From fd3220dd33fd539192e38a6b587ef30f78a90b24 Mon Sep 17 00:00:00 2001
From: Richard Yu
Date: Fri, 9 Sep 2022 15:13:56 -0400
Subject: [PATCH] clean up validator

---
 components/amorphic/HISTORY.md | 4 +++-
 components/amorphic/README.md | 16 ++++++++--------
 components/amorphic/lib/utils/InputValidator.ts | 4 ++--
 3 files changed, 13 insertions(+), 11 deletions(-)

diff --git a/components/amorphic/HISTORY.md b/components/amorphic/HISTORY.md
index cbb8ae13..429c199c 100644
--- a/components/amorphic/HISTORY.md
+++ b/components/amorphic/HISTORY.md
@@ -1,3 +1,5 @@
+## 11.0.1
+* Small update to change wording to allowlist and denylist
 ## 11.0.0
 * BREAKING CHANGES: With this upgrade we have changed the way logger is used by amorphic. In the past, clients passed
@@ -10,7 +12,7 @@
 * A new `setApiContextMiddleware` middleware is also introduced to allow client passed loggers run some middleware code on server calls. This middleware may also have different functionalities that can be controlled using a new boolean `generateAmorphicServerLogContextIfMissing` config.
 ## 10.3.0
-* Add validator middleware to express server, config settings for whitelist, blacklist, escape
+* Add validator middleware to express server, config settings for allowlist, denylist, escape
 ## 10.2.1
 * bump nconf version due to security vulnerability.
 ## 10.2.0
diff --git a/components/amorphic/README.md b/components/amorphic/README.md
index 563fc814..0f67a392 100644
--- a/components/amorphic/README.md
+++ b/components/amorphic/README.md
@@ -76,23 +76,23 @@ The Amorphic server has validation middleware that will validate requests coming
 There are four fields to put in the config.json for the amorphic app. These fields are:
 ```
- validatorAllowList: characters that are allowed in the request, a white list
- validatorDenyList: characters that are not allowed in the request, a black list
- validatorLog: boolean for logging whenever a request is blacklisted, whitelisted, or has HTML values escaped
+ validatorAllowList: characters that are allowed in the request
+ validatorDenyList: characters that are not allowed in the request
+ validatorLog: boolean for logging whenever a request is denylisted, allowlisted, or has HTML values escaped
 validatorEscapeHTML: boolean for allowing HTML characters to be escaped
 ```
-The whitelist and blacklist fields follow the format here: https://www.npmjs.com/package/validator
+The allowlist and denylist fields follow the format here: https://www.npmjs.com/package/validator
-The whitelist field is especially dangerous to use as it will only allow characters that match the format to pass the validator.
+The allowlist field is especially dangerous to use as it will only allow characters that match the format to pass the validator.
-The blacklist field also has certain characters that should not be blocked, such as '-', as that will most likely corrupt the amorphic message and cause problems.
+The denylist field also has certain characters that should not be blocked, such as '-', as that will most likely corrupt the amorphic message and cause problems.
-The order that this validation is performed is blacklist, escape, whitelist.
+The order that this validation is performed is denylist, escape, allowlist.
 The config.json found for the amorphic postgres unit test found here: components/amorphic/test/postgres/apps/test/config.json, contains examples of how these fields should be used.
-There is also a counter under statsd for 'amorphic.server.validator.whitelist.counter', 'amorphic.server.validator.blacklist.counter', and 'amorphic.server.validator.escape.counter' that will count the times requests are blacklisted, whitelisted, or escaped.
+There is also a counter under statsd for 'amorphic.server.validator.allowlist.counter', 'amorphic.server.validator.denylist.counter', and 'amorphic.server.validator.escape.counter' that will count the times requests are denylisted, allowlisted, or escaped.
 ## Testing
diff --git a/components/amorphic/lib/utils/InputValidator.ts b/components/amorphic/lib/utils/InputValidator.ts
index a5261487..f527f930 100644
--- a/components/amorphic/lib/utils/InputValidator.ts
+++ b/components/amorphic/lib/utils/InputValidator.ts
@@ -103,13 +103,13 @@ export class InputValidator {
 const validatorEscapeHTML = getBoolean(appConfig.appConfig.validatorEscapeHTML);
 if (denyList) {
- value = this.logAndCounterValue(value, validator.blacklist(value, denyList), validatorLog, 'blacklist', { denyList: denyList });
+ value = this.logAndCounterValue(value, validator.blacklist(value, denyList), validatorLog, 'denylist', { denyList: denyList });
 }
 if (validatorEscapeHTML) {
 value = this.logAndCounterValue(value, validator.escape(value), validatorLog, 'escape', {});
 }
 if (allowList) {
- value = this.logAndCounterValue(value, validator.whitelist(value, allowList), validatorLog, 'whitelist', { allowList: allowList });
+ value = this.logAndCounterValue(value, validator.whitelist(value, allowList), validatorLog, 'allowlist', { allowList: allowList });
 }
 return value;
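Review bot: The two changed `logAndCounterValue` calls in InputValidator.ts alter the label string that, going by the README text in this same patch, becomes part of the emitted statsd counter name and the validatorLog output, so after this upgrade `amorphic.server.validator.whitelist.counter` and `...blacklist.counter` stop being incremented and any dashboard or alert keyed on them silently goes flat. The HISTORY.md entry records this as a "small update to change wording" under patch version 11.0.1, which understates an observable telemetry rename; either emit the old counter alongside the new one for a deprecation window, or state the rename plainly in HISTORY.md, e.g. `* statsd counters amorphic.server.validator.whitelist.counter / blacklist.counter are renamed to allowlist / denylist; update dashboards and alerts accordingly`. Note that the `validator.blacklist` / `validator.whitelist` library calls themselves are unchanged, so only the label and the resulting metric/log names move, which is presumably the intent. The enclosing method of `InputValidator` begins before the hunk (the header shows `export class InputValidator {` as context), so whether the label is also used elsewhere in that method cannot be confirmed from this hunk.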