fix: redirect vulnerability on error, sign in and totp page

stonith404 · Apr 5, 2024 · 384fd19 · 384fd19
1 parent 9d1a12b
commit 384fd19
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 7 deletions.
diff --git a/frontend/src/components/auth/SignInForm.tsx b/frontend/src/components/auth/SignInForm.tsx
@@ -25,6 +25,7 @@ import useTranslate from "../../hooks/useTranslate.hook";
 import authService from "../../services/auth.service";
 import { getOAuthIcon, getOAuthUrl } from "../../utils/oauth.util";
 import toast from "../../utils/toast.util";
+import { safeRedirectPath } from "../../utils/router.util";
 
 const useStyles = createStyles((theme) => ({
   or: {
@@ -98,7 +99,7 @@ const SignInForm = ({ redirectPath }: { redirectPath: string }) => {
           );
         } else {
           await refreshUser();
-          router.replace(redirectPath);
+          router.replace(safeRedirectPath(redirectPath));
         }
       })
       .catch(toast.axiosError);

diff --git a/frontend/src/components/auth/TotpForm.tsx b/frontend/src/components/auth/TotpForm.tsx
@@ -6,15 +6,16 @@ import {
   PinInput,
   Title,
 } from "@mantine/core";
+import { useForm, yupResolver } from "@mantine/form";
+import { useRouter } from "next/router";
+import { useState } from "react";
 import { FormattedMessage } from "react-intl";
 import * as yup from "yup";
 import useTranslate from "../../hooks/useTranslate.hook";
-import { useForm, yupResolver } from "@mantine/form";
-import { useState } from "react";
+import useUser from "../../hooks/user.hook";
 import authService from "../../services/auth.service";
+import { safeRedirectPath } from "../../utils/router.util";
 import toast from "../../utils/toast.util";
-import { useRouter } from "next/router";
-import useUser from "../../hooks/user.hook";
 
 function TotpForm({ redirectPath }: { redirectPath: string }) {
   const t = useTranslate();
@@ -46,7 +47,7 @@ function TotpForm({ redirectPath }: { redirectPath: string }) {
         router.query.loginToken as string,
       );
       await refreshUser();
-      await router.replace(redirectPath);
+      await router.replace(safeRedirectPath(redirectPath));
     } catch (e) {
       toast.axiosError(e);
       form.setFieldError("code", "error");

diff --git a/frontend/src/pages/error.tsx b/frontend/src/pages/error.tsx
@@ -4,6 +4,7 @@ import Meta from "../components/Meta";
 import useTranslate from "../hooks/useTranslate.hook";
 import { useRouter } from "next/router";
 import { FormattedMessage } from "react-intl";
+import { safeRedirectPath } from "../utils/router.util";
 
 const useStyle = createStyles({
   title: {
@@ -39,7 +40,9 @@ export default function Error() {
         </Text>
         <Button
           mt="xl"
-          onClick={() => router.push((router.query.redirect as string) || "/")}
+          onClick={() =>
+            router.push(safeRedirectPath(router.query.redirect as string))
+          }
         >
           {t("error.button.back")}
         </Button>

diff --git a/frontend/src/utils/router.util.ts b/frontend/src/utils/router.util.ts
@@ -0,0 +1,7 @@
+export function safeRedirectPath(path: string | undefined) {
+  if (!path) return "/";
+
+  if (!path.startsWith("/")) return `/${path}`;
+
+  return path;
+}