Suggestion: Joi.string().uri({ allowRelativeOnly }) #1015
Comments
This shouldn't be a major change, happy to take a PR about it. Prefer shorter

Fixed by #1034.
I warn you that

My approach:

```js
const Joi = require('joi');

// Require a relative URI, then reject protocol-relative values ("//host/...")
// by inverting a regex match on a leading double slash.
const schema = Joi.object({
  redirect_to_relative: Joi.string().uri({
    relativeOnly: true
  }).regex(/^\/\//, { invert: true })
});
```
Technically it is a relative URI, relative to the root. It is following the RFC, if I remember correctly.

Yes, it conforms to the RFC, but it doesn't solve the redirection problem stated in the first post by @davidjamesstone, because it is still open to redirection attacks. Because the hash fragment is not passed to the server, it must be percent-encoded into the query string parameter (e.g.
Or you may come up with a more flexible configuration like:

This thread has been automatically locked due to inactivity. Please open a new issue for related bugs or questions following the new issue template instructions.
Similar to the `allowRelative` option for `Joi.string().uri()`, but to mandate that the URI is relative.

Why?
A common use case for passing URLs around in the query string is to perform some subsequent redirection, e.g.

`http://www.example.com/do-something?returnUrl=/summary`
It's very likely that you would only ever want the returnUrl to be relative to the current domain. Doing so can also prevent Open Redirection Attacks.
We are currently using the is-relative-url package to ensure the returnUrl is local.
Alternatively, Microsoft's C# algorithm looks like this (here's a blog which includes a coffeescript implementation of the same):
This could be useful to base something off (removing the tilde `~` logic as it is only relevant to ASP).
It would be nice if we could have Joi do this for us. Thoughts?
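The check this thread is circling, written out as an added example in plain JavaScript. It is not code from this issue, from the joi project, or from the ASP.NET source the original post refers to. It accepts only root-relative paths, rejects the protocol-relative `//host` form raised in the comments and the `/\host` variant that browsers also treat as an authority, and cross-checks the result by resolving the value against a trusted origin with the WHATWG `URL` parser. The function names, the `https://app.example` origin and the sample values are assumptions constructed for the example.

```javascript
// Added example: a same-origin redirect check of the kind the joi issue asks
// for. Not joi's, the issue author's, or Microsoft's code; names, origin and
// samples below are assumptions made for illustration.

/**
 * True only if `url` is safe to use as a redirect target on the current origin.
 *
 *  1. must be a non-empty string
 *  2. must start with "/" (root-relative path)
 *  3. the second character must not be "/" or "\": "//evil.example" is
 *     protocol-relative, and "/\evil.example" is parsed the same way by
 *     browsers
 *  4. no C0 control characters (CR/LF would let the value split a
 *     Location header; this rule is extra hardening, not from the thread)
 */
function isLocalRedirect(url) {
  if (typeof url !== 'string' || url.length === 0) return false;
  if (url[0] !== '/') return false;
  if (url.length > 1 && (url[1] === '/' || url[1] === '\\')) return false;
  if (/[\u0000-\u001f\u007f]/.test(url)) return false;
  return true;
}

/**
 * Independent cross-check: resolve `url` against a trusted origin using the
 * WHATWG URL parser and confirm the origin is unchanged. This catches the
 * authority-smuggling forms ("//host", "/\host", absolute URLs, schemes),
 * but NOT CR/LF injection, because the URL parser strips tabs and newlines
 * before parsing. Use it alongside isLocalRedirect, not instead of it.
 */
function staysOnOrigin(url, origin = 'https://app.example') {
  try {
    return new URL(url, origin).origin === origin;
  } catch (_err) {
    return false;
  }
}

// Constructed sample values, as a returnUrl parameter might carry them,
// paired with the verdict isLocalRedirect is expected to give.
const SAMPLES = [
  ['/summary', true],
  ['/', true],
  ['/account/settings?tab=2', true],
  ['//evil.example/phish', false],         // protocol-relative
  ['/\\evil.example', false],              // backslash form, browsers read as //
  ['https://evil.example', false],         // absolute URL
  ['javascript:alert(1)', false],          // scheme, no leading slash
  ['summary', false],                      // path-relative, not root-relative
  ['/summary\r\nSet-Cookie: x=1', false],  // header-injection attempt
  ['', false],
];

// Evaluate every sample with both checks; `agrees` is true when
// isLocalRedirect matches the expected verdict.
function checkSamples() {
  return SAMPLES.map(([value, expected]) => ({
    value,
    local: isLocalRedirect(value),
    sameOrigin: staysOnOrigin(value),
    expected,
    agrees: isLocalRedirect(value) === expected,
  }));
}

console.table(checkSamples());
```

Two of the sample rows are worth noticing in the table. `summary` (no leading slash) resolves to the same origin, yet the stricter check refuses it: a path-relative value lands somewhere that depends on the page the redirect is issued from, which is rarely what a `returnUrl` is meant to express. The CR/LF sample is refused by the character check but passes the origin check, because the URL parser discards newlines before it looks at the value. The regex workaround posted above catches `//` but not the `/\` form, which is the main thing the second rule adds.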