fix: more secure handling of date in xva

vatesfr · Jan 29, 2024 · 01d16a9 · 01d16a9
1 parent cddb316
commit 01d16a9
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 9 deletions.
diff --git a/@xen-orchestra/xva-generator/_toOvaXml.mjs b/@xen-orchestra/xva-generator/_toOvaXml.mjs
@@ -4,9 +4,6 @@ function escape(string) {
   if (typeof string === 'number') {
     return string
   }
-  if (string.startsWith('<dateTime.iso8601>')) {
-    return string
-  }
   const map = {
     '>': '&gt;',
     '<': '&lt;',
@@ -21,12 +18,19 @@ function escape(string) {
   })
 }
 
+function formatDate(d) {
+  return d.toISOString().replaceAll('-', '').replace('.000Z', 'Z')
+}
+
 export default function toOvaxml(obj) {
   if (Array.isArray(obj)) {
     return `<value><array><data>${obj.map(val => toOvaxml(val)).join('')}</data></array></value>`
   }
 
   if (typeof obj === 'object') {
+    if (obj instanceof Date) {
+      return `<value><dateTime.iso8601>${escape(formatDate(obj))}</dateTime.iso8601></value>`
+    }
     return `<value><struct>${Object.entries(obj)
       .map(([key, value]) => `<member><name>${escape(key)}</name>${toOvaxml(value)}</member>`)
       .join('')}</struct></value>`

diff --git a/@xen-orchestra/xva-generator/templates/vm.mjs b/@xen-orchestra/xva-generator/templates/vm.mjs
@@ -1,9 +1,7 @@
-
 export const DEFAULT_VM = {
   class: 'VM',
   id: null,
-  snapshot:
-  {
+  snapshot: {
     actions_after_crash: 'restart',
     actions_after_reboot: 'restart',
     actions_after_shutdown: 'destroy',
@@ -85,7 +83,7 @@ export const DEFAULT_VM = {
     snapshot_info: {},
     snapshot_metadata: '',
     snapshot_of: 'OpaqueRef:NULL',
-    snapshot_time: '<dateTime.iso8601>19700101T00:00:00Z</dateTime.iso8601>',
+    snapshot_time: new Date(0),
     snapshots: [],
     start_delay: 0,
     // suspend_VDI:'OpaqueRef:NULL',
@@ -104,5 +102,5 @@ export const DEFAULT_VM = {
     VTPMs: [],
     VUSBs: [],
     xenstore_data: {},
-  }
-}
+  },
+}