Merge branch 'develop' into sdp-sep-wallet-registration

# Conflicts:
#	helmchart/sdp/README.md

Author: marwen-abid

CHANGELOG.md

@@ -6,6 +6,12 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/).
 
 ## [Unreleased]
 
+### Fixed
+
+- Fix HTML validation to allow apostrophes in invitation messages while maintaining security against XSS attacks [#930](https://github.com/stellar/stellar-disbursement-platform-backend/pull/930)
+
+## [5.0.0](https://github.com/stellar/stellar-disbursement-platform-backend/releases/tag/5.0.0) ([diff](https://github.com/stellar/stellar-disbursement-platform-backend/compare/4.1.0...5.0.0))
+
 ### Added
 
 - Improve observability for the SDP service by adding the following : 
@@ -15,7 +21,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/).
   - [#818](https://github.com/stellar/stellar-disbursement-platform-backend/pull/818)
 - Add organization level MFA and ReCAPTCHA settings [#861](https://github.com/stellar/stellar-disbursement-platform-backend/pull/861)
 - Add trustlines for distribution account when provisioning tenant [#891](https://github.com/stellar/stellar-disbursement-platform-backend/pull/891)
-- Add support contract account disbursements [#922](https://github.com/stellar/stellar-disbursement-platform-backend/pull/922)
+- Add support for contract account disbursements [#922](https://github.com/stellar/stellar-disbursement-platform-backend/pull/922)
 - Add contract account support for direct payments [#924](https://github.com/stellar/stellar-disbursement-platform-backend/pull/924)
 - Add support for contract addresses for PATCH receiver [#925](https://github.com/stellar/stellar-disbursement-platform-backend/pull/925)
 - Mark tx failures due to archived entries as error [#926](https://github.com/stellar/stellar-disbursement-platform-backend/pull/926)
@@ -24,6 +30,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/).
 - Decommissioned Event Broker Kafka support in favor of Scheduler for background jobs. [#914](https://github.com/stellar/stellar-disbursement-platform-backend/pull/914)
 - Allow configuring `resources` limits and requests for services in the Helm charts [#904](https://github.com/stellar/stellar-disbursement-platform-backend/pull/904)
 - Enable short linking by default [#916](https://github.com/stellar/stellar-disbursement-platform-backend/pull/916)
+- Make POST /wallets and PATCH /wallets permissions consistent [#909](https://github.com/stellar/stellar-disbursement-platform-backend/pull/909)
 
 ## [4.1.0](https://github.com/stellar/stellar-disbursement-platform-backend/releases/tag/4.1.0) ([diff](https://github.com/stellar/stellar-disbursement-platform-backend/compare/4.0.1...4.1.0))
 

helmchart/sdp/Chart.yaml

@@ -1,8 +1,8 @@
 apiVersion: v2
 name: stellar-disbursement-platform
 description: A Helm chart for the Stellar Disbursement Platform Backend (A.K.A. `sdp`)
-version: "4.1.1"
-appVersion: "4.1.0"
+version: "5.0.0"
+appVersion: "5.0.0"
 type: application
 maintainers:
   - name: Stellar Development Foundation

helmchart/sdp/README.md

@@ -196,7 +196,7 @@ Configuration parameters for the SDP Core Service which is the core backend serv
 | `sdp.image`                                                             | Configuration related to the Docker image used by the SDP service.                                                                                    |                                                 |
 | `sdp.image.repository`                                                  | Docker image repository for the SDP backend service.                                                                                                  | `stellar/stellar-disbursement-platform-backend` |
 | `sdp.image.pullPolicy`                                                  | Image pull policy for the SDP service. For locally built images, consider using "Never" or "IfNotPresent".                                            | `Always`                                        |
-| `sdp.image.tag`                                                         | Docker image tag for the SDP service. If set, this overrides the default value from `.Chart.AppVersion`.                                              | `4.1.0`                                         |
+| `sdp.image.tag`                                                         | Docker image tag for the SDP service. If set, this overrides the default value from `.Chart.AppVersion`.                                              | `5.0.0`                                         |
 | `sdp.deployment`                                                        | Configuration related to the deployment of the SDP service.                                                                                           |                                                 |
 | `sdp.deployment.annotations`                                            | Annotations to be added to the deployment.                                                                                                            | `nil`                                           |
 | `sdp.deployment.podAnnotations`                                         | Annotations specific to the pods.                                                                                                                     | `{}`                                            |
@@ -327,7 +327,7 @@ Configuration parameters for the Dashboard. This is the user interface administr
 | `dashboard.route.mtnDomain`                      | Public domain/address of the multi-tenant Dashboard. This is a wild-card domain used for multi-tenant setups e.g. "*.sdp-dashboard.localhost.com". | `nil`                                                  |
 | `dashboard.route.port`                           | Primary port on which the Dashboard listens.                                                                                                       | `80`                                                   |
 | `dashboard.image`                                | Configuration related to the Docker image used by the Dashboard.                                                                                   |                                                        |
-| `dashboard.image.fullName`                       | Full name of the Docker image.                                                                                                                     | `stellar/stellar-disbursement-platform-frontend:4.1.0` |
+| `dashboard.image.fullName`                       | Full name of the Docker image.                                                                                                                     | `stellar/stellar-disbursement-platform-frontend:5.0.0` |
 | `dashboard.image.pullPolicy`                     | Image pull policy for the dashboard. For locally built images, consider using "Never" or "IfNotPresent".                                           | `Always`                                               |
 | `dashboard.deployment`                           | Configuration related to the deployment of the Dashboard.                                                                                          |                                                        |
 | `dashboard.deployment.annotations`               | Annotations to be added to the deployment.                                                                                                         | `{}`                                                   |

helmchart/sdp/values.yaml

@@ -135,7 +135,7 @@ sdp:
   image:
     repository: stellar/stellar-disbursement-platform-backend
     pullPolicy: Always
-    tag: "4.1.0"
+    tag: "5.0.0"
 
   ## @extra sdp.deployment Configuration related to the deployment of the SDP service.
   ## @param sdp.deployment.annotations Annotations to be added to the deployment.
@@ -450,7 +450,7 @@ dashboard:
   ## @param dashboard.image.fullName Full name of the Docker image.
   ## @param dashboard.image.pullPolicy Image pull policy for the dashboard. For locally built images, consider using "Never" or "IfNotPresent".
   image:
-    fullName: stellar/stellar-disbursement-platform-frontend:4.1.0
+    fullName: stellar/stellar-disbursement-platform-frontend:5.0.0
     pullPolicy: Always
 
   ## @extra dashboard.deployment Configuration related to the deployment of the Dashboard.

internal/utils/validation.go

@@ -19,8 +19,13 @@ import (
 
 var (
 	// RxPhone is a regex used to validate phone number, according with the E.164 standard https://en.wikipedia.org/wiki/E.164
-	rxPhone                   = regexp.MustCompile(`^\+[1-9]{1}[0-9]{9,14}$`)
-	rxOTP                     = regexp.MustCompile(`^\d{6}$`)
+	rxPhone = regexp.MustCompile(`^\+[1-9]{1}[0-9]{9,14}$`)
+	rxOTP   = regexp.MustCompile(`^\d{6}$`)
+	// Any HTML-like tag: <a ...>, </div>, <STYLE>...</STYLE>, etc.
+	rxHTMLTag = regexp.MustCompile(`(?i)<\s*/?\s*[a-z][a-z0-9]*(\s+[^>]*)?>`)
+	// "javascript:" URL scheme anywhere in the string.
+	rxJSScheme                = regexp.MustCompile(`(?i)\bjavascript\s*:`)
+	rxCSSExpr                 = regexp.MustCompile(`(?i)\bexpression\s*\(`)
 	ErrInvalidE164PhoneNumber = fmt.Errorf("the provided phone number is not a valid E.164 number")
 	ErrEmptyPhoneNumber       = fmt.Errorf("phone number cannot be empty")
 	ErrEmptyEmail             = fmt.Errorf("email field is required")
@@ -216,15 +221,20 @@ func ValidateURLScheme(link string, scheme ...string) error {
 	return nil
 }
 
-// ValidateNoHTML returns an error if the input contains any of the following HTML-related characters: [<, >, &, ', "],
-// either in encoded or decoded form.
-func ValidateNoHTML(input string) error {
-	if escapedStr := html.EscapeString(input); escapedStr != input {
-		return errors.New(`input contains one or more of the following HTML-related charactetes [<, >, &, ', "]`)
+// ValidateNoHTML returns an error if the input contains HTML tags, JavaScript schemes, or CSS expressions,
+// as detected by regular expressions, either in encoded or decoded form.
+func ValidateNoHTML(s string) error {
+	if s == "" {
+		return nil
 	}
 
-	if unescapedStr := html.UnescapeString(input); unescapedStr != input {
-		return errors.New("input contains HTML entities")
+	if rxHTMLTag.MatchString(s) || rxJSScheme.MatchString(s) || rxCSSExpr.MatchString(s) {
+		return errors.New("input contains HTML or active content")
+	}
+
+	unescaped := html.UnescapeString(s)
+	if rxHTMLTag.MatchString(unescaped) || rxJSScheme.MatchString(unescaped) || rxCSSExpr.MatchString(unescaped) {
+		return errors.New("input contains HTML or active content")
 	}
 
 	return nil

internal/utils/validation_test.go

@@ -381,6 +381,25 @@ func Test_ValidateURLScheme(t *testing.T) {
 	}
 }
 
+func Test_ValidateNoHTML_Valid(t *testing.T) {
+	validTestCases := []string{
+		"Hello, World!",
+		"This is a test string with numbers 1234567890.",
+		"Special characters !?#$",
+		"Mixed content: Hello123!@#",
+		"Whitespace    \n\t  ",
+		"This doesn't contain any HTML tags or scripts.",
+		"Text with word expression but not as code.",
+	}
+
+	for i, tc := range validTestCases {
+		t.Run(fmt.Sprintf("valid/%d(%s)", i, tc), func(t *testing.T) {
+			err := ValidateNoHTML(tc)
+			require.NoError(t, err, "ValidateNoHTML(%q) returned an unexpected error: %v", tc, err)
+		})
+	}
+}
+
 func Test_ValidateNoHTML(t *testing.T) {
 	rawHTMLTestCases := []string{
 		"<a href='evil.com'>Click here</a>",

main.go

@@ -13,7 +13,7 @@ import (
 
 // Version is the official version of this application. Whenever it's changed
 // here, it also needs to be updated at the `helmchart/Chart.yaml#appVersion“.
-const Version = "4.1.0"
+const Version = "5.0.0"
 
 // GitCommit is populated at build time by
 // go build -ldflags "-X main.GitCommit=$GIT_COMMIT"