
Commit 3870793

authored
fix(security): Prevent redirect to a disguised domain (#498)
Improves #496, as suggested on this report: https://huntr.dev/bounties/6b8acb0c-8b5d-461e-9b46-b1bfb5a8ccdf/
1 parent 8fa2e93 commit 3870793


2 files changed

+11
-1
lines changed


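--- a/app/models/logging.js
+++ b/app/models/logging.js
@@ -262,7 +262,8 @@ http.ServerResponse.prototype.redirect = function (url) {
 
 http.ServerResponse.prototype.safeRedirect = function (url) {
 const fullURL = new URL(url, config.urlPrefix);
-if (!fullURL.toString().startsWith(config.urlPrefix)) return this.forbidden();
+if (`${fullURL.protocol}//${fullURL.host}` !== config.urlPrefix)
+return this.forbidden();
 this.redirect(url);
 };
 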
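Review bot: `safeRedirect` validates the parsed `fullURL` but still calls `this.redirect(url)` with the raw string, so the value that was checked is not the value that ends up in the response. Redirecting to the normalised form keeps the two identical, assuming `redirect` (defined outside this hunk) accepts an absolute URL. The new comparison also only matches when `config.urlPrefix` is written exactly as a bare origin: a trailing slash, a path, an upper-case host or an explicit default port would make every redirect return 403, which comparing `origin` on both sides avoids. Finally, `new URL(url, config.urlPrefix)` throws a `TypeError` on unparsable input and nothing in the function catches it, so a malformed target surfaces as an unhandled exception rather than a 403.

```javascript
http.ServerResponse.prototype.safeRedirect = function (url) {
  let fullURL;
  try {
    fullURL = new URL(url, config.urlPrefix);
  } catch (err) {
    // Unparsable target: refuse instead of letting the TypeError escape.
    return this.forbidden();
  }
  // Compare normalised origins so the check does not depend on how
  // config.urlPrefix happens to be spelled.
  if (fullURL.origin !== new URL(config.urlPrefix).origin) {
    return this.forbidden();
  }
  // Send exactly the URL that was validated.
  this.redirect(fullURL.href);
};
```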
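--- a/test/api/security.api.tests.js
+++ b/test/api/security.api.tests.js
@@ -43,5 +43,14 @@ describe('security', () => {
 });
 assert.equal(response.statusCode, 403); // forbidden
 });
+
+it('should NOT allow redirect to a disguised domain', async () => {
+const { jar } = await loginAs(ADMIN_USER);
+const { response } = await postRaw(jar, `/consent`, {
+lang: 'en',
+redirect: `${URL_PREFIX}@google.com`,
+});
+assert.equal(response.statusCode, 403); // forbidden
+});
 });
 });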
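Review bot: Both cases visible in this hunk assert only a 403, so a `safeRedirect` that rejects every target (for example when `URL_PREFIX` carries a trailing slash and the strict equality never matches) would still pass. Unless one already exists outside the hunk, add a positive case asserting that a same-site target such as `redirect: '/'` is still followed and does not return 403. It would also be worth pinning the sibling of the `@` case that the old `startsWith` check accepted, a host that merely begins with the prefix, using a constructed value like `URL_PREFIX + '.example.com'`. The `describe('security')` block starts before this hunk, so existing coverage may already include these.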
