fix(security): Prevent redirect to a disguised domain (#498)

Improves #496, as suggested on this report: https://huntr.dev/bounties/6b8acb0c-8b5d-461e-9b46-b1bfb5a8ccdf/
openwhyd · Dec 10, 2021 · 3870793 · 3870793
1 parent 8fa2e93
commit 3870793
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 1 deletion.
diff --git a/app/models/logging.js b/app/models/logging.js
@@ -262,7 +262,8 @@ http.ServerResponse.prototype.redirect = function (url) {
 
 http.ServerResponse.prototype.safeRedirect = function (url) {
   const fullURL = new URL(url, config.urlPrefix);
-  if (!fullURL.toString().startsWith(config.urlPrefix)) return this.forbidden();
+  if (`${fullURL.protocol}//${fullURL.host}` !== config.urlPrefix)
+    return this.forbidden();
   this.redirect(url);
 };
 

diff --git a/test/api/security.api.tests.js b/test/api/security.api.tests.js
@@ -43,5 +43,14 @@ describe('security', () => {
       });
       assert.equal(response.statusCode, 403); // forbidden
     });
+
+    it('should NOT allow redirect to a disguised domain', async () => {
+      const { jar } = await loginAs(ADMIN_USER);
+      const { response } = await postRaw(jar, `/consent`, {
+        lang: 'en',
+        redirect: `${URL_PREFIX}@google.com`,
+      });
+      assert.equal(response.statusCode, 403); // forbidden
+    });
   });
 });