[AC-1637] Sanitize Business and Organization Names from html script injection prior to storing in db (#3302)

* [AC-1637] Added HtmlEncodingStringConverter to encode/decode special chars on JSON serialization/deserialization * [AC-1637] Added unit tests for HtmlEncodingStringConverter * [AC-1637] Moved expected values on unit tests to the arrange phase * [AC-1637] Added HtmlEncodingStringConverter to properties that are for input/output of Org Name and Business name * [AC-1637] Modified views in Admin project to decode values to display * [AC-1637] Replaced Html.Raw with HttpUtility.HtmlDecode * [AC-1637] Added JsonConverter to Provider DTOs * [AC-1637] Modified HandlebarsMailService to decode organization name before sending emails * Revert "[AC-1637] Added JsonConverter to Provider DTOs" This reverts commit 94d507cf93. * [AC-1637] Fixed Admin panel organization search * [AC-1637] Sanitizing Organization name and business name on creation in Admin panel * [AC-1637] Sanitizing organization name and business name on creation by a provider * [AC-1637] Sanitizing provider name on creation and on viewing in admin panel * [AC-1637] Added sanitization to more places where Org name is used * [AC-1637] Swapped using HttpUtility for WebUtility since the later is part of the dotnet framework * [AC-1637] Updated error messages * [AC-1637] Decoding on Admin panel add existing organization * [AC-1637] Fix HTML decoding issues * [AC-1637] Refactor HTML decoding in View and Model classes on Admin panel * [AC-1637] Refactor provider name and business name usages to use methods that output decoded values * [AC-1637] Fixed typo * [AC-1637] Renamed Provider methods to retrieve Decoded Name and BusinessName * [AC-1637] Renamed Organization methods to retrieve Decoded Name and BusinessName * [AC-1637] Update the display name method in the `ProviderOrganizationOrganizationDetails` class to `DisplayName()`
2025-06-30 07:36:14 -05:00 · 2024-03-05 10:56:48 +00:00
parent 997af0f6ab
commit 9d59e4dc9e
49 changed files with 312 additions and 79 deletions
--- a/test/Core.Test/Utilities/HtmlEncodingStringConverterTests.cs
+++ b/test/Core.Test/Utilities/HtmlEncodingStringConverterTests.cs
@ -0,0 +1,89 @@
+using System.Text.Json;
+using System.Text.Json.Serialization;
+using Bit.Core.Utilities;
+using Xunit;
+
+namespace Bit.Core.Test.Utilities;
+
+public class HtmlEncodingStringConverterTests
+{
+    [Fact]
+    public void Serialize_WhenEncodedValueIsNotNull_SerializesHtmlEncodedString()
+    {
+        // Arrange
+        var obj = new HtmlEncodedString
+        {
+            EncodedValue = "This is &lt;b&gt;bold&lt;/b&gt;",
+            NonEncodedValue = "This is <b>bold</b>"
+        };
+        const string expectedJsonString = "{\"EncodedValue\":\"This is <b>bold</b>\",\"NonEncodedValue\":\"This is <b>bold</b>\"}";
+
+        // This is necessary to prevent the serializer from double encoding the string
+        var serializerOptions = new JsonSerializerOptions
+        {
+            Encoder = System.Text.Encodings.Web.JavaScriptEncoder.UnsafeRelaxedJsonEscaping,
+        };
+
+        // Act
+        var jsonString = JsonSerializer.Serialize(obj, serializerOptions);
+
+        // Assert
+        Assert.Equal(expectedJsonString, jsonString);
+    }
+
+    [Fact]
+    public void Serialize_WhenEncodedValueIsNull_SerializesNull()
+    {
+        // Arrange
+        var obj = new HtmlEncodedString
+        {
+            EncodedValue = null,
+            NonEncodedValue = null
+        };
+        const string expectedJsonString = "{\"EncodedValue\":null,\"NonEncodedValue\":null}";
+
+        // Act
+        var jsonString = JsonSerializer.Serialize(obj);
+
+        // Assert
+        Assert.Equal(expectedJsonString, jsonString);
+    }
+
+    [Fact]
+    public void Deserialize_WhenJsonContainsHtmlEncodedString_ReturnsDecodedString()
+    {
+        // Arrange
+        const string json = "{\"EncodedValue\":\"This is <b>bold</b>\",\"NonEncodedValue\":\"This is <b>bold</b>\"}";
+        const string expectedEncodedValue = "This is &lt;b&gt;bold&lt;/b&gt;";
+        const string expectedNonEncodedValue = "This is <b>bold</b>";
+
+        // Act
+        var obj = JsonSerializer.Deserialize<HtmlEncodedString>(json);
+
+        // Assert
+        Assert.Equal(expectedEncodedValue, obj.EncodedValue);
+        Assert.Equal(expectedNonEncodedValue, obj.NonEncodedValue);
+    }
+
+    [Fact]
+    public void Deserialize_WhenJsonContainsNull_ReturnsNull()
+    {
+        // Arrange
+        const string json = "{\"EncodedValue\":null,\"NonEncodedValue\":null}";
+
+        // Act
+        var obj = JsonSerializer.Deserialize<HtmlEncodedString>(json);
+
+        // Assert
+        Assert.Null(obj.EncodedValue);
+        Assert.Null(obj.NonEncodedValue);
+    }
+}
+
+public class HtmlEncodedString
+{
+    [JsonConverter(typeof(HtmlEncodingStringConverter))]
+    public string EncodedValue { get; set; }
+
+    public string NonEncodedValue { get; set; }
+}