feat(security): add XSS and sqli validation for dashboard metadata fields (#9104)

Co-authored-by: hyperswitch-bot[bot] <148525504+hyperswitch-bot[bot]@users.noreply.github.com>

crates/router/src/core/user/dashboard_metadata.rs

@@ -1,9 +1,6 @@
-use std::str::FromStr;
-
 use api_models::user::dashboard_metadata::{self as api, GetMultipleMetaDataPayload};
 #[cfg(feature = "email")]
 use common_enums::EntityType;
-use common_utils::pii;
 use diesel_models::{
     enums::DashboardMetadata as DBEnum, user::dashboard_metadata::DashboardMetadata,
 };
@@ -11,7 +8,7 @@ use error_stack::{report, ResultExt};
 use hyperswitch_interfaces::crm::CrmPayload;
 #[cfg(feature = "email")]
 use masking::ExposeInterface;
-use masking::PeekInterface;
+use masking::{PeekInterface, Secret};
 use router_env::logger;
 
 use crate::{
@@ -456,11 +453,6 @@ async fn insert_metadata(
             metadata
         }
         types::MetaData::ProdIntent(data) => {
-            if let Some(poc_email) = &data.poc_email {
-                let inner_poc_email = poc_email.peek().as_str();
-                pii::Email::from_str(inner_poc_email)
-                    .change_context(UserErrors::EmailParsingError)?;
-            }
             let mut metadata = utils::insert_merchant_scoped_metadata_to_db(
                 state,
                 user.user_id.clone(),
@@ -523,19 +515,23 @@ async fn insert_metadata(
             let hubspot_body = state
                 .crm_client
                 .make_body(CrmPayload {
-                    legal_business_name: data.legal_business_name,
-                    business_label: data.business_label,
+                    legal_business_name: data.legal_business_name.map(|s| s.into_inner()),
+                    business_label: data.business_label.map(|s| s.into_inner()),
                     business_location: data.business_location,
-                    display_name: data.display_name,
-                    poc_email: data.poc_email,
-                    business_type: data.business_type,
-                    business_identifier: data.business_identifier,
-                    business_website: data.business_website,
-                    poc_name: data.poc_name,
-                    poc_contact: data.poc_contact,
-                    comments: data.comments,
+                    display_name: data.display_name.map(|s| s.into_inner()),
+                    poc_email: data.poc_email.map(|s| Secret::new(s.peek().clone())),
+                    business_type: data.business_type.map(|s| s.into_inner()),
+                    business_identifier: data.business_identifier.map(|s| s.into_inner()),
+                    business_website: data.business_website.map(|s| s.into_inner()),
+                    poc_name: data
+                        .poc_name
+                        .map(|s| Secret::new(s.peek().clone().into_inner())),
+                    poc_contact: data
+                        .poc_contact
+                        .map(|s| Secret::new(s.peek().clone().into_inner())),
+                    comments: data.comments.map(|s| s.into_inner()),
                     is_completed: data.is_completed,
-                    business_country_name: data.business_country_name,
+                    business_country_name: data.business_country_name.map(|s| s.into_inner()),
                 })
                 .await;
             let base_url = user_utils::get_base_url(state);

crates/router/src/services/email/types.rs

@@ -3,7 +3,7 @@ use common_enums::{EntityType, MerchantProductType};
 use common_utils::{errors::CustomResult, pii, types::user::EmailThemeConfig};
 use error_stack::ResultExt;
 use external_services::email::{EmailContents, EmailData, EmailError};
-use masking::{ExposeInterface, Secret};
+use masking::{ExposeInterface, PeekInterface, Secret};
 
 use crate::{configs, consts, routes::SessionState};
 #[cfg(feature = "olap")]
@@ -567,14 +567,26 @@ impl BizEmailProd {
                 state.conf.email.prod_intent_recipient_email.clone(),
             )?,
             settings: state.conf.clone(),
-            user_name: data.poc_name.unwrap_or_default(),
-            poc_email: data.poc_email.unwrap_or_default(),
-            legal_business_name: data.legal_business_name.unwrap_or_default(),
+            user_name: data
+                .poc_name
+                .map(|s| Secret::new(s.peek().clone().into_inner()))
+                .unwrap_or_default(),
+            poc_email: data
+                .poc_email
+                .map(|s| Secret::new(s.peek().clone()))
+                .unwrap_or_default(),
+            legal_business_name: data
+                .legal_business_name
+                .map(|s| s.into_inner())
+                .unwrap_or_default(),
             business_location: data
                 .business_location
                 .unwrap_or(common_enums::CountryAlpha2::AD)
                 .to_string(),
-            business_website: data.business_website.unwrap_or_default(),
+            business_website: data
+                .business_website
+                .map(|s| s.into_inner())
+                .unwrap_or_default(),
             theme_id,
             theme_config,
             product_type: data.product_type,

crates/router/src/utils/user/dashboard_metadata.rs

@@ -287,8 +287,12 @@ pub fn is_prod_email_required(data: &ProdIntent, user_email: String) -> bool {
         data.poc_email.as_ref().map(|email| email.peek().as_str()),
         "juspay",
     );
-    let business_website_check = not_contains_string(data.business_website.as_deref(), "juspay")
-        && not_contains_string(data.business_website.as_deref(), "hyperswitch");
+    let business_website_check =
+        not_contains_string(data.business_website.as_ref().map(|s| s.as_str()), "juspay")
+            && not_contains_string(
+                data.business_website.as_ref().map(|s| s.as_str()),
+                "hyperswitch",
+            );
     let user_email_check = not_contains_string(Some(&user_email), "juspay");
 
     if (poc_email_check && business_website_check && user_email_check).not() {