Framework fix for open redirect vulnerability

Manny · Manny · commit fad8fbae824a · 2021-03-23T20:43:39.000+08:00
diff --git a/core/Web.js b/core/Web.js
@@ -122,6 +122,9 @@ class Web {
     }
 
     this.app = express();
+
+    fixOpenRedirect(this);
+
     this.events = {};
     this.modelCache = new Object();
     this.plugins = [];
@@ -763,6 +766,42 @@ function defaultRedirectToHttpsMiddleware(req, res) {
   res.end();
 }
 
+function fixOpenRedirect(web) {
+  // Fix for open redirect security
+  let redirectSafe = web.app.response.redirect;
+  web.app.response.redirectSafe = function(url) {
+    return redirectSafe.call(this, url);
+  }
+
+  var addHostOnceFlag = true;
+
+  web.app.response.redirect = function(url) {
+  
+    if (url.indexOf('://') != -1) {
+
+      let req = this.req;
+
+      if (addHostOnceFlag) {
+        var host = req.protocol + '://' + req.headers.host;
+        web.conf.allowedRedirectHosts.push(host);
+        addHostOnceFlag = false;
+        console.log("Added host once: " + host);
+      }
+
+      const found = web.conf.allowedRedirectHosts.find(el => url.indexOf(el) == 0);
+
+      if (!found) {
+        var ip = web.utils.getClientIp(req);
+
+        console.warn("Open redirect was triggered: ", req.method, req.user ? req.user.email : "unsigned user", ip, "accessed", req.url, req.headers['user-agent']);
+        throw new Error("Action not allowed.");
+      }
+
+    }
+    return redirectSafe.call(this, url);
+  }
+}
+
 
 function startServer(web, cb) {
 
diff --git a/core/conf/conf-default.js b/core/conf/conf-default.js
@@ -11,6 +11,7 @@ module.exports = function(webSel) {
 
     dataDir: 'data',
     tmpDir: 'data/tmp',
+    allowedRedirectHosts: [],
 
     extendWeb: {
       enabled: true,
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "oils",
-  "version": "7.8.6",
+  "version": "8.0.0",
   "description": "A slightly opinionated web framework built on top of Express 4.",
   "keywords": [
     "OilsJs",
@@ -41,7 +41,7 @@
     "method-override": "~3.0.0",
     "moment": "~2.24.0",
     "moment-timezone": "^0.5.27",
-    "mongoose": "^5.10.6",
+    "mongoose": "^5.12.2",
     "nanoid": "^3.1.20",
     "nomnom": "1.8.x",
     "nunjucks": "^3.2.1",
