From 551e2a2770b8079e2141a6b4728a7b96ae33ae50 Mon Sep 17 00:00:00 2001
From: Bryan Clark
Date: Tue, 10 Dec 2019 09:26:51 -0800
Subject: [PATCH] sanitzie XML characters
---
 __tests__/auth.test.ts | 18 ++++++++++++++++++
 dist/index.js | Bin 157938 -> 158179 bytes
 src/auth.ts | 15 ++++++++++++---
 3 files changed, 30 insertions(+), 3 deletions(-)
diff --git a/__tests__/auth.test.ts b/__tests__/auth.test.ts
index 3fa739c..7134e5c 100644
--- a/__tests__/auth.test.ts
+++ b/__tests__/auth.test.ts
@@ -82,4 +82,22 @@ describe('auth tests', () => {
 expect(fs.existsSync(m2Dir)).toBe(false);
 expect(fs.existsSync(settingsFile)).toBe(false);
 }, 100000);
+
+ it('escapes invalid XML inputs', () => {
+ const id = 'packages';
+ const username = 'bluebottle';
+ const password = '&<>"\'\'"><&';
+
+ expect(auth.generate(id, username, password)).toEqual(`
+
+
+
+ ${id}
+ ${username}
+ &<>"''"><&
+
+
+
+ `);
+ });
 });
diff --git a/dist/index.js b/dist/index.js
index 7d9c7bb1b3304b693ee25dae641e091ea1d90009..c7b1f986e251ef46b80e725ac2b5ef0c6a671f10 100644
GIT binary patch
delta 297 zcmex#k@N9o&W0AoElgGX^=YMf$t9Wjc?zk;$%zH25xzbeWr;bZshSGaTna!?lv+|+ zl&1g|0}Frz^@>spauSnMHT2c=({&Wo)e>_HtkpHK$lE~Vb4svF+XX=6({acvL8J>y z^KmFphuU9|UktRtnyYqtB|p{&W0AoElgGX)4c?k=Bj6=)Y|B0rr2>Qz=2I^acWUsVs5IPN;Ql*T}6;d UnWG@FxVSvOC}n$;AX8@q02mP&+W-In
diff --git a/src/auth.ts b/src/auth.ts
index 1001b2c..ca43c20 100644
--- a/src/auth.ts
+++ b/src/auth.ts
@@ -27,15 +27,24 @@ export async function configAuthentication(
 }
 }
+function escapeXML(value: string) {
+ return value
+ .replace(/&/g, '&')
+ .replace(//g, '>')
+ .replace(/"/g, '"')
+ .replace(/'/g, ''');
+}
+
 // only exported for testing purposes
 export function generate(id: string, username: string, password: string) {
 return `
- ${id}
- ${username}
- ${password}
+ ${escapeXML(id)}
+ ${escapeXML(username)}
+ ${escapeXML(password)}
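Review bot: The new test in `__tests__/auth.test.ts` puts XML metacharacters only in `password`; `id` and `username` are plain words and are interpolated unchanged into the expected string, so a regression that stops escaping either of them would still pass. Give those two fields special characters as well, for example `const id = 'pack&ages';` and `const username = 'blue<bottle>';` (constructed sample values), and write their escaped forms literally in the expected template instead of `${id}` and `${username}`. An extra case with an empty string for each argument would pin the no-op path of the escaping too.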
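Review bot: `escapeXML` in `src/auth.ts` handles the five markup characters but passes through code points that XML 1.0 forbids outright (most C0 control characters), so a credential containing one would still yield a settings file that an XML parser rejects. Silently stripping them would change the secret, so failing early is the safer behaviour: `if (/[\u0000-\u0008\u000B\u000C\u000E-\u001F]/.test(value)) throw new Error('value contains characters not allowed in XML 1.0');`. The helper would also read better with an explicit `: string` return type and a comment such as `// Escapes the five XML special characters; & is replaced first so entities produced by the later steps are not escaped again.` The replacement strings appear to have been altered by this page's rendering, so the entity values themselves could not be checked here, and `generate` ends outside the hunk.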