[AC-1637] Sanitize Business and Organization Names from html script injection prior to storing in db (#3302)

* [AC-1637] Added HtmlEncodingStringConverter to encode/decode special chars on JSON serialization/deserialization * [AC-1637] Added unit tests for HtmlEncodingStringConverter * [AC-1637] Moved expected values on unit tests to the arrange phase * [AC-1637] Added HtmlEncodingStringConverter to properties that are for input/output of Org Name and Business name * [AC-1637] Modified views in Admin project to decode values to display * [AC-1637] Replaced Html.Raw with HttpUtility.HtmlDecode * [AC-1637] Added JsonConverter to Provider DTOs * [AC-1637] Modified HandlebarsMailService to decode organization name before sending emails * Revert "[AC-1637] Added JsonConverter to Provider DTOs" This reverts commit 94d507cf93. * [AC-1637] Fixed Admin panel organization search * [AC-1637] Sanitizing Organization name and business name on creation in Admin panel * [AC-1637] Sanitizing organization name and business name on creation by a provider * [AC-1637] Sanitizing provider name on creation and on viewing in admin panel * [AC-1637] Added sanitization to more places where Org name is used * [AC-1637] Swapped using HttpUtility for WebUtility since the later is part of the dotnet framework * [AC-1637] Updated error messages * [AC-1637] Decoding on Admin panel add existing organization * [AC-1637] Fix HTML decoding issues * [AC-1637] Refactor HTML decoding in View and Model classes on Admin panel * [AC-1637] Refactor provider name and business name usages to use methods that output decoded values * [AC-1637] Fixed typo * [AC-1637] Renamed Provider methods to retrieve Decoded Name and BusinessName * [AC-1637] Renamed Organization methods to retrieve Decoded Name and BusinessName * [AC-1637] Update the display name method in the `ProviderOrganizationOrganizationDetails` class to `DisplayName()`
2025-07-03 09:02:48 -05:00 · 2024-03-05 10:56:48 +00:00
parent 997af0f6ab
commit 9d59e4dc9e
49 changed files with 312 additions and 79 deletions
--- a/bitwarden_license/src/Commercial.Core/AdminConsole/Services/ProviderService.cs
+++ b/bitwarden_license/src/Commercial.Core/AdminConsole/Services/ProviderService.cs
@ -257,7 +257,7 @@ public class ProviderService : IProviderService

                await _providerUserRepository.ReplaceAsync(providerUser);
                events.Add((providerUser, EventType.ProviderUser_Confirmed, null));
-                await _mailService.SendProviderConfirmedEmailAsync(provider.Name, user.Email);
+                await _mailService.SendProviderConfirmedEmailAsync(provider.DisplayName(), user.Email);
                result.Add(Tuple.Create(providerUser, ""));
            }
            catch (BadRequestException e)
@ -331,7 +331,7 @@ public class ProviderService : IProviderService
                var email = user == null ? providerUser.Email : user.Email;
                if (!string.IsNullOrWhiteSpace(email))
                {
-                    await _mailService.SendProviderUserRemoved(provider.Name, email);
+                    await _mailService.SendProviderUserRemoved(provider.DisplayName(), email);
                }

                result.Add(Tuple.Create(providerUser, ""));
@ -586,7 +586,7 @@ public class ProviderService : IProviderService
        var nowMillis = CoreHelpers.ToEpocMilliseconds(DateTime.UtcNow);
        var token = _dataProtector.Protect(
            $"ProviderUserInvite {providerUser.Id} {providerUser.Email} {nowMillis}");
-        await _mailService.SendProviderInviteEmailAsync(provider.Name, providerUser, token, providerUser.Email);
+        await _mailService.SendProviderInviteEmailAsync(provider.DisplayName(), providerUser, token, providerUser.Email);
    }

    private async Task<bool> HasConfirmedProviderAdminExceptAsync(Guid providerId, IEnumerable<Guid> providerUserIds)
--- a/bitwarden_license/src/Sso/Controllers/AccountController.cs
+++ b/bitwarden_license/src/Sso/Controllers/AccountController.cs
@ -26,6 +26,7 @@ using IdentityModel;
 using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Identity;
 using Microsoft.AspNetCore.Mvc;
+using AuthenticationSchemes = Bit.Core.AuthenticationSchemes;
 using DIM = Duende.IdentityServer.Models;

 namespace Bit.Sso.Controllers;
@ -483,7 +484,7 @@ public class AccountController : Controller
            if (orgUser.Status == OrganizationUserStatusType.Invited)
            {
                // Org User is invited - they must manually accept the invite via email and authenticate with MP
-                throw new Exception(_i18nService.T("UserAlreadyInvited", email, organization.Name));
+                throw new Exception(_i18nService.T("UserAlreadyInvited", email, organization.DisplayName()));
            }

            // Accepted or Confirmed - create SSO link and return;
@ -516,7 +517,7 @@ public class AccountController : Controller
                        await _organizationService.AdjustSeatsAsync(orgId, initialSeatCount - organization.Seats.Value, prorationDate);
                    }
                    _logger.LogInformation(e, "SSO auto provisioning failed");
-                    throw new Exception(_i18nService.T("NoSeatsAvailable", organization.Name));
+                    throw new Exception(_i18nService.T("NoSeatsAvailable", organization.DisplayName()));
                }
            }
        }