Home Explore Help
Sign In
wiki
/
weseek__growi
mirror of https://github.com/weseek/growi
2
0
Fork 0
Files Issues 0 Wiki
Tree: db919ee130
Branches Tags
weseek__growi
/
src
/
server
/
middleware
/
safe-redirect.js

safe-redirect.js 2.0 KB
History Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364 
  1. const loggerFactory = require('@alias/logger');
    2. 

  2. 

  3. const logger = loggerFactory('growi:middleware:safe-redirect');
    4. 

  4. 

  5. 

  6. /**
    7. 

  7.  * Check whether the redirect url host is in specified whitelist
    8. 

  8.  * @param {Array<string>} whitelistOfHosts
    9. 

  9.  * @param {string} redirectToFqdn
    10. 

  10.  */
    11. 

  11. function isInWhitelist(whitelistOfHosts, redirectToFqdn) {
    12. 

  12.   if (whitelistOfHosts == null || whitelistOfHosts.length === 0) {
    13. 

  13.     return false;
    14. 

  14.   }
    15. 

  15. 

  16.   const redirectUrl = new URL(redirectToFqdn);
    17. 

  17.   return whitelistOfHosts.includes(redirectUrl.hostname) || whitelistOfHosts.includes(redirectUrl.host);
    18. 

  18. }
    19. 

  19. 

  20. /**
    21. 

  21.  * Redirect with prevention from Open Redirect
    22. 

  22.  *
    23. 

  23.  * Usage: app.use(require('middleware/safe-redirect'))
    24. 

  24.  */
    25. 

  25. module.exports = (whitelistOfHosts) => {
    26. 

  26. 

  27.   return function(req, res, next) {
    28. 

  28. 

  29.     // extend res object
    30. 

  30.     res.safeRedirect = function(redirectTo) {
    31. 

  31.       if (redirectTo == null) {
    32. 

  32.         return res.redirect('/');
    33. 

  33.       }
    34. 

  34. 

  35.       try {
    36. 

  36.         // check inner redirect
    37. 

  37.         const redirectUrl = new URL(redirectTo, `${req.protocol}://${req.get('host')}`);
    38. 

  38.         if (redirectUrl.hostname === req.hostname) {
    39. 

  39.           logger.debug(`Requested redirect URL (${redirectTo}) is local.`);
    40. 

  40.           return res.redirect(redirectUrl.href);
    41. 

  41.         }
    42. 

  42.         logger.debug(`Requested redirect URL (${redirectTo}) is NOT local.`);
    43. 

  43. 

  44.         // check whitelisted redirect
    45. 

  45.         const isWhitelisted = isInWhitelist(whitelistOfHosts, redirectTo);
    46. 

  46.         if (isWhitelisted) {
    47. 

  47.           logger.debug(`Requested redirect URL (${redirectTo}) is in whitelist.`, `whitelist=${whitelistOfHosts}`);
    48. 

  48.           return res.redirect(redirectTo);
    49. 

  49.         }
    50. 

  50.         logger.debug(`Requested redirect URL (${redirectTo}) is NOT in whitelist.`, `whitelist=${whitelistOfHosts}`);
    51. 

  51.       }
    52. 

  52.       catch (err) {
    53. 

  53.         logger.warn(`Requested redirect URL (${redirectTo}) is invalid.`, err);
    54. 

  54.       }
    55. 

  55. 

  56.       logger.warn(`Requested redirect URL (${redirectTo}) is UNSAFE, redirecting to root page.`);
    57. 

  57.       return res.redirect('/');
    58. 

  58.     };
    59. 

  59. 

  60.     next();
    61. 

  61. 

  62.   };
    63. 

  63. 

  64. };
    65.