update sanitization

ensdomains · Jun 7, 2024 · 5e9c9ce · 5e9c9ce
1 parent 8b326ed
commit 5e9c9ce
Show file tree

Hide file tree

Showing 3 changed files with 53 additions and 11 deletions.
diff --git a/src/service/avatar.ts b/src/service/avatar.ts
@@ -13,7 +13,7 @@ import {
  OPENSEA_API_KEY 
 } from '../config';
 import { abortableFetch } from '../utils/abortableFetch';
-import isSvg from '../utils/isSVG';
+import isSvg from '../utils/isSvg';
 
 const window = new JSDOM('').window;
 
@@ -50,13 +50,11 @@ export class AvatarMetadata {
  avtResolver: AvatarResolver;
  constructor(provider: JsonRpcProvider, uri: string) {
  this.defaultProvider = provider;
- this.avtResolver = new AvatarResolver(provider, 
- {
- ipfs: IPFS_GATEWAY, 
- apiKey: { opensea: OPENSEA_API_KEY },
- urlDenyList: [ 'metadata.ens.domains' ]
- }
- );
+ this.avtResolver = new AvatarResolver(provider, {
+ ipfs: IPFS_GATEWAY,
+ apiKey: { opensea: OPENSEA_API_KEY },
+ urlDenyList: ['metadata.ens.domains'],
+ });
  this.uri = uri;
  }
 
@@ -73,7 +71,10 @@ export class AvatarMetadata {
  if (typeof error === 'string') {
  console.log(`${this.uri} - error:`, error);
  }
- throw new RetrieveURIFailed(`Error fetching avatar: Provided url or NFT source is broken.`, 404);
+ throw new RetrieveURIFailed(
+ `Error fetching avatar: Provided url or NFT source is broken.`,
+ 404
+ );
  }
 
  if (!avatarURI) {
@@ -94,7 +95,9 @@ export class AvatarMetadata {
 
  if (mimeType?.includes('svg') || isSvg(data.toString())) {
  const DOMPurify = createDOMPurify(window);
- const cleanData = DOMPurify.sanitize(data.toString());
+ const cleanData = DOMPurify.sanitize(data.toString(), {
+ FORBID_TAGS: ['a', 'area', 'base', 'iframe', 'link'],
+ });
  return [Buffer.from(cleanData), mimeType];
  }
 

diff --git a/src/utils/isSvg.ts b/src/utils/isSvg.ts
@@ -0,0 +1,39 @@
+// @ref: https://github.com/sindresorhus/is-svg
+// @ref: https://github.com/sindresorhus/is-svg/pull/38
+import {XMLParser, XMLValidator} from 'fast-xml-parser';
+
+export default function isSvg(data: string) {
+ if (typeof data !== 'string') {
+ throw new TypeError(`Expected a \`string\`, got \`${typeof data}\``);
+ }
+
+ data = data.toLowerCase().trim();
+
+ if (data.length === 0) {
+ return false;
+ }
+
+ // Has to be `!==` as it can also return an object with error info.
+ if (XMLValidator.validate(data) !== true) {
+ return false;
+ }
+
+ let jsonObject;
+ const parser = new XMLParser();
+
+ try {
+ jsonObject = parser.parse(data);
+ } catch {
+ return false;
+ }
+
+ if (!jsonObject) {
+ return false;
+ }
+
+ if (!('svg' in jsonObject)) {
+ return false;
+ }
+
+ return true;
+}
diff --git a/src/utils/rateLimiter.ts b/src/utils/rateLimiter.ts
@@ -18,7 +18,7 @@ if (REDIS_URL) {
 
  const opts = {
  storeClient: redisClient,
- points: 20, // Number of total points
+ points: 40, // Number of total points
  duration: 2, // Per second(s)
  execEvenly: false, // Do not delay actions evenly
  blockDuration: 0, // Do not block the caller if consumed more than points