ekzyis/stacker.news
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Return 500 if callback URL is external

Browse Source
This commit is contained in:
ekzyis 2023-05-07 13:59:19 +02:00 committed by Keyan
parent 6d1825bfc2
commit decca40c94
2 changed files with 16 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
pages/login.js
View File

@ -6,6 +6,14 @@ import Login from '../components/login'
export async function getServerSideProps ({ req, res, query: { callbackUrl, error = null } }) { export async function getServerSideProps ({ req, res, query: { callbackUrl, error = null } }) {
const session = await getSession({ req }) const session = await getSession({ req })
const regex = /^https?:\/\/stacker.news\/?/
const external = !regex.test(decodeURIComponent(callbackUrl))
if (external) {
// This is a hotfix for open redirects. See https://github.com/stackernews/stacker.news/issues/264
// TODO: Add redirect notice to warn users
return res.status(500).end()
}
if (session && res && callbackUrl) { if (session && res && callbackUrl) {
res.writeHead(302, { res.writeHead(302, {
Location: callbackUrl Location: callbackUrl

8
pages/signup.js
View File

@ -6,6 +6,14 @@ import Login from '../components/login'
export async function getServerSideProps ({ req, res, query: { callbackUrl, error = null } }) { export async function getServerSideProps ({ req, res, query: { callbackUrl, error = null } }) {
const session = await getSession({ req }) const session = await getSession({ req })
const regex = /^https?:\/\/stacker.news\/?/
const external = !regex.test(decodeURIComponent(callbackUrl))
if (external) {
// This is a hotfix for open redirects. See https://github.com/stackernews/stacker.news/issues/264
// TODO: Add redirect notice to warn users
return res.status(500).end()
}
if (session && res && callbackUrl) { if (session && res && callbackUrl) {
res.writeHead(302, { res.writeHead(302, {
Location: callbackUrl Location: callbackUrl