This repository has been archived by the owner on Feb 10, 2022. It is now read-only.
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Browse files
Browse the repository at this point in the history
Merge pull request #77 from craigspaeth/redirect-back
@craigspaeth (cc @dzucconi): Address open redirect issue
- Loading branch information
Showing
6 changed files
with
113 additions
and
36 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,38 @@ | ||
# | ||
# Cleans out urls so they are safe to redirect to inside of an artsy.net app. | ||
# Code stolen from Force, thanks @dzucconi! | ||
# | ||
_ = require 'underscore' | ||
{ parse } = require 'url' | ||
|
||
redirectFallback = '/' | ||
whitelistHosts = [ | ||
'internal' | ||
'localhost' | ||
'artsy.net' | ||
] | ||
whitelistProtocols = [ | ||
'http:' | ||
'https:' | ||
null | ||
] | ||
|
||
hasStatus = (args) -> | ||
args.length is 2 and typeof args[0] is 'number' | ||
|
||
bareHost = (hostname) -> | ||
return 'internal' unless hostname? | ||
_.last(hostname.split('.'), subdomainOffset = 2).join '.' | ||
|
||
normalizeAddress = (address) -> | ||
address | ||
.replace /^http(s?):\/+/, 'http://' | ||
.replace /\s/g, '' | ||
|
||
safeAddress = (address) -> | ||
parsed = parse(normalizeAddress(address), false, true) | ||
_.contains(whitelistProtocols, parsed.protocol) and | ||
_.contains(whitelistHosts, bareHost(parsed.hostname)) | ||
|
||
module.exports = (address) -> | ||
if safeAddress(address) then address else redirectFallback |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,58 @@ | ||
sinon = require 'sinon' | ||
{ sanitizeRedirect } = require '../../' | ||
|
||
describe 'sanitizeRedirect', -> | ||
it 'lets artsy.net through', -> | ||
sanitizeRedirect('http://artsy.net').should.equal 'http://artsy.net' | ||
|
||
it 'lets artsy.net without a protocol through', -> | ||
sanitizeRedirect('//artsy.net').should.equal '//artsy.net' | ||
|
||
it 'lets artsy.net subdomains through', -> | ||
sanitizeRedirect('http://2013.artsy.net').should.equal 'http://2013.artsy.net' | ||
|
||
it 'lets artsy.net subdomains without a protocol through', -> | ||
sanitizeRedirect('//2013.artsy.net').should.equal '//2013.artsy.net' | ||
|
||
it 'lets relative paths through', -> | ||
sanitizeRedirect('/path').should.equal '/path' | ||
|
||
it 'lets deeply nested artsy.net subdomains through', -> | ||
sanitizeRedirect('https://foo.2013.artsy.net').should.equal 'https://foo.2013.artsy.net' | ||
|
||
it 'lets artsy.net links through', -> | ||
sanitizeRedirect('https://artsy.net/about').should.equal 'https://artsy.net/about' | ||
|
||
it 'lets localhost through', -> | ||
sanitizeRedirect('http://localhost:3003/artwork/joe-piccillo-a-riposo').should.equal 'http://localhost:3003/artwork/joe-piccillo-a-riposo' | ||
|
||
it 'lets internal paths through', -> | ||
sanitizeRedirect('/log_in?redirect-to=/foo/bar').should.equal '/log_in?redirect-to=/foo/bar' | ||
|
||
it 'blocks data urls', -> | ||
sanitizeRedirect('data:text/html;base64,PHNjcmlwdD5hbGVydChsb2NhdGlvbi5oYXNoKTs8L3NjcmlwdD4=')[0].should.equal '/' | ||
|
||
it 'blocks external links not whitelisted; redirects to root', -> | ||
sanitizeRedirect('http://google.com').should.equal '/' | ||
|
||
it 'blocks external links that lack protocol; redirects to root', -> | ||
sanitizeRedirect('//google.com').should.equal '/' | ||
|
||
it 'blocks other protocols; redirects to root', -> | ||
sanitizeRedirect('ftp://google.com').should.equal '/' | ||
|
||
it 'blocks other protocols; redirects to root', -> | ||
sanitizeRedirect('javascript:alert(1);').should.equal '/' | ||
|
||
it 'blocks malformed URLs (1)', -> | ||
sanitizeRedirect('http:/google.com').should.equal '/' | ||
|
||
it 'blocks malformed URLs (2)', -> | ||
sanitizeRedirect('https:/google.com').should.equal '/' | ||
|
||
it 'blocks malformed URLs (3)', -> | ||
sanitizeRedirect('http:///google.com').should.equal '/' | ||
|
||
it 'strips out whitespace', -> | ||
sanitizeRedirect('''http://artsy.net | ||
attacker.com/''').should.equal '/' |