From 839578c45a8ac42fbc1d72105f97eab77dd3eb8a Mon Sep 17 00:00:00 2001
From: Jonathan Ginsburg
Date: Mon, 31 Jan 2022 19:41:54 -0600
Subject: [PATCH] fix(security): remove XSS vulnerability in `returnUrl` query param

The `returnUrl` query parameter can be used to execute malicious code. For example, visiting `http://localhost:9876/?return_url=javascript:alert(document.domain)` will display an alert.
---
 client/karma.js | 3 +++
 static/karma.js | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/client/karma.js b/client/karma.js
index 64264d1d0..b5a6f76b4 100644
--- a/client/karma.js
+++ b/client/karma.js
@@ -239,6 +239,9 @@ function Karma (updater, socket, iframe, opener, navigator, location, document)
 self.updater.updateTestStatus('complete')
 }
 if (returnUrl) {
+ if (!/^https?:\/\//.test(returnUrl)) {
+ throw new Error(`Security: Navigation to ${returnUrl} was blocked to prevent malicious exploits.`)
+ }
 location.href = returnUrl
 }
 }
diff --git a/static/karma.js b/static/karma.js
index b88001881..7d7e49a97 100644
--- a/static/karma.js
+++ b/static/karma.js
@@ -249,6 +249,9 @@ function Karma (updater, socket, iframe, opener, navigator, location, document)
 self.updater.updateTestStatus('complete')
 }
 if (returnUrl) {
+ if (!/^https?:\/\//.test(returnUrl)) {
+ throw new Error(`Security: Navigation to ${returnUrl} was blocked to prevent malicious exploits.`)
+ }
 location.href = returnUrl
 }
 }
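Review bot: The scheme check `/^https?:\/\//` in the client/karma.js hunk rejects relative return URLs (`/`, `./report.html`) and upper-case schemes (`HTTP://`) that the pre-patch code accepted, so a same-origin path now ends in the throw instead of a navigation; the identical hunk in static/karma.js has the same issue. Parsing instead of regex-matching avoids both: `const target = new URL(returnUrl, location.href)` followed by `if (target.protocol !== 'http:' && target.protocol !== 'https:') { throw new Error(...) }` resolves relative paths against the current page and normalises scheme case, and `URL` itself throws on unparseable input. The check is also only a scheme allowlist, so any http(s) destination is still followed; if returnUrl is intended to stay on the Karma server, additionally compare `target.origin` with `location.origin` and keep the raw value out of the error text. Whether the injected `location` argument always carries `href`/`origin` is not visible here, and the enclosing Karma function starts and ends outside the hunk.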