/*
* Copyright (c) 2014-2026 Bjoern Kimminich & the OWASP Juice Shop contributors.
* SPDX-License-Identifier: MIT
*/
import { type Request, type Response, type NextFunction } from 'express'
import * as challengeUtils from '../lib/challengeUtils'
import { challenges } from '../data/datacache'
import * as security from '../lib/insecurity'
import * as utils from '../lib/utils'
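/**
 * Builds the Express handler for the redirect route.
 *
 * The target is read from the `to` query parameter and is followed only when
 * `security.isRedirectAllowed` accepts it; any other value is answered with
 * HTTP 406 and handed to the error middleware. The two `solveIf` calls only
 * record challenge progress and have no influence on the redirect decision.
 *
 * @returns an Express request handler `(req, res, next) => void`
 */
export function performRedirect () {
  return ({ query }: Request, res: Response, next: NextFunction) => {
    const rawTarget = query.to
    // Query parsing may produce an array or a nested object for `to`
    // (repeated or bracketed parameters) or leave it undefined. The previous
    // `as string` cast let such values reach the allowlist check and
    // `res.redirect`; only a plain string is treated as a candidate target.
    const toUrl = typeof rawTarget === 'string' ? rawTarget : undefined
    if (toUrl !== undefined && security.isRedirectAllowed(toUrl)) {
      // Challenge bookkeeping: exact-match checks against the three known
      // donation addresses, then the "unintended" (not allowlist-prefixed) case.
      challengeUtils.solveIf(challenges.redirectCryptoCurrencyChallenge, () => {
        return toUrl === 'https://explorer.dash.org/address/Xr556RzuwX6hg5EGpkybbv5RanJoZN17kW' ||
          toUrl === 'https://blockchain.info/address/1AbKfgvw9psQ41NbLi8kufDQTezwG8DRZm' ||
          toUrl === 'https://etherscan.io/address/0x0f933ab9fcaaa782d0279c300d73750e1311eae6'
      })
      challengeUtils.solveIf(challenges.redirectChallenge, () => { return isUnintendedRedirect(toUrl) })
      res.redirect(toUrl)
    } else {
      // Same status and message as before; String() keeps the wording for
      // undefined/array/object inputs identical to the old string concatenation.
      res.status(406)
      next(new Error('Unrecognized target URL for redirect: ' + String(rawTarget)))
    }
  }
}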
/**
 * Reports whether `toUrl` does not start with any entry of
 * `security.redirectAllowlist`, i.e. whether the redirect reached this point
 * without being prefixed by an allowlisted URL.
 *
 * @param toUrl - the redirect target that already passed `isRedirectAllowed`
 * @returns `true` when no allowlist entry is a prefix of `toUrl`
 */
function isUnintendedRedirect (toUrl: string): boolean {
  // First allowlisted prefix wins; the original also stopped evaluating
  // `utils.startsWith` once a match had flipped the result.
  for (const allowedUrl of security.redirectAllowlist) {
    if (utils.startsWith(toUrl, allowedUrl)) {
      return false
    }
  }
  return true
}