From 4b69237cd264f5162bdf223774409cd58bbd8e88 Mon Sep 17 00:00:00 2001
From: Michael Brevard
Date: Thu, 13 Jun 2024 12:55:25 +0300
Subject: [PATCH 01/12] feat: support reading from websockets

---
 src/runtime/server/middleware/xssValidator.ts | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/runtime/server/middleware/xssValidator.ts b/src/runtime/server/middleware/xssValidator.ts
index 3a52de6c..404bf862 100644
--- a/src/runtime/server/middleware/xssValidator.ts
+++ b/src/runtime/server/middleware/xssValidator.ts
@@ -27,14 +27,17 @@ export default defineEventHandler(async(event) => {
 const valueToFilter =
 event.node.req.method === 'GET'
 ? getQuery(event)
+ : event.node.req.headers['upgrade'] === "websocket"
+ ? event.node.req.socket.read().toString('utf8')
 : event.node.req.headers['content-type']?.includes(
 'multipart/form-data'
 )
 ? await readMultipartFormData(event)
 : await readBody(event)
 // Fix for problems when one middleware is returning an error and it is catched in the next
- if (valueToFilter && Object.keys(valueToFilter).length) {
+ if (valueToFilter && (typeof valueToFilter === "object" && Object.keys(valueToFilter).length || valueToFilter.length) {
 if (
+ typeof valueToFilter === "object"
 valueToFilter.statusMessage &&
 valueToFilter.statusMessage !== 'Bad Request'
 ) {
From e5b07e4bbb9e5212aabb85110f0262d69ae92630 Mon Sep 17 00:00:00 2001
From: Michael Brevard
Date: Thu, 13 Jun 2024 13:00:21 +0300
Subject: [PATCH 02/12] fix: parenthesis

---
 src/runtime/server/middleware/xssValidator.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/runtime/server/middleware/xssValidator.ts b/src/runtime/server/middleware/xssValidator.ts
index 404bf862..20273dd4 100644
--- a/src/runtime/server/middleware/xssValidator.ts
+++ b/src/runtime/server/middleware/xssValidator.ts
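Review bot: The new websocket branch on the `: event.node.req.headers['upgrade'] === "websocket"` line is unreachable for a real WebSocket opening handshake, because that handshake is a GET request and the first ternary arm already routes every GET to `getQuery(event)`, so only a non-GET request that happens to carry an Upgrade header would reach it. Even when reached, `event.node.req.socket.read()` returns null when nothing is buffered, so `.toString('utf8')` throws a TypeError, and whatever bytes are buffered on the raw socket at that point are framed (and, client-to-server, masked) WebSocket data rather than the message text the XSS rules are meant to match, while consuming them also starves the WebSocket server that expects to parse that stream itself. Validating WebSocket traffic belongs where messages are decoded, e.g. a websocket `message` hook next to the `open` hook the test fixture already defines, so I would drop the two added ternary lines from this middleware and keep only the `typeof valueToFilter === "object"` guard. The follow-up hunks for patches 02 and 03 only repair the syntax of this change and do not address it. The defineEventHandler body continues outside the hunk.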
@@ -35,7 +35,7 @@ export default defineEventHandler(async(event) => {
 ? await readMultipartFormData(event)
 : await readBody(event)
 // Fix for problems when one middleware is returning an error and it is catched in the next
- if (valueToFilter && (typeof valueToFilter === "object" && Object.keys(valueToFilter).length || valueToFilter.length) {
+ if (valueToFilter && (typeof valueToFilter === "object" && Object.keys(valueToFilter).length || valueToFilter.length)) {
 if (
 typeof valueToFilter === "object"
 valueToFilter.statusMessage &&
From 8f895a3c3f0780a9ddf07b052a1a6170848fd6e3 Mon Sep 17 00:00:00 2001
From: Michael Brevard
Date: Thu, 13 Jun 2024 13:10:41 +0300
Subject: [PATCH 03/12] fix: &&

---
 src/runtime/server/middleware/xssValidator.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/runtime/server/middleware/xssValidator.ts b/src/runtime/server/middleware/xssValidator.ts
index 20273dd4..005ca282 100644
--- a/src/runtime/server/middleware/xssValidator.ts
+++ b/src/runtime/server/middleware/xssValidator.ts
@@ -37,7 +37,7 @@ export default defineEventHandler(async(event) => {
 // Fix for problems when one middleware is returning an error and it is catched in the next
 if (valueToFilter && (typeof valueToFilter === "object" && Object.keys(valueToFilter).length || valueToFilter.length)) {
 if (
- typeof valueToFilter === "object"
+ typeof valueToFilter === "object" &&
 valueToFilter.statusMessage &&
 valueToFilter.statusMessage !== 'Bad Request'
 ) {
From eb2a554398fdce2108bdeff1de2534db3ed67dac Mon Sep 17 00:00:00 2001
From: Michael Brevard
Date: Thu, 13 Jun 2024 13:56:10 +0300
Subject: [PATCH 04/12] Create socket-io.ts

---
 test/fixtures/xss/server/plugins/socket-io.ts | 43 +++++++++++++++++++
 1 file changed, 43 insertions(+)
 create mode 100644 test/fixtures/xss/server/plugins/socket-io.ts

diff --git a/test/fixtures/xss/server/plugins/socket-io.ts b/test/fixtures/xss/server/plugins/socket-io.ts
new file mode 100644
index 00000000..0471a43c
--- /dev/null
+++ b/test/fixtures/xss/server/plugins/socket-io.ts
@@ -0,0 +1,43 @@
+import { Server as Engine } from 'engine.io'
+import { Server } from 'socket.io'
+
+export default defineNitroPlugin((nitroApp) => {
+ const engine = new Engine()
+ const io = new Server({
+ cookie: {
+ name: 'io',
+ httpOnly: true,
+ sameSite: 'lax',
+ },
+ })
+
+ io.bind(engine)
+ io.of('/').on('connection', (socket) => {
+ socket.on('id:req', async (cb: (response: { id: string } | { error: string }) => void) => {
+ console.log('requested ID')
+ cb({ id: 'some-id' })
+ })
+ })
+
+ nitroApp.router.use('/socket.io/', defineEventHandler({
+ handler(event) {
+ engine.handleRequest(event.node.req, event.node.res)
+ event._handled = true
+ },
+ websocket: {
+ open(peer) {
+ const nodeContext = peer.ctx.node
+ const req = nodeContext.req
+
+ // @ts-expect-error private method
+ engine.prepare(req)
+
+ const rawSocket = nodeContext.req.socket
+ const websocket = nodeContext.ws
+
+ // @ts-expect-error private method
+ engine.onWebSocket(req, rawSocket, websocket)
+ },
+ },
+ }))
+})
From 6cb6e3973919d3b10665741e330c7f53992b9083 Mon Sep 17 00:00:00 2001
From: Michael Brevard
Date: Thu, 13 Jun 2024 13:56:35 +0300
Subject: [PATCH 05/12] Create tsconfig.json

---
 test/fixtures/xss/server/tsconfig.json | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 test/fixtures/xss/server/tsconfig.json

diff --git a/test/fixtures/xss/server/tsconfig.json b/test/fixtures/xss/server/tsconfig.json
new file mode 100644
index 00000000..b9ed69c1
--- /dev/null
+++ b/test/fixtures/xss/server/tsconfig.json
@@ -0,0 +1,3 @@
+{
+ "extends": "../.nuxt/tsconfig.server.json"
+}
From 00d262f27e81999c4dd0afafd3c01b644b170f2b Mon Sep 17 00:00:00 2001
From: Michael Brevard
Date: Thu, 13 Jun 2024 13:57:31 +0300
Subject: [PATCH 06/12] Create socket.client.ts

---
 test/fixtures/xss/plugins/socket.client.ts | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
 create mode 100644 test/fixtures/xss/plugins/socket.client.ts
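Review bot: The two `// @ts-expect-error private method` suppressions on `engine.prepare(req)` and `engine.onWebSocket(req, rawSocket, websocket)` hide a dependency on engine.io internals without saying why, so an engine.io upgrade that renames or re-signatures either method would fail at runtime with no type error pointing at this fixture; a reason on each, e.g. `// @ts-expect-error -- engine.io keeps prepare()/onWebSocket() private; needed to hand the upgraded socket to the engine`, makes the coupling visible to whoever bumps the dependency. The `'id:req'` handler is declared `async` but contains no `await`, so a plain arrow function is enough. The `console.log('requested ID')` adds noise to test output and can be dropped.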
diff --git a/test/fixtures/xss/plugins/socket.client.ts b/test/fixtures/xss/plugins/socket.client.ts
new file mode 100644
index 00000000..355f339e
--- /dev/null
+++ b/test/fixtures/xss/plugins/socket.client.ts
@@ -0,0 +1,15 @@
+import { io } from 'socket.io-client'
+
+export default defineNuxtPlugin(async (nuxtApp) => {
+ const socket = io()
+
+ nuxtApp.provide('socket', socket)
+ nuxtApp.provide('io', io)
+})
+
+declare module '#app' {
+ interface NuxtApp {
+ $io: typeof import('socket.io-client')['io']
+ $socket: ReturnType
+ }
+}
From 0e3945c76d794c9adf0512dfc3012dd8780d768f Mon Sep 17 00:00:00 2001
From: Michael Brevard
Date: Thu, 13 Jun 2024 13:59:33 +0300
Subject: [PATCH 07/12] Update package.json

---
 test/fixtures/xss/package.json | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/test/fixtures/xss/package.json b/test/fixtures/xss/package.json
index decd4334..6ab65a76 100644
--- a/test/fixtures/xss/package.json
+++ b/test/fixtures/xss/package.json
@@ -1,5 +1,11 @@
 {
 "private": true,
 "name": "basic",
- "type": "module"
+ "type": "module",
+ "dependencies": {
+ "eiows": "^7.0.3",
+ "engine.io": "^6.5.4",
+ "socket.io": "^4.7.5",
+ "socket.io-client": "^4.7.5",
+ },
 }
From 531fb07341cb9834bfa7550a7c05a86f4cc2b136 Mon Sep 17 00:00:00 2001
From: Michael Brevard
Date: Thu, 13 Jun 2024 14:00:50 +0300
Subject: [PATCH 08/12] fix: comma

---
 test/fixtures/xss/package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/test/fixtures/xss/package.json b/test/fixtures/xss/package.json
index 6ab65a76..9dc7a9bd 100644
--- a/test/fixtures/xss/package.json
+++ b/test/fixtures/xss/package.json
@@ -7,5 +7,5 @@
 "engine.io": "^6.5.4",
 "socket.io": "^4.7.5",
 "socket.io-client": "^4.7.5",
- },
+ }
 }
From aef9671461d128257294bab58be6deae8cc99561 Mon Sep 17 00:00:00 2001
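Review bot: `defineNuxtPlugin(async (nuxtApp) => {` declares an async plugin whose body contains no `await`, so Nuxt waits on a promise for nothing; `defineNuxtPlugin((nuxtApp) => {` is sufficient. The `io()` call at setup time opens the connection as soon as the plugin loads rather than when a page first needs it, which is presumably what the fixture wants so that the middleware sees websocket traffic on page load, but that intent deserves a one-line comment above `const socket = io()`.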
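Review bot: `"eiows": "^7.0.3"` is added to the fixture's dependencies, but none of the fixture files in this series import or configure it — socket-io.ts constructs `new Engine()` with no engine options — so it appears unused, and as a native addon it adds a build-toolchain requirement to the test install. If it is not needed, drop the line; if it is meant to replace the default ws engine, pass it to the Engine constructor explicitly (engine.io's `wsEngine` option) so the dependency is visibly exercised.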
From: Michael Brevard
Date: Thu, 13 Jun 2024 14:01:48 +0300
Subject: [PATCH 09/12] Update index.vue

---
 test/fixtures/xss/pages/index.vue | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/test/fixtures/xss/pages/index.vue b/test/fixtures/xss/pages/index.vue
index 8371b274..40911c35 100644
--- a/test/fixtures/xss/pages/index.vue
+++ b/test/fixtures/xss/pages/index.vue
@@ -1,3 +1,22 @@ + +
From 80c9906859abe565d9ba467ecc13bed4ba180e3c Mon Sep 17 00:00:00 2001
From: Michael Brevard
Date: Thu, 13 Jun 2024 14:02:06 +0300
Subject: [PATCH 10/12] Create socket.ts

---
 test/fixtures/xss/composables/socket.ts | 9 +++++++++
 1 file changed, 9 insertions(+)
 create mode 100644 test/fixtures/xss/composables/socket.ts

diff --git a/test/fixtures/xss/composables/socket.ts b/test/fixtures/xss/composables/socket.ts
new file mode 100644
index 00000000..0319ab20
--- /dev/null
+++ b/test/fixtures/xss/composables/socket.ts
@@ -0,0 +1,9 @@
+export function useSocket(): ReturnType {
+ const { $socket } = useNuxtApp()
+ return $socket
+}
+
+export function useIO(): typeof import('socket.io-client')['io'] {
+ const { $io } = useNuxtApp()
+ return $io
+}
From da9ab858e252bfdb6a05d75368d9877bcca50be3 Mon Sep 17 00:00:00 2001
From: Michael Brevard
Date: Thu, 13 Jun 2024 14:03:07 +0300
Subject: [PATCH 11/12] fix: another comma

---
 test/fixtures/xss/package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/test/fixtures/xss/package.json b/test/fixtures/xss/package.json
index 9dc7a9bd..8755fe25 100644
--- a/test/fixtures/xss/package.json
+++ b/test/fixtures/xss/package.json
@@ -6,6 +6,6 @@
 "eiows": "^7.0.3",
 "engine.io": "^6.5.4",
 "socket.io": "^4.7.5",
- "socket.io-client": "^4.7.5",
+ "socket.io-client": "^4.7.5"
 }
 }
From 570c558611b051fdce50d7f3587e2143c8b5d79f Mon Sep 17 00:00:00 2001
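Review bot: `useSocket` and `useIO` are exported with no documentation; add a one-line TSDoc above each, e.g. `/** Socket.io client connection registered as $socket by the socket.client plugin. */` and `/** The socket.io-client io() factory registered as $io by the socket.client plugin. */`. The explicit return annotations re-state types that the plugin's `declare module '#app'` augmentation already attaches to `NuxtApp`, so deriving them as `NuxtApp['$socket']` and `NuxtApp['$io']` would keep a single source of truth if the two files are meant to stay in sync.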
From: Michael Brevard
Date: Thu, 13 Jun 2024 14:48:09 +0300
Subject: [PATCH 12/12] fix: single root element

---
 test/fixtures/xss/pages/index.vue | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/test/fixtures/xss/pages/index.vue b/test/fixtures/xss/pages/index.vue
index 40911c35..2a97cd95 100644
--- a/test/fixtures/xss/pages/index.vue
+++ b/test/fixtures/xss/pages/index.vue
@@ -1,9 +1,11 @@