
fix(clerk-js): Directory traversal relative URL detection#4483

Merged
nikosdouvlis merged 7 commits into main from brk.fix/redirect-validation on Nov 6, 2024

Conversation

@brkalow
Member

@brkalow brkalow commented Nov 4, 2024

Description

Checklist

  • npm test runs as expected.
  • npm run build runs as expected.
  • (If applicable) JSDoc comments have been added or updated for any package exports
  • (If applicable) Documentation has been updated

Type of change

  • 🐛 Bug fix
  • 🌟 New feature
  • 🔨 Breaking change
  • 📖 Refactoring / dependency upgrade / documentation
  • other:

@changeset-bot

changeset-bot Bot commented Nov 4, 2024

🦋 Changeset detected

Latest commit: cb9f3a1

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 3 packages
  • @clerk/clerk-js: Patch
  • @clerk/chrome-extension: Patch
  • @clerk/clerk-expo: Patch


@nikosdouvlis nikosdouvlis marked this pull request as ready for review November 5, 2024 19:49
export const isAllowedRedirect =
  (allowedRedirectOrigins: Array<string | RegExp> | undefined) => (_url: string) => {
    if (!allowedRedirectOrigins) {
      return true;
Member Author


This function now deals with full URLs, instead of potentially relative URLs as well. This makes our checks more consistent, and removes situations where we treat a relative URL as okay, make it absolute, and then it ends up being problematic.

});

describe('isRelativeUrl(url,base)', () => {
describe('isProblematicUrl(url)', () => {
Member Author


Could potentially do with more test cases here, but with the shift to checking against full URLs we get more guarantees from the existing origin check.
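To make both review comments concrete (validating the resolved full URL rather than a possibly relative one, and the kinds of test inputs such a check wants), here is an added example in TypeScript; it is not clerk-js code. `resolveRedirectUrl`, `isAllowedRedirectUrl`, `SAMPLES`, `checkSamples` and the sample origin are assumptions of this example, as is its choice to allow only same-origin targets when no allowlist is configured.

```typescript
// Added example, not clerk-js code. Names, base origin and inputs are assumptions.
const BASE = 'https://app.example.com/'; // constructed sample app origin

// Resolve a candidate (absolute or relative) against the base; null if unparsable.
export function resolveRedirectUrl(candidate: string, base: string): URL | null {
  try {
    return new URL(candidate, base);
  } catch {
    return null;
  }
}

// Judge the *resolved* URL only, so protocol-relative ("//host") and
// backslash ("/\host") spellings are checked by where they actually land.
export function isAllowedRedirectUrl(
  candidate: string,
  base: string,
  allowedOrigins: Array<string | RegExp> | undefined,
): boolean {
  const url = resolveRedirectUrl(candidate, base);
  if (!url) return false;
  // Only web schemes may be redirect targets.
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return false;
  const origin = url.origin;
  // Same origin as the app is always fine.
  if (origin === new URL(base).origin) return true;
  // Assumption of this example: without an allowlist nothing else is allowed.
  if (!allowedOrigins) return false;
  return allowedOrigins.some(rule =>
    typeof rule === 'string' ? rule === origin : rule.test(origin),
  );
}

// Constructed inputs covering the cases a string-based relative-URL check misjudges.
export const SAMPLES: Array<[string, boolean]> = [
  ['/dashboard', true],                 // plain relative path
  ['dashboard?x=1', true],              // relative without a leading slash
  ['//other.example/x', false],         // protocol-relative, lands off-origin
  ['/\\other.example/x', false],        // backslash form resolves to other.example
  ['https://app.example.com/ok', true], // absolute, same origin
  ['javascript:void(0)', false],        // non-web scheme
];

// True when every sample is classified as expected with no allowlist configured.
export function checkSamples(): boolean {
  return SAMPLES.every(([c, want]) => isAllowedRedirectUrl(c, BASE, undefined) === want);
}
```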

@nikosdouvlis nikosdouvlis force-pushed the brk.fix/redirect-validation branch from 9876c25 to cb9f3a1 on November 6, 2024 05:24
@nikosdouvlis nikosdouvlis merged commit 9557b55 into main Nov 6, 2024
@nikosdouvlis nikosdouvlis deleted the brk.fix/redirect-validation branch November 6, 2024 05:25
wobsoriano pushed a commit that referenced this pull request Feb 8, 2025
Co-authored-by: Nikos Douvlis <nikosdouvlis@gmail.com>