Skip to content
This repository has been archived by the owner on May 3, 2024. It is now read-only.

feat(config): new config redirectAllowList #1050

Merged
merged 13 commits into from
Aug 2, 2023
Merged

feat(config): new config redirectAllowList #1050

merged 13 commits into from
Aug 2, 2023

Conversation

Matthew-Mallimo
Copy link
Member

Description

This adds a new appConfig option to configure an allow list for redirects.

Motivation and Context

We dont want to redirect anyone to malicious URLs in the case of user-inputed redirects.

How Has This Been Tested?

Unit and locally

Types of Changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation (adding or updating documentation)
  • Dependency update
  • Security update

Checklist:

  • My change requires a change to the documentation and I have updated the documentation accordingly.
  • These changes should be applied to a maintenance branch.
  • This change requires cross browser checks.
  • Performance tests should be ran against the server prior to merging.
  • This change impacts caching for client browsers.
  • This change impacts HTTP headers.
  • This change adds additional environment variable requirements for One App users.
  • I have added the Apache 2.0 license header to any new files created.

What is the Impact to Developers Using One App?

Allows further security enhancements through a customizable allow list.

@Matthew-Mallimo Matthew-Mallimo requested review from a team as code owners July 10, 2023 18:14
@github-actions
Copy link
Contributor

github-actions bot commented Jul 10, 2023
edited
Loading

Size Change: 0 B

Total Size: 689 kB

ℹ️ View Unchanged
Filename Size
./build/app/app.js 164 kB
./build/app/app~vendors.js 389 kB
./build/app/runtime.js 7.07 kB
./build/app/service-worker-client.js 7.26 kB
./build/app/vendors.js 122 kB

compressed-size-action

@smackfu smackfu requested a review from a team July 11, 2023 21:03
dogpatch626
dogpatch626 previously approved these changes Jul 13, 2023
View reviewed changes
10xLaCroixDrinker
10xLaCroixDrinker suggested changes Jul 13, 2023
View reviewed changes
Copy link
Member

@10xLaCroixDrinker 10xLaCroixDrinker left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The feedback I left on #1051 applies here as well

bishnubista
bishnubista previously approved these changes Jul 17, 2023
View reviewed changes
JAdshead
JAdshead suggested changes Aug 1, 2023
View reviewed changes
__tests__/server/utils/onModuleLoad.spec.jsx Outdated Show resolved Hide resolved
__tests__/server/utils/onModuleLoad.spec.jsx Outdated Show resolved Hide resolved
src/server/plugins/reactHtml/createRequestHtmlFragment.jsx
Comment on lines +120 to +123
if (!isRedirectUrlAllowed(redirect.url)) {
renderStaticErrorPage(request, reply);
throw new Error(`'${redirect.url}' is not an allowed redirect URL`);
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i think if an error is thrown it should always result in renderStaticErrorPage if not the case thats probably how it should work

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Throwing an error does not render the error page for us, verified this locally.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

after looking into this further, this is the expected pattern.

src/server/utils/onModuleLoad.js Show resolved Hide resolved
src/server/utils/redirectAllowList.js Outdated Show resolved Hide resolved
JAdshead
JAdshead reviewed Aug 1, 2023
View reviewed changes
src/server/utils/onModuleLoad.js
module,
moduleName,
}) {
export function setRootModuleConfigurations(module, moduleName) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this change should not be necessary with https://github.com/americanexpress/one-app/pull/984/files#diff-c2c760b479b24ea34c7eae704bba77b771c6ce7b48f7b4e6c8b386140de2ca9b

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

But that is a draft PR thats expected to go in after this PR

@Matthew-Mallimo Matthew-Mallimo merged commit d3a94e2 into main Aug 2, 2023
7 checks passed
@Matthew-Mallimo Matthew-Mallimo deleted the feat/redirectAllowList branch August 2, 2023 18:23
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@code-forger code-forger code-forger approved these changes

@JAdshead JAdshead JAdshead approved these changes

@10xLaCroixDrinker 10xLaCroixDrinker 10xLaCroixDrinker left review comments

@bishnubista bishnubista bishnubista left review comments

@smackfu smackfu Awaiting requested review from smackfu

@dogpatch626 dogpatch626 Awaiting requested review from dogpatch626

Assignees
No one assigned
Labels
Feature one-app-team-review-requested
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@Matthew-Mallimo @10xLaCroixDrinker @smackfu @code-forger @JAdshead @dogpatch626 @bishnubista