security: patch footer icon self-xss from privledged user

server/models/systemSettings.js

@@ -2,6 +2,7 @@ process.env.NODE_ENV === "development"
   ? require("dotenv").config({ path: `.env.${process.env.NODE_ENV}` })
   : require("dotenv").config();
 
+const { isValidUrl } = require("../utils/http");
 const prisma = require("../utils/prisma");
 
 const SystemSettings = {
@@ -18,8 +19,10 @@ const SystemSettings = {
   validations: {
     footer_data: (updates) => {
       try {
-        const array = JSON.parse(updates);
-        return JSON.stringify(array.slice(0, 3)); // max of 3 items in footer.
+        const array = JSON.parse(updates)
+          .filter((setting) => isValidUrl(setting.url))
+          .slice(0, 3); // max of 3 items in footer.
+        return JSON.stringify(array);
       } catch (e) {
         console.error(`Failed to run validation function on footer_data`);
         return JSON.stringify([]);

server/utils/http/index.js

@@ -68,6 +68,15 @@ function safeJsonParse(jsonString, fallback = null) {
   return fallback;
 }
 
+function isValidUrl(urlString = "") {
+  try {
+    const url = new URL(urlString);
+    if (!["http:", "https:"].includes(url.protocol)) return false;
+    return true;
+  } catch (e) {}
+  return false;
+}
+
 module.exports = {
   reqBody,
   multiUserMode,
@@ -77,4 +86,5 @@ module.exports = {
   userFromSession,
   parseAuthHeader,
   safeJsonParse,
+  isValidUrl,
 };