Skip to content
Open
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
15 changes: 14 additions & 1 deletion AI/ocr/server/onReceiptAdded.ts
Original file line number Diff line number Diff line change
Expand Up @@ -6,10 +6,23 @@ import { ReceiptProcessor } from "./ReceiptProcessor";

require('isomorphic-fetch');

// Microsoft Graph sends an opaque, URL-safe validationToken when a subscription is
// created and expects it echoed back verbatim as text/plain. The value is attacker
// influenceable, so strip anything outside the token's known-safe character set
// before reflecting it. This is a no-op for legitimate tokens (base64url/base64)
// while removing the characters needed for reflected cross-site scripting.
const sanitizeValidationToken = (value: unknown): string =>
String(value).replace(/[^A-Za-z0-9._~+/=\- ]/g, '');

export const onReceiptAdded = async (req: Request, res: Response) => {
const validationToken = req.query['validationToken'];
if (validationToken) {
res.status(200).type('text/plain').send(String(validationToken));
const safeValidationToken = sanitizeValidationToken(validationToken);
res
.status(200)
.type('text/plain')
.set('X-Content-Type-Options', 'nosniff')
.send(safeValidationToken);
return;
}

Expand Down