Merge pull request #167 from NearSocial/release-2.5.5

evgenykuzyakov · web-flow · commit d8eb1674cca9 · 2024-01-08T13:42:19.000-08:00
## 2.5.5

- FIX: Restrict attributes of `Files` component to a whitelist. Reported by BrunoModificato from OtterSec.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Changelog
 
+## 2.5.5
+
+- FIX: Restrict attributes of `Files` component to a whitelist. Reported by BrunoModificato from OtterSec.
+
 ## 2.5.4
 
 - Added optional `commitModalBypass` feature config. When the `<CommitButton />` component is used inside of a widget with a matching `src` prop, the `CommitModal` will be bypassed and `onCommit()` will be called instantly when the button is clicked. If for some reason the requested transaction is invalid, the `CommitModal` will still appear to show an error message to the user. View example below to see configuration options.
diff --git a/dist/index.js b/dist/index.js
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "near-social-vm",
-  "version": "2.5.4",
+  "version": "2.5.5",
   "description": "Near Social VM",
   "main": "dist/index.js",
   "files": [
diff --git a/src/lib/vm/vm.js b/src/lib/vm/vm.js
@@ -413,6 +413,31 @@ const requirePattern = (id) => {
   }
 };
 
+const FilesComponentWhitelist = [
+  "key",
+  "name",
+  "className",
+  "onChange",
+  "onError",
+  "accepts",
+  "multiple",
+  "clickable",
+  "maxFiles",
+  "maxFileSize",
+  "minFileSize",
+  "dragActiveClassName",
+];
+
+const filterFilesAttributes = (attributes) => {
+  const filteredAttributes = {};
+  FilesComponentWhitelist.forEach((key) => {
+    if (attributes.hasOwnProperty(key)) {
+      filteredAttributes[key] = attributes[key];
+    }
+  });
+  return filteredAttributes;
+};
+
 class Stack {
   constructor(prevStack, state) {
     this.prevStack = prevStack;
@@ -688,7 +713,7 @@ class VmStack {
             accepts={["image/*"]}
             minFileSize={1}
             clickable
-            {...attributes}
+            {...filterFilesAttributes(attributes)}
           >
             {status.img?.uploading ? (
               <>{Loading} Uploading</>
@@ -701,7 +726,7 @@ class VmStack {
         </div>
       );
     } else if (element === "Files") {
-      return <Files {...attributes}>{children}</Files>;
+      return <Files {...filterFilesAttributes(attributes)}>{children}</Files>;
     } else if (element === "iframe") {
       return <SecureIframe {...attributes} />;
     } else if (element === "Web3Connect") {

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "near-social-vm",`
`3`		`- "version": "2.5.4",`
	`3`	`+ "version": "2.5.5",`
`4`	`4`	`"description": "Near Social VM",`
`5`	`5`	`"main": "dist/index.js",`
`6`	`6`	`"files": [`