ekzyis/stacker.news
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

slight mods to open redirect fix

Browse Source
This commit is contained in:
keyan 2023-05-07 08:33:51 -05:00
parent a396933be2
commit 8830b8ee9c
3 changed files with 10 additions and 8 deletions

4
lib/url.js

@ -5,6 +5,10 @@ export function ensureProtocol (value) {
return value return value
} }
export function isExternal (url) {
return !url.startsWith(process.env.PUBLIC_URL) && !url.startsWith('/')
}
export function removeTracking (value) { export function removeTracking (value) {
const exprs = [ const exprs = [
// twitter URLs // twitter URLs

7
pages/login.js

@ -2,16 +2,15 @@ import { providers, getSession } from 'next-auth/client'
import Link from 'next/link' import Link from 'next/link'
import LayoutStatic from '../components/layout-static' import LayoutStatic from '../components/layout-static'
import Login from '../components/login' import Login from '../components/login'
import { isExternal } from '../lib/url'
export async function getServerSideProps ({ req, res, query: { callbackUrl, error = null } }) { export async function getServerSideProps ({ req, res, query: { callbackUrl, error = null } }) {
const session = await getSession({ req }) const session = await getSession({ req })
const regex = /^https?:\/\/stacker.news\// const external = isExternal(decodeURIComponent(callbackUrl))
const external = !regex.test(decodeURIComponent(callbackUrl))
if (external) { if (external) {
// This is a hotfix for open redirects. See https://github.com/stackernews/stacker.news/issues/264 // This is a hotfix for open redirects. See https://github.com/stackernews/stacker.news/issues/264
// TODO: Add redirect notice to warn users callbackUrl = '/'
return res.status(500).end()
} }
if (session && res && callbackUrl) { if (session && res && callbackUrl) {

7
pages/signup.js

@ -2,16 +2,15 @@ import { providers, getSession } from 'next-auth/client'
import Link from 'next/link' import Link from 'next/link'
import LayoutStatic from '../components/layout-static' import LayoutStatic from '../components/layout-static'
import Login from '../components/login' import Login from '../components/login'
import { isExternal } from '../lib/url'
export async function getServerSideProps ({ req, res, query: { callbackUrl, error = null } }) { export async function getServerSideProps ({ req, res, query: { callbackUrl, error = null } }) {
const session = await getSession({ req }) const session = await getSession({ req })
const regex = /^https?:\/\/stacker.news\// const external = isExternal(decodeURIComponent(callbackUrl))
const external = !regex.test(decodeURIComponent(callbackUrl))
if (external) { if (external) {
// This is a hotfix for open redirects. See https://github.com/stackernews/stacker.news/issues/264 // This is a hotfix for open redirects. See https://github.com/stackernews/stacker.news/issues/264
// TODO: Add redirect notice to warn users callbackUrl = '/'
return res.status(500).end()
} }
if (session && res && callbackUrl) { if (session && res && callbackUrl) {