Return 500 if callback URL is external

2023-05-07 13:59:19 +02:00 · 2023-05-07 13:59:19 +02:00 · decca40c94
parent 6d1825bfc2
commit decca40c94
2 changed files with 16 additions and 0 deletions
--- a/pages/login.js
+++ b/pages/login.js
@ -6,6 +6,14 @@ import Login from '../components/login'
 export async function getServerSideProps ({ req, res, query: { callbackUrl, error = null } }) {
  const session = await getSession({ req })

+  const regex = /^https?:\/\/stacker.news\/?/
+  const external = !regex.test(decodeURIComponent(callbackUrl))
+  if (external) {
+    // This is a hotfix for open redirects. See https://github.com/stackernews/stacker.news/issues/264
+    // TODO: Add redirect notice to warn users
+    return res.status(500).end()
+  }
+
  if (session && res && callbackUrl) {
    res.writeHead(302, {
      Location: callbackUrl
--- a/pages/signup.js
+++ b/pages/signup.js
@ -6,6 +6,14 @@ import Login from '../components/login'
 export async function getServerSideProps ({ req, res, query: { callbackUrl, error = null } }) {
  const session = await getSession({ req })

+  const regex = /^https?:\/\/stacker.news\/?/
+  const external = !regex.test(decodeURIComponent(callbackUrl))
+  if (external) {
+    // This is a hotfix for open redirects. See https://github.com/stackernews/stacker.news/issues/264
+    // TODO: Add redirect notice to warn users
+    return res.status(500).end()
+  }
+
  if (session && res && callbackUrl) {
    res.writeHead(302, {
      Location: callbackUrl