Escape username and password in wss (#1107)

Christian Holm · web-flow · commit cd8a852c97df · 2020-02-25T14:10:40.000-07:00
diff --git a/src/security/WSSecurity.ts b/src/security/WSSecurity.ts
@@ -1,7 +1,7 @@
 
 import * as crypto from 'crypto';
 import { ISecurity } from '../types';
-import { passwordDigest } from '../utils';
+import { passwordDigest, xmlEscape } from '../utils';
 
 const validPasswordTypes = ['PasswordDigest', 'PasswordText'];
 
@@ -87,7 +87,7 @@ export class WSSecurity implements ISecurity {
       nonce = nHash.digest('base64');
     }
     if (this._passwordType === 'PasswordText') {
-      password = '<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">' + this._password + '</wsse:Password>';
+      password = '<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">' + xmlEscape(this._password) + '</wsse:Password>';
       if (nonce) {
         password += '<wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">' + nonce + '</wsse:Nonce>';
       }
@@ -103,7 +103,7 @@ export class WSSecurity implements ISecurity {
       'xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">' +
       timeStampXml +
       '<wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="SecurityToken-' + created + '">' +
-      '<wsse:Username>' + this._username + '</wsse:Username>' +
+      '<wsse:Username>' + xmlEscape(this._username) + '</wsse:Username>' +
       password +
       (this._hasTokenCreated ? '<wsu:Created>' + created + '</wsu:Created>' : '') +
       '</wsse:UsernameToken>' +
diff --git a/src/utils.ts b/src/utils.ts
@@ -48,3 +48,19 @@ export function splitQName<T>(nsName: T) {
     name: topLevelName.substring(prefixOffset + 1),
   };
 }
+
+export function xmlEscape(obj) {
+  if (typeof (obj) === 'string') {
+    if (obj.substr(0, 9) === '<![CDATA[' && obj.substr(-3) === ']]>') {
+      return obj;
+    }
+    return obj
+      .replace(/&/g, '&amp;')
+      .replace(/</g, '&lt;')
+      .replace(/>/g, '&gt;')
+      .replace(/"/g, '&quot;')
+      .replace(/'/g, '&apos;');
+  }
+
+  return obj;
+}
diff --git a/src/wsdl/index.ts b/src/wsdl/index.ts
@@ -16,29 +16,13 @@ import * as url from 'url';
 import { HttpClient } from '../http';
 import { NamespaceContext } from '../nscontext';
 import { IOptions } from '../types';
-import { findPrefix, splitQName, TNS_PREFIX } from '../utils';
+import { findPrefix, splitQName, TNS_PREFIX, xmlEscape } from '../utils';
 import * as elements from './elements';
 
 const debug = debugBuilder('node-soap');
 
 const XSI_URI = 'http://www.w3.org/2001/XMLSchema-instance';
 
-function xmlEscape(obj) {
-  if (typeof (obj) === 'string') {
-    if (obj.substr(0, 9) === '<![CDATA[' && obj.substr(-3) === ']]>') {
-      return obj;
-    }
-    return obj
-      .replace(/&/g, '&amp;')
-      .replace(/</g, '&lt;')
-      .replace(/>/g, '&gt;')
-      .replace(/"/g, '&quot;')
-      .replace(/'/g, '&apos;');
-  }
-
-  return obj;
-}
-
 const trimLeft = /^[\s\xA0]+/;
 const trimRight = /[\s\xA0]+$/;
 
diff --git a/test/security/WSSecurity.js b/test/security/WSSecurity.js
@@ -39,8 +39,8 @@ describe('WSSecurity', function() {
   });
 
   it('should insert a WSSecurity when postProcess is called', function() {
-    var username = 'myUser';
-    var password = 'myPass';
+    var username = 'my&User';
+    var password = 'my&Pass';
     var options = {
       passwordType: 'PassWordText',
       hasNonce: true,
@@ -59,10 +59,10 @@ describe('WSSecurity', function() {
     xml.should.containEql('<wsse:UsernameToken ');
     xml.should.containEql('xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" ');
     xml.should.containEql('wsu:Id="SecurityToken-');
-    xml.should.containEql('<wsse:Username>myUser</wsse:Username>');
+    xml.should.containEql('<wsse:Username>my&amp;User</wsse:Username>');
     xml.should.containEql('<wsse:Password ');
     xml.should.containEql('Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">');
-    xml.should.containEql('myPass</wsse:Password>');
+    xml.should.containEql('my&amp;Pass</wsse:Password>');
     xml.should.containEql('<wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">');
     xml.should.containEql('</wsse:Nonce>');
     xml.should.containEql('<wsu:Created>');
