Open Redirect Vulnerability Mitigation - CWE 601 #1963
Merged
Refactored Open Redirect vulnerability to allow for user configuration as requested.
Prior to this, it was observed that req.url could get parsed to navigate a user to an external website. For example, https://docs.requarks.io////google.com// would navigate directly to google.com. This behavior was observed in the req.url variable. This PR adds a configurable middleware that strips all repeating / characters from the user-controlled URL. More about the vulnerability can be found at https://cwe.mitre.org/data/definitions/601.html
In addition, it was observed that the if statements in ./server/middlewares/security.js were not referencing global variables correctly as per the ./server/app/data.yml file structure. As such, they were effectively being ignored, as confirmed by console.log statements. The data.yml format requires the variables to be referenced as WIKI.config.security.* to be effective. This PR simultaneously fixes that issue.
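The mitigation described above, as an added example that is not Wiki.js's own code: an Express-style middleware that collapses runs of `/` in `req.url` before any redirect logic sees it, togther with a check that rejects redirect targets a browser would treat as protocol-relative. The function names, the `enabled` option and the fake `req`/`res` harness are constructed for illustration.

```javascript
// Collapse any run of two or more slashes in the path part of a URL, leaving the
// query string untouched so parameter values are not altered. Constructed helper.
function collapseSlashes(url) {
  const qIndex = url.indexOf('?');
  const path = qIndex === -1 ? url : url.slice(0, qIndex);
  const query = qIndex === -1 ? '' : url.slice(qIndex);
  return path.replace(/\/{2,}/g, '/') + query;
}

// Defensive check for any redirect target taken from user input: it is only a
// local path if it starts with exactly one '/' followed by something other than
// '/' or '\' ('//host' is protocol-relative; some browsers normalise '\' to '/').
function isLocalRedirectTarget(target) {
  if (typeof target !== 'string') return false;
  return /^\/(?![\/\\])/.test(target);
}

// Configurable middleware (assumed option shape: { enabled: boolean }). When a
// request URL contains repeated slashes it is redirected to the normalised local
// path, so downstream handlers only ever see a single-slash-prefixed path.
function stripRepeatedSlashes(options = { enabled: true }) {
  return function (req, res, next) {
    if (!options.enabled) return next();
    const cleaned = collapseSlashes(req.url);
    if (cleaned !== req.url) {
      return res.redirect(302, cleaned);
    }
    return next();
  };
}

// Stand-alone harness with a minimal fake req/res so the middleware can be
// exercised without an Express server. Returns what the middleware decided.
function applyToUrl(url, enabled = true) {
  const result = { status: null, redirectedTo: null, passed: false };
  const req = { url };
  const res = {
    redirect(status, location) { result.status = status; result.redirectedTo = location; }
  };
  stripRepeatedSlashes({ enabled })(req, res, () => { result.passed = true; });
  return result;
}

// The URL from the PR description ends up as a local path, not a redirect to google.com.
console.log(applyToUrl('////google.com//'));        // { status: 302, redirectedTo: '/google.com/', passed: false }
console.log(isLocalRedirectTarget('//google.com')); // false
```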