From 3beec33efe35ca59f1b71d39d00bd6a4ee64a0f9 Mon Sep 17 00:00:00 2001
From: kilemensi
Date: Wed, 4 Oct 2023 09:50:38 +0300
Subject: [PATCH] Fix security issue

---
 .../src/pages/api/v1/draft/disable-draft.js | 5 +++++
 .../src/pages/api/v1/draft/index.page.js | 12 ++++++++++--
 2 files changed, 15 insertions(+), 2 deletions(-)
 create mode 100644 apps/charterafrica/src/pages/api/v1/draft/disable-draft.js

diff --git a/apps/charterafrica/src/pages/api/v1/draft/disable-draft.js b/apps/charterafrica/src/pages/api/v1/draft/disable-draft.js
new file mode 100644
index 000000000..39febffb5
--- /dev/null
+++ b/apps/charterafrica/src/pages/api/v1/draft/disable-draft.js
@@ -0,0 +1,5 @@
+// By default, the Draft Mode session ends when the browser is closed.
+// This method clears it manually / on demand.
+export default function handler(req, res) {
+ res.setDraftMode({ enable: false });
+}
diff --git a/apps/charterafrica/src/pages/api/v1/draft/index.page.js b/apps/charterafrica/src/pages/api/v1/draft/index.page.js
index 33bdc28f7..1c8385e03 100644
--- a/apps/charterafrica/src/pages/api/v1/draft/index.page.js
+++ b/apps/charterafrica/src/pages/api/v1/draft/index.page.js
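Review bot: The handler in disable-draft.js clears draft mode but never finishes the response, so the request hangs until the client gives up; add `res.end();` (or `res.status(200).json({ message: "DRAFT_MODE_DISABLED" });`) right after `res.setDraftMode({ enable: false });`. The sibling route is named `index.page.js`, which suggests this project registers only `.page.js` files as pages/API routes — if so, `disable-draft.js` would never be served; confirm against the Next config before merging. Unlike index.page.js this handler has no `req.user` check; if that is deliberate (it only removes access), a short header comment saying so, e.g. `// No auth check: this endpoint only revokes the caller's own draft session.`, would stop a later reader from "fixing" it.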
@@ -3,10 +3,18 @@ export default async function handler(req, res) {
 // make sure the user requesting to preview, is logged into Payload
 // See "Tip" on: https://payloadcms.com/docs/authentication/overview#token-based-auth
 if (!req.user) {
- return res.status(500).json({ message: "UNAUTHORIZED_USER" });
+ return res.status(401).json({ message: "UNAUTHORIZED_USER" });
 }
 const { slug } = req.query;
 res.setDraftMode({ enable: true });
- return res.redirect(slug);
+ // Guard against open redirect vulnerabilities
+ // Since slug will be a path, redirect to pathname instead of original slug
+ // just in case
+ const appUrl = new URL(process.env.NEXT_PUBLIC_APP_URL);
+ const requestedUrl = new URL(slug, appUrl);
+ if (requestedUrl.origin !== appUrl.origin) {
+ return res.status(401).json({ message: "UNAUTHORIZED_REDIRECT" });
+ }
+ return res.redirect(requestedUrl.pathname);
 }
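Review bot: The origin guard on the new lines runs after `res.setDraftMode({ enable: true });`, so a request whose `slug` points off-origin is refused with 401 yet still enables draft mode on the response; move the `res.setDraftMode` call below the `if (requestedUrl.origin !== appUrl.origin)` check so draft mode is only turned on once the redirect target has been accepted. A rejected redirect target is a bad request rather than an authentication failure, so `return res.status(400).json({ message: "INVALID_REDIRECT" });` fits the new `401` for `UNAUTHORIZED_USER` better than reusing 401 here. `slug` is read from `req.query`, which yields an array when the parameter is repeated and `undefined` when it is absent; `new URL(slug, appUrl)` silently stringifies both, so rejecting `typeof slug !== "string"` up front would keep the guard honest. `new URL(process.env.NEXT_PUBLIC_APP_URL)` throws when the variable is unset and surfaces as a 500, which is acceptable but deserves a one-line comment. The opening line of handler is outside the hunk; only its closing brace is visible here.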