Framework fix for open redirect vulnerability
Manny committed Mar 23, 2021
1 parent ec0db45 commit fad8fba
Showing 4 changed files with 91 additions and 28 deletions.
39 changes: 39 additions & 0 deletions core/Web.js
Expand Up @@ -122,6 +122,9 @@ class Web {
}

this.app = express();

fixOpenRedirect(this);

this.events = {};
this.modelCache = new Object();
this.plugins = [];
Expand Down Expand Up @@ -763,6 +766,42 @@ function defaultRedirectToHttpsMiddleware(req, res) {
res.end();
}

function fixOpenRedirect(web) {
// Fix for open redirect security
let redirectSafe = web.app.response.redirect;
web.app.response.redirectSafe = function(url) {
return redirectSafe.call(this, url);
}

var addHostOnceFlag = true;

web.app.response.redirect = function(url) {

if (url.indexOf('://') != -1) {

let req = this.req;

if (addHostOnceFlag) {
var host = req.protocol + '://' + req.headers.host;
web.conf.allowedRedirectHosts.push(host);
addHostOnceFlag = false;
console.log("Added host once: " + host);
}

const found = web.conf.allowedRedirectHosts.find(el => url.indexOf(el) == 0);

if (!found) {
var ip = web.utils.getClientIp(req);

console.warn("Open redirect was triggered: ", req.method, req.user ? req.user.email : "unsigned user", ip, "accessed", req.url, req.headers['user-agent']);
throw new Error("Action not allowed.");
}

}
return redirectSafe.call(this, url);
}
}


function startServer(web, cb) {

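Review bot: The allowlist test at `url.indexOf(el) == 0` is a prefix match, so once `https://example.com` is allowed `https://example.com.evil.com/` and `https://example.com@evil.com/` pass too, and the `url.indexOf('://') != -1` gate never examines protocol-relative targets such as `//evil.com`, which browsers still follow off-site. The `addHostOnceFlag` branch additionally pushes `req.protocol + '://' + req.headers.host` from the first absolute redirect into the shared `allowedRedirectHosts` for the life of the process, and Host is client-supplied, so unless a reverse proxy pins it the client that triggers that first redirect picks the permanently allowlisted origin. The override also drops Express's `res.redirect(status, url)` form: `url` is then a number and `url.indexOf` throws. I would resolve the target with `new URL(url, requestOrigin)`, compare `origin` exactly against the current request's origin and the configured entries (no persistence of Host), and forward all arguments to the original as sketched below; `redirectSafe` is really the unchecked original, so a name like `rawRedirect` would read less misleadingly. Throwing from inside `res.redirect` surfaces as an uncaught exception if a caller invokes it from an async callback rather than synchronously in a handler — worth confirming how the framework's callers use it.
```javascript
  web.app.response.redirect = function(...args) {
    const req = this.req;
    // Express accepts (url), (status, url) and the deprecated (url, status);
    // forward every argument unchanged and only inspect the string one.
    const url = args.find((a) => typeof a === 'string');
    const requestOrigin = `${req.protocol}://${req.headers.host}`;

    let target;
    try {
      // Resolving against the request origin normalises relative paths,
      // '//evil.com', '/\\evil.com' and 'https:evil.com' before comparison.
      target = new URL(url, requestOrigin);
    } catch (err) {
      throw new Error("Action not allowed.");
    }

    // Exact origin comparison: same-origin is always fine, anything else must
    // be a configured origin. Nothing derived from Host is persisted.
    const allowed = target.origin === new URL(requestOrigin).origin
      || web.conf.allowedRedirectHosts.some((el) => {
        try { return new URL(el).origin === target.origin; } catch (err) { return false; }
      });

    if (!allowed) {
      // … unchanged: console.warn with method, user, ip, url, user-agent …
      throw new Error("Action not allowed.");
    }
    return redirectSafe.apply(this, args);
  }
```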
1 change: 1 addition & 0 deletions core/conf/conf-default.js
Expand Up @@ -11,6 +11,7 @@ module.exports = function(webSel) {

dataDir: 'data',
tmpDir: 'data/tmp',
allowedRedirectHosts: [],

extendWeb: {
enabled: true,
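Review bot: The new `allowedRedirectHosts` entry gives no hint of the expected format; core/Web.js compares redirect targets against these strings with `indexOf(el) == 0`, so an entry has to be scheme plus host such as `'https://example.com'`, and a bare hostname will never match. I would document that on the line itself, `allowedRedirectHosts: [], // full origins, e.g. 'https://example.com'; redirects to any other origin are rejected`, so operators configure it correctly the first time.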
75 changes: 49 additions & 26 deletions package-lock.json


4 changes: 2 additions & 2 deletions package.json
@@ -1,6 +1,6 @@
{
"name": "oils",
"version": "7.8.6",
"version": "8.0.0",
"description": "A slightly opinionated web framework built on top of Express 4.",
"keywords": [
"OilsJs",
Expand Down Expand Up @@ -41,7 +41,7 @@
"method-override": "~3.0.0",
"moment": "~2.24.0",
"moment-timezone": "^0.5.27",
"mongoose": "^5.10.6",
"mongoose": "^5.12.2",
"nanoid": "^3.1.20",
"nomnom": "1.8.x",
"nunjucks": "^3.2.1",
