
--- a/src/components/molecules/FormFields/URLInput/Input.tsx
+++ b/src/components/molecules/FormFields/URLInput/Input.tsx
@@ -1,9 +1,10 @@
-import React, { ReactElement } from 'react'
+import React, { ReactElement, useEffect, useState } from 'react'
 import Button from '../../../atoms/Button'
 import { FieldInputProps, useField } from 'formik'
 import Loader from '../../../atoms/Loader'
 import styles from './Input.module.css'
 import InputGroup from '../../../atoms/Input/InputGroup'
+import isUrl from 'is-url-superb'

 export default function URLInput({
 submitText,
@@ -17,6 +18,20 @@ export default function URLInput({
 }): ReactElement {
 const [field, meta] = useField(props as FieldInputProps)

+ const [isButtonDisabled, setIsButtonDisabled] = useState(true)
+
+ useEffect(() => {
+ if (!field?.value) return
+
+ setIsButtonDisabled(
+ !field?.value ||
+ field.value === '' ||
+ !isUrl(field.value) ||
+ field.value.includes('javascript:') ||
+ meta?.error
+ )
+ }, [field?.value, meta?.error])
+
 return (
e.preventDefault()}
- disabled={!field.value}
+ disabled={isButtonDisabled}
> {isLoading ? : submitText}
diff --git a/src/utils/metadata.ts b/src/utils/metadata.ts
index 0a8ebada4..87fe9388f 100644
--- a/src/utils/metadata.ts
+++ b/src/utils/metadata.ts
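Review bot: The `field.value.includes('javascript:')` test in the new useEffect is a case-sensitive substring check rather than a scheme check, so a differently-cased or otherwise non-http scheme still passes as long as `isUrl` accepts it; parse the value with `new URL()` and allow-list `http:`/`https:` (extend the list only if the form legitimately accepts other schemes). The early `if (!field?.value) return` also leaves the button in its previous state when the user clears the input after a valid URL had enabled it, so the empty case should feed `setIsButtonDisabled` instead of skipping it. `meta?.error` is a string, so the value passed to `setIsButtonDisabled` is `string | boolean` rather than the `boolean` the state was initialised with; wrap it in `Boolean()`. The JSX that reads `isButtonDisabled` belongs to a later hunk whose lines are garbled here, and the component body continues outside this hunk.
```typescript
function isAllowedHttpUrl(value: unknown): boolean {
  if (typeof value !== 'string' || !isUrl(value)) return false
  try {
    // scheme check is case-insensitive via URL parsing; anything that is not http(s) is rejected
    return ['http:', 'https:'].includes(new URL(value).protocol)
  } catch {
    return false
  }
}

// … unchanged: component signature and useField call …
useEffect(() => {
  setIsButtonDisabled(!isAllowedHttpUrl(field?.value) || Boolean(meta?.error))
}, [field?.value, meta?.error])
```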
@@ -9,7 +9,7 @@ import {
 import { toStringNoMS } from '.'
 import AssetModel from '../models/Asset'
 import slugify from '@sindresorhus/slugify'
-import { DDO, MetadataAlgorithm, Logger } from '@oceanprotocol/lib'
+import { DDO, File, MetadataAlgorithm, Logger } from '@oceanprotocol/lib'

 export function transformTags(value: string): string[] {
 const originalTags = value?.split(',')
@@ -113,6 +113,18 @@ export function transformPublishFormToMetadata(
 ): MetadataMarket {
 const currentTime = toStringNoMS(new Date())

+ const filesTransformed = typeof files !== 'string' &&
+ files?.length && [
+ {
+ ...(files as File[])[0],
+ url: (files as File[])[0].url.replace('javascript:', '')
+ }
+ ]
+ const linksTransformed = typeof links !== 'string' &&
+ links?.length && [
+ { ...links[0], url: links[0].url.replace('javascript:', '') }
+ ]
+
 const metadata: MetadataMarket = {
 main: {
 ...AssetModel.main,
@@ -120,14 +132,14 @@ export function transformPublishFormToMetadata(
 author,
 dateCreated: ddo ? ddo.created : currentTime,
 datePublished: '',
- files: typeof files !== 'string' && files,
+ files: filesTransformed,
 license: 'https://market.oceanprotocol.com/terms'
 },
 additionalInformation: {
 ...AssetModel.additionalInformation,
 description,
 tags: transformTags(tags),
- links: typeof links !== 'string' ? links : [],
+ links: linksTransformed,
 termsAndConditions
 }
 }
@@ -212,7 +224,8 @@ export function transformPublishAlgorithmFormToMetadata(
 ddo?: DDO
 ): MetadataMarket {
 const currentTime = toStringNoMS(new Date())
- const fileUrl = typeof files !== 'string' && files[0].url
+ const fileUrl =
+ typeof files !== 'string' && files[0].url.replace('javascript:', '')
 const algorithmLanguage = getAlgorithmFileExtension(fileUrl)
 const algorithm = getAlgorithmComponent(
 image,
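Review bot: `url.replace('javascript:', '')` in the new `filesTransformed` and `linksTransformed` bindings strips a single lowercase occurrence instead of rejecting the URL, so a differently-cased or otherwise non-http scheme passes through untouched, and a value that is stripped becomes a mangled string that is then published as the asset's URL; validate the scheme with `new URL()` against an `http:`/`https:` allow-list and drop or reject the entry instead. The `&&` chain also changes the falsy cases: `files?.length && [...]` evaluates to `0` for an empty array, and `links`, which the removed line in hunk @@ -120 set to `[]` when `links` was a string, is now `false`. The same pattern is repeated in @@ -212 (`fileUrl`) and in @@ -220 / @@ -227 of this file, so one shared helper fixes all of them; if downstream code relies on `false` rather than `[]` for `files`, keep that mapping at the call site. Only `files[0]` / `links[0]` is kept where the removed lines passed the whole array, which may be intentional but is worth confirming. transformPublishFormToMetadata starts and ends outside this hunk.
```typescript
/** Returns url unchanged when it parses with an http(s) scheme, otherwise undefined. */
function safeHttpUrl(url: string): string | undefined {
  try {
    return ['http:', 'https:'].includes(new URL(url).protocol) ? url : undefined
  } catch {
    return undefined
  }
}

/** Keeps only entries whose url has an allowed scheme; always returns an array. */
function sanitizeUrlEntries<T extends { url: string }>(
  entries: T[] | string | undefined
): T[] {
  if (typeof entries === 'string' || !entries) return []
  return entries.flatMap((entry) => {
    const url = safeHttpUrl(entry.url)
    return url ? [{ ...entry, url }] : []
  })
}

// … unchanged: currentTime …
const filesTransformed = sanitizeUrlEntries(files as File[] | string)
const linksTransformed = sanitizeUrlEntries(links)
```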
@@ -220,6 +233,14 @@ export function transformPublishAlgorithmFormToMetadata(
 entrypoint,
 algorithmLanguage
 )
+ const filesTransformed = typeof files !== 'string' &&
+ files?.length && [
+ {
+ ...(files as File[])[0],
+ url: (files as File[])[0].url.replace('javascript:', '')
+ }
+ ]
+
 const metadata: MetadataMarket = {
 main: {
 ...AssetModel.main,
@@ -227,7 +248,7 @@ export function transformPublishAlgorithmFormToMetadata(
 type: 'algorithm',
 author,
 dateCreated: ddo ? ddo.created : currentTime,
- files: typeof files !== 'string' && files,
+ files: filesTransformed,
 license: 'https://market.oceanprotocol.com/terms',
 algorithm
 },
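Review bot: The `filesTransformed` block added here is a line-for-line copy of the one this commit adds to transformPublishFormToMetadata, and `fileUrl`, computed a few lines above this hunk, already holds the first file's URL with the same `replace` applied, so the function now sanitises the same string twice in two places. A style fix is to compute the value once and reuse it, e.g. `const filesTransformed = typeof files !== 'string' && files?.length && [{ ...(files as File[])[0], url: fileUrl }]` after narrowing `fileUrl` to a string, or better to move the expression into a small helper that both publish transforms call. A helper that always returns an array would also remove the `0` that `files?.length && [...]` yields for an empty `files`. transformPublishAlgorithmFormToMetadata starts before this hunk and its body continues past the last hunk.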