Remove outdated strip-js dependency

.github/workflows/npm-publish.yml

@@ -28,7 +28,6 @@ jobs:
           node-version: 16
           registry-url: https://registry.npmjs.org/
       - run: yarn run ci
-      - run: yarn run build
-      - run: npm publish --tag latest
+      - run: yarn publish --tag $(node getPkgTag.js) --non-interactive
         env:
           NODE_AUTH_TOKEN: ${{secrets.npm_token}}

getPkgTag.js

@@ -0,0 +1,3 @@
+process.stdout.write(
+  require("./package.json").version.includes("-") ? "next" : "latest"
+);

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@twilio-labs/netlify-okta-auth",
-  "version": "1.0.0",
+  "version": "1.0.1",
   "description": "Implement Okta-based access control for your static site hosted on Netlify",
   "keywords": [
     "okta",
@@ -43,7 +43,6 @@
     "@netlify/functions": "^0.10.0",
     "constant-case": "^3.0.4",
     "jwks-rsa": "^2.0.5",
-    "node-jsonwebtoken": "^0.0.1",
-    "strip-js": "^1.2.0"
+    "node-jsonwebtoken": "^0.0.1"
   }
 }

src/login.ts

@@ -4,8 +4,8 @@ import {
   getFallbackRawUrl,
   Options,
   loadOptionsFromEnvironment,
+  validateUrl,
 } from "./utils";
-import stripJs from "strip-js";
 
 export function getLoginHandler(options: Options = {}): Handler {
   // Primary lambda function handler
@@ -41,7 +41,7 @@ export function getLoginHandler(options: Options = {}): Handler {
         "?redirect_to=" + encodeURIComponent(authUrl.toString());
       targetRedirectUrl = prodLoginUrl.toString();
     } else if (event.queryStringParameters?.redirect_to) {
-      redirectToJs = stripJs(event.queryStringParameters.redirect_to);
+      redirectToJs = validateUrl(event.queryStringParameters.redirect_to, "/");
     }
 
     if (!targetRedirectUrl) {

src/tests/login.test.ts

@@ -106,6 +106,23 @@ describe("login", () => {
     });
   });
 
+  test("redirect to Okta with JavaScript injection attack", async () => {
+    const javaScriptInjection = `"; window.alert("hi"); //`;
+    redirectTest({
+      expectedRedirectCookie: "/%22;%20window.alert(%22hi%22);%20//",
+      event: {
+        ...loginEvent,
+        rawUrl:
+          loginEvent.rawUrl +
+          "?redirect_to=" +
+          encodeURIComponent(javaScriptInjection),
+        queryStringParameters: {
+          redirect_to: javaScriptInjection,
+        },
+      },
+    });
+  });
+
   test("redirect to Okta with redirect_to using fallback raw url", async () => {
     redirectTest({
       expectedRedirectCookie: "/docs/foo",

src/tests/utils.test.ts

@@ -7,6 +7,7 @@ import {
   loadOptionsFromEnvironment,
   jsonContentTypeHeader,
   Options,
+  validateUrl,
 } from "../utils";
 
 describe("getCookie", () => {
@@ -281,3 +282,25 @@ describe("loadOptions", () => {
     });
   });
 });
+
+describe("validateUrl", () => {
+  test("Valid, relative URL succeeds", () => {
+    const result = validateUrl("/docs/foo");
+    expect(result).toEqual("/docs/foo");
+  });
+
+  test("Fully qualified URL shouldn't pass", () => {
+    const result = validateUrl("https://www.twilio.com/docs/foo");
+    expect(result).toEqual("");
+  });
+
+  test("JavaScript URL shouldn't pass", () => {
+    const result = validateUrl("javascript:alert('hi')");
+    expect(result).toEqual("");
+  });
+
+  test("Injection attempt should get sanitized", () => {
+    const result = validateUrl(`"; window.alert("hi"); //`);
+    expect(result).toEqual("/%22;%20window.alert(%22hi%22);%20//");
+  });
+});

src/utils.ts

@@ -96,3 +96,26 @@ export function getFallbackRawUrl(
   const base = `${protocol}//${hostHeader ? hostHeader : "localhost"}`;
   return new URL(path, base);
 }
+
+export function validateUrl(
+  urlString: string,
+  fallbackUrl: string = ""
+): string {
+  const lowerUrl = urlString.toLowerCase();
+  if (
+    lowerUrl.includes("javascript:") ||
+    lowerUrl.includes("http:") ||
+    lowerUrl.includes("https:")
+  ) {
+    return fallbackUrl;
+  }
+
+  let urlObject: URL;
+  try {
+    urlObject = new URL(urlString, "http://example.com");
+  } catch (err) {
+    return fallbackUrl;
+  }
+
+  return urlObject.toString().substring(18);
+}