From 17f7189dc4cf5da3917bf7d7a842208180a3e604 Mon Sep 17 00:00:00 2001
From: alokhyland
Date: Fri, 24 May 2024 14:04:33 +0530
Subject: [PATCH] WEBUI-1511: Own Code Static Scan : Open Redirect
---
 elements/routing.js | 26 +++++++++++++++++--
 .../resources/OSGI-INF/web-ui-properties.xml | 4 +++
 2 files changed, 28 insertions(+), 2 deletions(-)
diff --git a/elements/routing.js b/elements/routing.js
index 3499e5c2eb..f28c1e5003 100644
--- a/elements/routing.js
+++ b/elements/routing.js
@@ -27,6 +27,24 @@ function scrollToTop(ctx, next) {
 next();
 }
+function getTrustedDomains(path) {
+ const trustedDomains = Nuxeo && Nuxeo.UI && Nuxeo.UI.config && Nuxeo.UI.config.trustedDomains;
+ const pathUrl = new URL(path);
+ const { hostname } = pathUrl;
+ const queryParams = pathUrl.search.split('?')[1];
+ const encodepath = queryParams ? `${pathUrl.origin}?${encodeURIComponent(queryParams)}` : path;
+ if (!trustedDomains) return { encodepath, isvalidUrl: true };
+ const trustedDomainList = trustedDomains.split(',');
+ const isvalidUrl = trustedDomainList.some((url) => {
+ const isFullpath = /^http(s)?:\/\//.test(url);
+ const parsedURL = isFullpath ? url : `https://${url}`;
+ const { hostname: currentUrlhost } = new URL(parsedURL);
+ return currentUrlhost.toLowerCase() === hostname.toLowerCase();
+ });
+
+ return { encodepath, isvalidUrl };
+}
+
 function _routeAdmin(selectedAdminTab, errorPath, routeData) {
 const hasPermission = app.currentUser.isAdministrator || app.currentUser.extendedGroups.find((grp) => grp.name === 'powerusers');
@@ -37,7 +55,6 @@ function _routeAdmin(selectedAdminTab, errorPath, routeData) {
 app.showError(404, '', errorPath);
 }
 }
-
 // Routes
 page('*', scrollToTop, (ctx, next) => {
 next();
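Review bot: `getTrustedDomains` fails open — the early return `if (!trustedDomains) return { encodepath, isvalidUrl: true };` accepts any absolute URL whenever `Nuxeo.UI.config.trustedDomains` is unset or empty, which is precisely the unvalidated-redirect condition this commit sets out to close; an unconfigured allow-list should admit only the application's own origin. The rewritten target is also wrong for any URL carrying a query string: `${pathUrl.origin}?${encodeURIComponent(queryParams)}` discards the pathname and hash, and percent-encoding the whole query collapses `a=1&b=2` into one parameter named `a%3D1%26b%3D2`, so legitimate links with parameters no longer land where they should. Allow-list entries are not trimmed, and I believe `new URL('https:// b.example')` (entry written as `a.example, b.example`) throws a TypeError from inside `some()`, which would abort the whole check. Serializing the already-parsed URL (`pathUrl.href`) keeps every component intact and lets the URL parser do the host normalization, so the hand-rolled encoding can go; a short JSDoc should also state that `isvalidUrl` is true only for hosts on the comma-separated allow-list.
```javascript
function getTrustedDomains(path) {
  const trustedDomains = Nuxeo && Nuxeo.UI && Nuxeo.UI.config && Nuxeo.UI.config.trustedDomains;
  const pathUrl = new URL(path);
  // Re-serialize the parsed URL instead of rebuilding it from origin + encoded query,
  // so pathname, query and hash reach the target unchanged.
  const encodepath = pathUrl.href;
  // No allow-list configured: fail closed, permitting only the application's own origin.
  if (!trustedDomains) {
    return { encodepath, isvalidUrl: pathUrl.origin === window.location.origin };
  }
  const isvalidUrl = trustedDomains.split(',').some((entry) => {
    const trimmed = entry.trim();
    if (trimmed === '') return false;
    const candidate = /^http(s)?:\/\//.test(trimmed) ? trimmed : `https://${trimmed}`;
    return new URL(candidate).hostname === pathUrl.hostname;
  });
  return { encodepath, isvalidUrl };
}
```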
@@ -197,7 +214,12 @@ app.router = {
 }
 const isFullpath = /^http(s)?:\/\//.test(path);
 if (isFullpath) {
- window.location = path;
+ const { encodepath, isvalidUrl } = getTrustedDomains(path);
+ if (isvalidUrl) {
+ const link = document.createElement('a');
+ link.setAttribute('href', encodepath);
+ link.click();
+ }
 } else {
 page(path);
 }
diff --git a/plugin/web-ui/addon/src/main/resources/OSGI-INF/web-ui-properties.xml b/plugin/web-ui/addon/src/main/resources/OSGI-INF/web-ui-properties.xml
index 2bfce8be48..b7dfd741f3 100644
--- a/plugin/web-ui/addon/src/main/resources/OSGI-INF/web-ui-properties.xml
+++ b/plugin/web-ui/addon/src/main/resources/OSGI-INF/web-ui-properties.xml
@@ -50,5 +50,9 @@
+
+
+ ${nuxeo.trustedDomains}
+
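Review bot: When `isvalidUrl` is false the new `if (isvalidUrl) { … }` branch silently does nothing — the user gets no navigation and no message, and a blocked redirect is indistinguishable from a dead link for anyone reviewing logs; add an `else` that surfaces the block, e.g. `console.warn(`Navigation to untrusted host blocked: ${path}`);` or a route to the error page through the existing `app.showError` helper. The call `getTrustedDomains(path)` is also made without a `try/catch`, and `new URL(path)` inside it throws a TypeError for an absolute URL that passes the `^http(s)?://` regex but does not parse, so a malformed link would now throw out of the router method instead of being handled; catching that and treating it as "not trusted" keeps the path fail-closed. The enclosing `app.router` method starts and ends outside the hunk.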