Fix XSS vulnerability on Stripe payment page
excid3 committed Apr 19, 2023
1 parent a1f60d1 commit 5d6283a
Showing 3 changed files with 14 additions and 2 deletions.
3 changes: 3 additions & 0 deletions CHANGELOG.md
Expand Up @@ -2,6 +2,9 @@

### Unreleased

* [SECURITY] Fix XSS vulnerability in back parameter on Stripe payment page
Previously, an attacker could inject Javascript or redirect the user to any URL by changing the `back` parameter in the URL.
The `back` parameter is now sanitized and restricted to relative paths.
* Remove unused attributes for `plan` and `quantity` in `app/models/pay/customer.rb`.
* Add explicit requires for `active_support` and `action_mailer` in `lib/pay.rb`. This should provide better errors for anyone not requiring all of Rails.

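Review bot: the sentence "The `back` parameter is now sanitized and restricted to relative paths" overstates what the controller change does. `URI.parse(params[:back].to_s).path` keeps only the path component of whatever was supplied, so `back=https://evil.example/foo` becomes `/foo` on this host (an absolute path, not a relative one), and any query string or fragment is dropped, so a legitimate caller passing `back=/subscriptions?plan=pro` now lands on `/subscriptions`. Say "restricted to the path component of the supplied value (query string and fragment are discarded)" and flag that second part as a behavioural change for existing callers. Minor: "Javascript" should be "JavaScript".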
11 changes: 10 additions & 1 deletion app/controllers/pay/payments_controller.rb
Expand Up @@ -2,9 +2,18 @@ module Pay
class PaymentsController < ApplicationController
layout "pay/application"

before_action :set_redirect_to

def show
@redirect_to = params[:back].presence || root_path
@payment = Payment.from_id(params[:id])
end

private

# Ensure the back parameter is a valid path
# This safely handles XSS or external redirects
def set_redirect_to
@redirect_to = URI.parse(params[:back].to_s).path || root_path
end
end
end
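Review bot: `set_redirect_to` drops the `presence` check that the removed `@redirect_to = params[:back].presence || root_path` line had, so a missing or empty `back` no longer falls back to `root_path`: `URI.parse("").path` is `""`, and an empty string is truthy in Ruby, so `@redirect_to` becomes `""` and the Back link points at the payment page itself. Apply `.presence` to the parsed path instead, `@redirect_to = URI.parse(params[:back].to_s).path.presence || root_path`, which also covers the case where the parser yields no path at all. Second, `URI.parse` raises `URI::InvalidURIError` for any value containing characters that are not legal in a URI (`back=<script>`, or a value with a space or a backslash, is enough), and nothing here rescues it, so an attacker-controlled query parameter now produces a 500 on the payment page; rescue `URI::InvalidURIError` and fall back to `root_path`. Third, the comment "This safely handles XSS or external redirects" should say why it is safe: only the path component survives, so neither a scheme (`javascript:`) nor a host from the parameter can reach the view. Finally, the commit ships no test (three files changed, none under test/); a request spec exercising `back=javascript:alert(1)`, `back=https://evil.example/`, `back=//evil.example/x`, `back=` and a malformed value would pin this behaviour and catch the two regressions above.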
2 changes: 1 addition & 1 deletion app/views/pay/payments/show.html.erb
Expand Up @@ -54,7 +54,7 @@
</div>
<% end %>
<%= link_to t("pay.back"), @redirect_to, class: "inline-block w-full px-4 py-3 bg-gray-100 hover:bg-gray-200 text-center text-gray-600 rounded-lg" %>
<%= sanitize link_to(t("pay.back"), @redirect_to, class: "inline-block w-full px-4 py-3 bg-gray-100 hover:bg-gray-200 text-center text-gray-600 rounded-lg") %>
</div>

<p class="text-center text-gray-500 text-sm">
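Review bot: wrapping `link_to` in `sanitize` is defence in depth, not the fix, and the distinction should be recorded in a comment so it is not mistaken for the control. `link_to` already HTML-escapes the `href` attribute, so the XSS on this page came through the URL scheme (`javascript:`) rather than through markup injection, and once `set_redirect_to` in the controller reduces `@redirect_to` to a path component there is no scheme left for `sanitize` to strip. Keeping it means the anchor is re-serialised through the safe-list sanitizer and its attribute and protocol allow-lists (`a`, `href` and `class` are on the default list, so the styling survives), which is fine as a backstop, but if the controller guard is the invariant you want to rely on, a test on that guard is worth more than this wrapper.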

0 comments on commit 5d6283a