Merge pull request #959 from weseek/support/open-redirect

prevention from open redirect

src/server/routes/login-passport.js

@@ -4,6 +4,7 @@ module.exports = function(crowi, app) {
   const debug = require('debug')('growi:routes:login-passport');
   const logger = require('@alias/logger')('growi:routes:login-passport');
   const passport = require('passport');
+  const { URL } = require('url');
   const ExternalAccount = crowi.model('ExternalAccount');
   const passportService = crowi.passportService;
 
@@ -24,7 +25,19 @@ module.exports = function(crowi, app) {
     const jumpTo = req.session.jumpTo;
     if (jumpTo) {
       req.session.jumpTo = null;
-      return res.redirect(jumpTo);
+
+      // prevention from open redirect
+      try {
+        const redirectUrl = new URL(jumpTo, `${req.protocol}://${req.get('host')}`);
+        if (redirectUrl.hostname === req.hostname) {
+          return res.redirect(redirectUrl);
+        }
+        logger.warn('Requested redirect URL is invalid, redirect to root page');
+      }
+      catch (err) {
+        logger.warn('Requested redirect URL is invalid, redirect to root page', err);
+        return res.redirect('/');
+      }
     }
 
     return res.redirect('/');

src/server/routes/login.js

@@ -37,7 +37,19 @@ module.exports = function(crowi, app) {
     const jumpTo = req.session.jumpTo;
     if (jumpTo) {
       req.session.jumpTo = null;
-      return res.redirect(jumpTo);
+
+      // prevention from open redirect
+      try {
+        const redirectUrl = new URL(jumpTo, `${req.protocol}://${req.get('host')}`);
+        if (redirectUrl.hostname === req.hostname) {
+          return res.redirect(redirectUrl);
+        }
+        logger.warn('Requested redirect URL is invalid, redirect to root page');
+      }
+      catch (err) {
+        logger.warn('Requested redirect URL is invalid, redirect to root page', err);
+        return res.redirect('/');
+      }
     }
 
     return res.redirect('/');