From 3c873afa2b7837964beb0a3c5052b26a060fc4b7 Mon Sep 17 00:00:00 2001
From: Ace Nassri <anassri@google.com>
Date: Wed, 31 Oct 2018 14:53:39 -0700
Subject: [PATCH] Fix XSS issue

---
 functions/helloworld/index.js           |  3 ++-
 functions/helloworld/package.json       |  1 +
 functions/helloworld/test/index.test.js | 11 +++++++++++
 functions/http/index.js                 |  4 +++-
 functions/http/package.json             |  1 +
 functions/http/test/index.test.js       | 13 +++++++++++++
 6 files changed, 31 insertions(+), 2 deletions(-)

diff --git a/functions/helloworld/index.js b/functions/helloworld/index.js
index 468347f97e..a65905f9e1 100644
--- a/functions/helloworld/index.js
+++ b/functions/helloworld/index.js
@@ -16,6 +16,7 @@
 'use strict';
 
 const Buffer = require('safe-buffer').Buffer;
+const escapeHtml = require('escape-html');
 
 // [START functions_helloworld_get]
 /**
@@ -44,7 +45,7 @@ exports.helloGET = (req, res) => {
  */
 // [START functions_tips_terminate]
 exports.helloHttp = (req, res) => {
-  res.send(`Hello ${req.body.name || 'World'}!`);
+  res.send(`Hello ${escapeHtml(req.body.name || 'World')}!`);
 };
 // [END functions_helloworld_http]
 
diff --git a/functions/helloworld/package.json b/functions/helloworld/package.json
index 3f654f20f6..29334db8d0 100644
--- a/functions/helloworld/package.json
+++ b/functions/helloworld/package.json
@@ -20,6 +20,7 @@
   },
   "dependencies": {
     "@google-cloud/debug-agent": "2.4.0",
+    "escape-html": "^1.0.3",
     "pug": "2.0.3",
     "safe-buffer": "5.1.1"
   },
diff --git a/functions/helloworld/test/index.test.js b/functions/helloworld/test/index.test.js
index 360d5945d4..c0d58d7e76 100644
--- a/functions/helloworld/test/index.test.js
+++ b/functions/helloworld/test/index.test.js
@@ -71,6 +71,17 @@ test.cb(`helloHttp: should print hello world`, (t) => {
     .end(t.end);
 });
 
+test.cb.serial(`helloHttp: should escape XSS`, (t) => {
+  supertest(BASE_URL)
+    .post(`/helloHttp`)
+    .send({ name: '<script>alert(1)</script>' })
+    .expect(200)
+    .expect((response) => {
+      t.false(response.text.includes('<script>'));
+    })
+    .end(t.end);
+});
+
 test(`helloBackground: should print a name`, async (t) => {
   const data = JSON.stringify({name: 'John'});
   const output = await tools.runAsync(`${baseCmd} call helloBackground --data '${data}'`);
diff --git a/functions/http/index.js b/functions/http/index.js
index 2cdabb8471..dc434936b4 100644
--- a/functions/http/index.js
+++ b/functions/http/index.js
@@ -16,6 +16,8 @@
 'use strict';
 
 // [START functions_http_content]
+const escapeHtml = require('escape-html');
+
 /**
  * Responds to an HTTP request using data from the request body parsed according
  * to the "content-type" header.
@@ -48,7 +50,7 @@ exports.helloContent = (req, res) => {
       break;
   }
 
-  res.status(200).send(`Hello ${name || 'World'}!`);
+  res.status(200).send(`Hello ${escapeHtml(name || 'World')}!`);
 };
 // [END functions_http_content]
 
diff --git a/functions/http/package.json b/functions/http/package.json
index b5f23e97d4..a2e5a0432d 100644
--- a/functions/http/package.json
+++ b/functions/http/package.json
@@ -26,6 +26,7 @@
   "dependencies": {
     "@google-cloud/storage": "1.7.0",
     "busboy": "^0.2.14",
+    "escape-html": "^1.0.3",
     "safe-buffer": "5.1.1"
   },
   "cloud-repo-tools": {
diff --git a/functions/http/test/index.test.js b/functions/http/test/index.test.js
index 30da5d54fe..9a5492b3e8 100644
--- a/functions/http/test/index.test.js
+++ b/functions/http/test/index.test.js
@@ -167,6 +167,19 @@ test.serial(`http:helloContent: should handle other`, (t) => {
   t.deepEqual(mocks.res.send.firstCall.args[0], `Hello World!`);
 });
 
+test.serial(`http:helloContent: should escape XSS`, (t) => {
+  const mocks = getMocks();
+  const httpSample = getSample();
+  mocks.req.headers[`content-type`] = `text/plain`;
+  mocks.req.body = { name: `<script>alert(1)</script>` };
+  httpSample.sample.helloContent(mocks.req, mocks.res);
+
+  t.true(mocks.res.status.calledOnce);
+  t.is(mocks.res.status.firstCall.args[0], 200);
+  t.true(mocks.res.send.calledOnce);
+  t.false(mocks.res.send.firstCall.args[0].includes('<script>'));
+});
+
 test.serial(`http:cors: should respond to preflight request (no auth)`, (t) => {
   const mocks = getMocks();
   const httpSample = getSample();