botframework-webchat 4.14.1 → 4.15.0

package/src/renderMarkdown.ts

@@ -57,6 +57,18 @@ const TRANSPARENT_GIF = 'data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAA
 // This is used for parsing Markdown for external links.
 const internalMarkdownIt = new MarkdownIt();
 
+const MARKDOWN_ATTRS_LEFT_DELIMITER = '⟬';
+// Make sure the delimiter is free from any RegExp characters, such as *, ?, etc.
+// IE11 does not support "u" flag and Babel could not remove it. We intentionally omitting the "u" flag here.
+// eslint-disable-next-line security/detect-non-literal-regexp, require-unicode-regexp
+const MARKDOWN_ATTRS_LEFT_DELIMITER_PATTERN = new RegExp(MARKDOWN_ATTRS_LEFT_DELIMITER, 'g');
+
+const MARKDOWN_ATTRS_RIGHT_DELIMITER = '⟭';
+// Make sure the delimiter is free from any RegExp characters, such as *, ?, etc.
+// IE11 does not support "u" flag and Babel could not remove it. We intentionally omitting the "u" flag here.
+// eslint-disable-next-line security/detect-non-literal-regexp, require-unicode-regexp
+const MARKDOWN_ATTRS_RIGHT_DELIMITER_PATTERN = new RegExp(MARKDOWN_ATTRS_RIGHT_DELIMITER, 'g');
+
 export default function render(
   markdown: string,
   { markdownRespectCRLF }: { markdownRespectCRLF: boolean },
@@ -66,16 +78,37 @@ export default function render(
     markdown = markdown.replace(/\n\r|\r\n/gu, carriageReturn => (carriageReturn === '\n\r' ? '\r\n' : '\n\r'));
   }
 
-  const html = new MarkdownIt({
+  // Related to #3165.
+  // We only support attributes "aria-label" and should leave other attributes as-is.
+  // However, `markdown-it-attrs` remove unrecognized attributes, such as {hello}.
+  // Before passing to `markdown-it-attrs`, we will convert known attributes from {aria-label="..."} into ⟬aria-label="..."⟭ (using white tortoise shell brackets).
+  // Then, we ask `markdown-it-attrs` to only process the new brackets, so it should only try to process things that we allowlisted.
+  // Lastly, we revert tortoise shell brackets back to curly brackets, for unprocessed attributes.
+  markdown = markdown
+    .replace(/\{\s*aria-label()\s*\}/giu, `${MARKDOWN_ATTRS_LEFT_DELIMITER}aria-label${MARKDOWN_ATTRS_RIGHT_DELIMITER}`)
+    .replace(
+      /\{\s*aria-label=("[^"]*"|[^\s}]*)\s*\}/giu,
+      (_, valueInsideQuotes) =>
+        `${MARKDOWN_ATTRS_LEFT_DELIMITER}aria-label=${valueInsideQuotes}${MARKDOWN_ATTRS_RIGHT_DELIMITER}`
+    );
+
+  let html = new MarkdownIt({
     breaks: false,
     html: false,
     linkify: true,
     typographer: true,
     xhtmlOut: true
   })
-    .use(markdownItAttrs)
+    .use(markdownItAttrs, {
+      // `markdown-it-attrs` is added for accessibility and allow bot developers to specify `aria-label`.
+      // We are allowlisting `aria-label` only as it is allowlisted in `sanitize-html`.
+      // Other `aria-*` will be sanitized even we allowlisted here.
+      allowedAttributes: ['aria-label'],
+      leftDelimiter: MARKDOWN_ATTRS_LEFT_DELIMITER,
+      rightDelimiter: MARKDOWN_ATTRS_RIGHT_DELIMITER
+    })
     .use(iterator, 'url_new_win', 'link_open', (tokens, index) => {
-      const token = tokens[index];
+      const token = tokens[+index];
 
       token.attrSet('rel', 'noopener noreferrer');
       token.attrSet('target', '_blank');
@@ -97,8 +130,11 @@ export default function render(
     })
     .render(markdown);
 
+  // Restore attributes not processed by `markdown-it-attrs`.
+  // TODO: [P2] #2511 After we fixed our polyfill story, we should use "String.prototype.replaceAll" instead of RegExp for replace all occurrences.
+  html = html.replace(MARKDOWN_ATTRS_LEFT_DELIMITER_PATTERN, '{').replace(MARKDOWN_ATTRS_RIGHT_DELIMITER_PATTERN, '}');
+
   // The signature from "sanitize-html" module is not correct.
-  // eslint-disable-next-line @typescript-eslint/ban-ts-comment
   // @ts-ignore
   return sanitizeHTML(html, SANITIZE_HTML_OPTIONS);
 }

package/src/speech/CustomAudioInputStream.ts

@@ -22,6 +22,7 @@ import {
   type as Type
 } from 'microsoft-cognitiveservices-speech-sdk/distrib/lib/src/common.speech/Exports';
 
+import { isForbiddenPropertyName } from 'botframework-webchat-core';
 import { v4 } from 'uuid';
 import createDeferred, { DeferredPromise } from 'p-defer-es5';
 
@@ -88,9 +89,20 @@ abstract class CustomAudioInputStream extends AudioInputStream {
       id: options.id || v4().replace(/-/gu, '')
     };
 
+    // False alarm: indexer is a constant of type Symbol.
+    // eslint-disable-next-line security/detect-object-injection
     this[SYMBOL_DEVICE_INFO_DEFERRED] = createDeferred<DeviceInfo>();
+
+    // False alarm: indexer is a constant of type Symbol.
+    // eslint-disable-next-line security/detect-object-injection
     this[SYMBOL_EVENTS] = new EventSource<AudioSourceEvent>();
+
+    // False alarm: indexer is a constant of type Symbol.
+    // eslint-disable-next-line security/detect-object-injection
     this[SYMBOL_FORMAT_DEFERRED] = createDeferred<AudioStreamFormatImpl>();
+
+    // False alarm: indexer is a constant of type Symbol.
+    // eslint-disable-next-line security/detect-object-injection
     this[SYMBOL_OPTIONS] = normalizedOptions;
   }
 
@@ -101,9 +113,10 @@ abstract class CustomAudioInputStream extends AudioInputStream {
 
   /** Gets the event source for listening to events. */
   // ESLint: This code will only works in browsers other than IE11. Only works in ES5 is okay.
-  // eslint-disable-next-line @typescript-eslint/ban-ts-comment
   // @ts-ignore Accessors are only available when targeting ECMAScript 5 and higher.ts(1056)
   get events(): EventSource<AudioSourceEvent> {
+    // False alarm: indexer is a constant of type Symbol.
+    // eslint-disable-next-line security/detect-object-injection
     return this[SYMBOL_EVENTS];
   }
 
@@ -114,16 +127,19 @@ abstract class CustomAudioInputStream extends AudioInputStream {
   // Speech SDK quirks: In normal speech recognition, getter of "format" is called only after "attach".
   //                    But in Direct Line Speech, it is called before "attach".
   // ESLint: This code will only works in browsers other than IE11. Only works in ES5 is okay.
-  // eslint-disable-next-line @typescript-eslint/ban-ts-comment
   // @ts-ignore Accessors are only available when targeting ECMAScript 5 and higher.ts(1056)
   get format(): Promise<AudioStreamFormatImpl> {
     this.debug('Getting "format".');
 
+    // False alarm: indexer is a constant of type Symbol.
+    // eslint-disable-next-line security/detect-object-injection
     return this[SYMBOL_FORMAT_DEFERRED].promise;
   }
 
   /** Gets the ID of this audio stream. */
   id(): string {
+    // False alarm: indexer is a constant of type Symbol.
+    // eslint-disable-next-line security/detect-object-injection
     return this[SYMBOL_OPTIONS].id;
   }
 
@@ -131,6 +147,8 @@ abstract class CustomAudioInputStream extends AudioInputStream {
   // Speech SDK quirks: In JavaScript, onXxx means "listen to event XXX".
   //                    Instead, in Speech SDK, it means "emit event XXX".
   protected onEvent(event: AudioSourceEvent): void {
+    // False alarm: indexer is a constant of type Symbol.
+    // eslint-disable-next-line security/detect-object-injection
     this[SYMBOL_EVENTS].onEvent(event);
     Events.instance.onEvent(event);
   }
@@ -191,7 +209,6 @@ abstract class CustomAudioInputStream extends AudioInputStream {
 
   // Speech SDK quirks: Although "close" is marked as abstract, it is never called in our observations.
   // ESLint: Speech SDK requires this function, but we are not implementing it.
-  // eslint-disable-next-line class-methods-use-this
   close(): void {
     this.debug('Callback for "close".');
 
@@ -215,7 +232,8 @@ abstract class CustomAudioInputStream extends AudioInputStream {
   /** Log the message to console if `debug` is set to `true`. */
   private debug(message, ...args) {
     // ESLint: For debugging, will only log when "debug" is set to "true".
-    // eslint-disable-next-line no-console
+    // False alarm: indexer is a constant of type Symbol.
+    // eslint-disable-next-line no-console, security/detect-object-injection
     this[SYMBOL_OPTIONS].debug && console.info(`CustomAudioInputStream: ${message}`, ...args);
   }
 
@@ -240,7 +258,13 @@ abstract class CustomAudioInputStream extends AudioInputStream {
 
         // Although only getter of "format" is called before "attach" (in Direct Line Speech),
         // we are handling both "deviceInfo" and "format" in similar way for uniformity.
+
+        // False alarm: indexer is a constant of type Symbol.
+        // eslint-disable-next-line security/detect-object-injection
         this[SYMBOL_DEVICE_INFO_DEFERRED].resolve(deviceInfo);
+
+        // False alarm: indexer is a constant of type Symbol.
+        // eslint-disable-next-line security/detect-object-injection
         this[SYMBOL_FORMAT_DEFERRED].resolve(
           new AudioStreamFormatImpl(format.samplesPerSec, format.bitsPerSample, format.channels)
         );
@@ -300,21 +324,28 @@ abstract class CustomAudioInputStream extends AudioInputStream {
 
   /** Gets the device information. */
   // ESLint: This code will only works in browsers other than IE11. Only works in ES5 is okay.
-  // eslint-disable-next-line @typescript-eslint/ban-ts-comment
   // @ts-ignore Accessors are only available when targeting ECMAScript 5 and higher.ts(1056)
   get deviceInfo(): Promise<ISpeechConfigAudioDevice> {
     this.debug(`Getting "deviceInfo".`);
 
+    // False alarm: indexer is a constant of type Symbol.
+    // eslint-disable-next-line security/detect-object-injection
     return Promise.all([this[SYMBOL_DEVICE_INFO_DEFERRED].promise, this[SYMBOL_FORMAT_DEFERRED].promise]).then(
       ([{ connectivity, manufacturer, model, type }, { bitsPerSample, channels, samplesPerSec }]) => ({
         bitspersample: bitsPerSample,
         channelcount: channels,
         connectivity:
-          typeof connectivity === 'string' ? Connectivity[connectivity] : connectivity || Connectivity.Unknown,
+          typeof connectivity === 'string' && !isForbiddenPropertyName(connectivity)
+            ? // Mitigated through denylisting.
+              // eslint-disable-next-line security/detect-object-injection
+              Connectivity[connectivity]
+            : connectivity || Connectivity.Unknown,
         manufacturer: manufacturer || '',
         model: model || '',
         samplerate: samplesPerSec,
-        type: typeof type === 'string' ? Type[type] : type || Type.Unknown
+        // Mitigated through denylisting.
+        // eslint-disable-next-line security/detect-object-injection
+        type: typeof type === 'string' && !isForbiddenPropertyName(type) ? Type[type] : type || Type.Unknown
       })
     );
   }

package/src/speech/createAudioConfig.spec.js

@@ -1,4 +1,4 @@
-/* eslint @typescript-eslint/no-empty-function: "off" */
+/* eslint no-empty-function: "off" */
 
 import createAudioConfig from './createAudioConfig';
 

package/src/speech/createAudioConfig.ts

@@ -43,7 +43,12 @@ class CreateAudioConfigAudioInputStream extends CustomAudioInputStream {
 
     super({ debug });
 
+    // False alarm: indexer is a constant of type Symbol.
+    // eslint-disable-next-line security/detect-object-injection
     this[SYMBOL_ATTACH] = attach;
+
+    // False alarm: indexer is a constant of type Symbol.
+    // eslint-disable-next-line security/detect-object-injection
     this[SYMBOL_TURN_OFF] = turnOff;
   }
 
@@ -55,6 +60,8 @@ class CreateAudioConfigAudioInputStream extends CustomAudioInputStream {
     deviceInfo: DeviceInfo;
     format: Format;
   }> {
+    // False alarm: indexer is a constant of type Symbol.
+    // eslint-disable-next-line security/detect-object-injection
     return this[SYMBOL_ATTACH](audioNodeId);
   }
 

package/.eslintignore

@@ -1 +0,0 @@
-/src/tsconfig.json