From ef82c47cbbcb36fd4e9765318b2c73e3c70aefe1 Mon Sep 17 00:00:00 2001
From: Marios Kranitsas
Date: Mon, 24 Oct 2022 13:55:10 +0300
Subject: [PATCH 1/3] Fix XSS Issue
---
 src/server/index.js | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/src/server/index.js b/src/server/index.js
index 70590aa8b8..400b1ecfee 100644
--- a/src/server/index.js
+++ b/src/server/index.js
@@ -311,7 +311,22 @@ async function onExpressJsSetup(server) {
 * HTML document (/src/shared/services/__mocks__/data/docu-sign-mock.html)
 * that has two buttons, that do the same redirects, as the real DocuSign
 * page would do on signing / rejecting a document. */
- server.use('/community-app-assets/api/mock/docu-sign', (req, res) => setTimeout(() => res.send(mockDocuSignFactory(req.query.returnUrl)), 3000));
+ server.use('/community-app-assets/api/mock/docu-sign', (req, res) => {
+ const isValidUrl = (urlString) => {
+ const urlPattern = new RegExp('^(https?:\\/\\/)?'+ // validate protocol
+ '((([a-z\\d]([a-z\\d-]*[a-z\\d])*)\\.)+[a-z]{2,}|'+ // validate domain name
+ '((\\d{1,3}\\.){3}\\d{1,3}))'+ // validate OR ip (v4) address
+ '(\\:\\d+)?(\\/[-a-z\\d%_.~+]*)*'+ // validate port and path
+ '(\\?[;&a-z\\d%_.~+=-]*)?'+ // validate query string
+ '(\\#[-a-z\\d_]*)?$','i'); // validate fragment locator
+ return !!urlPattern.test(urlString);
+ }
+ if(isValidUrl(req.query.returnUrl)) {
+ return setTimeout(() => res.send(mockDocuSignFactory(req.query.returnUrl)), 3000);
+ } else {
+ res.status(400).send('Invalid return URL')
+ }
+ });
 /* TODO:
 * This is a temporary fallback route: some of the assets in the app are not
From 29cfaf68d50f53f9ab5e6071e3fcacca9e6f77b6 Mon Sep 17 00:00:00 2001
From: Marios Kranitsas
Date: Mon, 24 Oct 2022 15:09:30 +0300
Subject: [PATCH 2/3] Fixes
---
 src/server/index.js | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/src/server/index.js b/src/server/index.js
index 400b1ecfee..14603cc57f 100644
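Review bot: The added allow-list regex guards the call site but not the sink: `mockDocuSignFactory(req.query.returnUrl)` still receives the raw value, and if it interpolates into the mock HTML without encoding (the commit title suggests that is where the XSS was) the fix depends entirely on the character class staying this tight. The pattern also has the nested-quantifier shape (`([a-z\\d-]*[a-z\\d])*` inside a `(...\\.)+` group) that can backtrack exponentially on long non-matching input, it accepts any http(s) host so the mock page will redirect to an arbitrary origin, and `req.query.returnUrl` is never checked to be a string even though Express's query parser can return an array or object for repeated or bracketed keys. The same validator is carried through PATCH 2/3 and 3/3 unchanged apart from formatting, so one fix covers all three hunks. A safer shape is to reject non-strings, parse with the WHATWG `URL` class and allow only `http:`/`https:`, and have the factory HTML-escape the value regardless; note this rejects the scheme-less values the regex tolerated, which callers should confirm they never send. `onExpressJsSetup` begins and ends outside the hunk.
```javascript
  server.use('/community-app-assets/api/mock/docu-sign', (req, res) => {
    const { returnUrl } = req.query;
    const isValidUrl = (urlString) => {
      // qs may hand back an array or object; only a plain string is acceptable.
      if (typeof urlString !== 'string') return false;
      try {
        const parsed = new URL(urlString); // linear-time parse, no backtracking
        // Only web schemes may be echoed back into the mock page.
        return parsed.protocol === 'http:' || parsed.protocol === 'https:';
      } catch (err) {
        return false; // URL throws TypeError on anything that is not an absolute URL
      }
    };
    if (!isValidUrl(returnUrl)) {
      return res.status(400).send('Invalid return URL');
    }
    // … unchanged: delayed res.send(mockDocuSignFactory(returnUrl)) …
  });
```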
--- a/src/server/index.js
+++ b/src/server/index.js
@@ -313,18 +313,18 @@ async function onExpressJsSetup(server) {
 * page would do on signing / rejecting a document. */
 server.use('/community-app-assets/api/mock/docu-sign', (req, res) => {
 const isValidUrl = (urlString) => {
- const urlPattern = new RegExp('^(https?:\\/\\/)?'+ // validate protocol
- '((([a-z\\d]([a-z\\d-]*[a-z\\d])*)\\.)+[a-z]{2,}|'+ // validate domain name
- '((\\d{1,3}\\.){3}\\d{1,3}))'+ // validate OR ip (v4) address
- '(\\:\\d+)?(\\/[-a-z\\d%_.~+]*)*'+ // validate port and path
- '(\\?[;&a-z\\d%_.~+=-]*)?'+ // validate query string
- '(\\#[-a-z\\d_]*)?$','i'); // validate fragment locator
+ const urlPattern = new RegExp('^(https?:\\/\\/)?'// validate protocol
+ + '((([a-z\\d]([a-z\\d-]*[a-z\\d])*)\\.)+[a-z]{2,}|' // validate domain name
+ + '((\\d{1,3}\\.){3}\\d{1,3}))' // validate OR ip (v4) address
+ + '(\\:\\d+)?(\\/[-a-z\\d%_.~+]*)*'+ // validate port and path
+ + '(\\?[;&a-z\\d%_.~+=-]*)?' // validate query string
+ + '(\\#[-a-z\\d_]*)?$','i'); // validate fragment locator
 return !!urlPattern.test(urlString);
 }
 if(isValidUrl(req.query.returnUrl)) {
 return setTimeout(() => res.send(mockDocuSignFactory(req.query.returnUrl)), 3000);
 } else {
- res.status(400).send('Invalid return URL')
+ return res.status(400).send('Invalid return URL')
 }
 });
From 9281c6f7f2c5bcb3ddbbccd71b57af59624e7f01 Mon Sep 17 00:00:00 2001
From: Marios Kranitsas
Date: Mon, 24 Oct 2022 16:31:29 +0300
Subject: [PATCH 3/3] Fix lint Erros
---
 src/server/index.js | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)
diff --git a/src/server/index.js b/src/server/index.js
index 14603cc57f..86748ef60c 100644
--- a/src/server/index.js
+++ b/src/server/index.js
@@ -315,17 +315,16 @@ async function onExpressJsSetup(server) {
 const isValidUrl = (urlString) => {
 const urlPattern = new RegExp('^(https?:\\/\\/)?'// validate protocol
 + '((([a-z\\d]([a-z\\d-]*[a-z\\d])*)\\.)+[a-z]{2,}|' // validate domain name
- + '((\\d{1,3}\\.){3}\\d{1,3}))' // validate OR ip (v4) address
- + '(\\:\\d+)?(\\/[-a-z\\d%_.~+]*)*'+ // validate port and path
- + '(\\?[;&a-z\\d%_.~+=-]*)?' // validate query string
- + '(\\#[-a-z\\d_]*)?$','i'); // validate fragment locator
+ + '((\\d{1,3}\\.){3}\\d{1,3}))'// validate OR ip (v4) address
+ + '(\\:\\d+)?(\\/[-a-z\\d%_.~+]*)*'// validate port and path
+ + '(\\?[;&a-z\\d%_.~+=-]*)?'// validate query string
+ + '(\\#[-a-z\\d_]*)?$', 'i'); // validate fragment locator
 return !!urlPattern.test(urlString);
- }
- if(isValidUrl(req.query.returnUrl)) {
+ };
+ if (isValidUrl(req.query.returnUrl)) {
 return setTimeout(() => res.send(mockDocuSignFactory(req.query.returnUrl)), 3000);
- } else {
- return res.status(400).send('Invalid return URL')
 }
+ return res.status(400).send('Invalid return URL');
 });
 /* TODO: