feat: add check for at signs in redirect url #3510
Conversation
NV-2228 Open redirect vulnerability
Description

An open redirect vulnerability exists in `/v1/auth/github/callback`. The vulnerable code: `https://github.com/novuhq/novu/blob/5f94d65b1ab8d618aed9768a6e2877a1614e10d8/apps/api/src/app/auth/auth.controller.ts#L94-L96`.

Steps to reproduce

Prerequisite: Enable Sign In with GitHub functionality.

0. [Attacker] Send the following URL to the victim: `https://<novu_api>/v1/auth/github?source=web&redirectUrl=http://localhost:pass<attacker_server>/`
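The report above hinges on the fact that a `startsWith('http://localhost:')` test never looks at which host the URL actually resolves to. The following is an added example, not Novu's own code, contrasting that prefix check with a parser-based allowlist built on Node's global WHATWG `URL` class; the sample inputs are constructed here from the shape of the reported payload and of a legitimate CLI redirect.

```typescript
// Constructed sample inputs (not from the project): the payload shape from
// the report, and the kind of localhost URL the CLI flow legitimately uses.
const REPORTED_PAYLOAD = 'http://localhost:pass@attacker.example/';
const LEGIT_CLI_REDIRECT = 'http://localhost:1234/';

/** The pre-fix check from the controller: a bare string-prefix test. */
function prefixCheck(redirectUrl: string | undefined): boolean {
  return !!redirectUrl && redirectUrl.startsWith('http://localhost:');
}

/**
 * Parser-based alternative: hand the value to the URL parser and allow it
 * only when the parsed hostname is localhost, the scheme is plain http and
 * no userinfo is present. Anything the parser rejects is rejected too.
 */
function isAllowedLocalhostRedirect(redirectUrl: string | undefined): boolean {
  if (!redirectUrl) return false;
  let parsed: URL;
  try {
    parsed = new URL(redirectUrl);
  } catch {
    return false; // malformed input is never forwarded as a Location
  }
  return (
    parsed.protocol === 'http:' &&
    parsed.hostname === 'localhost' &&
    parsed.username === '' &&
    parsed.password === ''
  );
}
```

For the constructed payload the prefix check returns true while the parser-based check returns false, because `new URL()` reads `localhost:pass` as userinfo and `attacker.example` as the host.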
@@ -91,7 +91,7 @@ export class AuthController { | |||
* Make sure we only allow localhost redirects for CLI use and our own success route | |||
* https://github.com/novuhq/novu/security/code-scanning/3 | |||
*/ | |||
if (redirectUrl && redirectUrl.startsWith('http://localhost:')) { | |||
if (redirectUrl && redirectUrl.startsWith('http://localhost:') && !redirectUrl.includes('@')) { |
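Review bot: the added `!redirectUrl.includes('@')` on the changed line closes the userinfo trick from the linked report, but the condition still treats `redirectUrl` as an opaque string with a prefix test plus a character denylist, which is hard to reason about and easy to extend incorrectly later. Consider parsing the value once with `new URL(redirectUrl)` (rejecting anything that throws) and allowing it only when `hostname === 'localhost'`, `protocol === 'http:'` and `username`/`password` are empty; that states the intent directly and does not depend on which characters are listed. Whichever form is kept, please add a unit test that feeds the reported `http://localhost:pass@...` shape through this branch so the regression stays covered, and update the comment above the condition, which still describes only the localhost intent and not the new userinfo restriction.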
Are we missing the check for the question mark? Based on the PR title.
Dima and I discussed it and said it was not needed after I had created the PR :)
No, it was not needed in the end :) I see David updated the title
Fixing the redirect vulnerability in the GitHub OAuth endpoint.