From 3beec33efe35ca59f1b71d39d00bd6a4ee64a0f9 Mon Sep 17 00:00:00 2001
From: kilemensi
Date: Wed, 4 Oct 2023 09:50:38 +0300
Subject: [PATCH 1/3] Fix security issue
---
 .../src/pages/api/v1/draft/disable-draft.js | 5 +++++
 .../src/pages/api/v1/draft/index.page.js | 12 ++++++++++--
 2 files changed, 15 insertions(+), 2 deletions(-)
 create mode 100644 apps/charterafrica/src/pages/api/v1/draft/disable-draft.js
diff --git a/apps/charterafrica/src/pages/api/v1/draft/disable-draft.js b/apps/charterafrica/src/pages/api/v1/draft/disable-draft.js
new file mode 100644
index 000000000..39febffb5
--- /dev/null
+++ b/apps/charterafrica/src/pages/api/v1/draft/disable-draft.js
@@ -0,0 +1,5 @@
+// By default, the Draft Mode session ends when the browser is closed.
+// This method clears it manually / on demand.
+export default function handler(req, res) {
+ res.setDraftMode({ enable: false });
+}
diff --git a/apps/charterafrica/src/pages/api/v1/draft/index.page.js b/apps/charterafrica/src/pages/api/v1/draft/index.page.js
index 33bdc28f7..1c8385e03 100644
--- a/apps/charterafrica/src/pages/api/v1/draft/index.page.js
+++ b/apps/charterafrica/src/pages/api/v1/draft/index.page.js
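Review bot: The new handler in disable-draft.js never completes the response: `res.setDraftMode({ enable: false })` only sets the draft cookie, and the function then returns without `res.end()` or a redirect, so the client request hangs until the framework times it out. Add an explicit terminator after the call, e.g. `res.status(200).end();`, or redirect the editor back to the page they came from. Separately, `req.method` is not checked; if this route is meant to be triggered from an "exit preview" control, restricting it to POST would keep a plain cross-site link from silently ending an editor's preview session.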
@@ -3,10 +3,18 @@ export default async function handler(req, res) {
 // make sure the user requesting to preview, is logged into Payload
 // See "Tip" on: https://payloadcms.com/docs/authentication/overview#token-based-auth
 if (!req.user) {
- return res.status(500).json({ message: "UNAUTHORIZED_USER" });
+ return res.status(401).json({ message: "UNAUTHORIZED_USER" });
 }
 const { slug } = req.query;
 res.setDraftMode({ enable: true });
- return res.redirect(slug);
+ // Guard against open redirect vulnerabilities
+ // Since slug will be a path, redirect to pathname instead of original slug
+ // just in case
+ const appUrl = new URL(process.env.NEXT_PUBLIC_APP_URL);
+ const requestedUrl = new URL(slug, appUrl);
+ if (requestedUrl.origin !== appUrl.origin) {
+ return res.status(401).json({ message: "UNAUTHORIZED_REDIRECT" });
+ }
+ return res.redirect(requestedUrl.pathname);
 }
From 277e087e9409e33ff6a5a85eeb055893636b9825 Mon Sep 17 00:00:00 2001
From: kilemensi
Date: Wed, 4 Oct 2023 09:56:13 +0300
Subject: [PATCH 2/3] Bump charterafrica version 0.1.9 -> 0.1.10
---
 apps/charterafrica/contrib/dokku/Dockerfile | 2 +-
 apps/charterafrica/package.json | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/apps/charterafrica/contrib/dokku/Dockerfile b/apps/charterafrica/contrib/dokku/Dockerfile
index 96ea957bc..3886afd27 100644
--- a/apps/charterafrica/contrib/dokku/Dockerfile
+++ b/apps/charterafrica/contrib/dokku/Dockerfile
@@ -1 +1 @@
-FROM codeforafrica/charterafrica-ui:0.1.9
+FROM codeforafrica/charterafrica-ui:0.1.10
diff --git a/apps/charterafrica/package.json b/apps/charterafrica/package.json
index a18844b8c..0c0bf33f9 100644
--- a/apps/charterafrica/package.json
+++ b/apps/charterafrica/package.json
@@ -1,6 +1,6 @@
 {
 "name": "charterafrica",
- "version": "0.1.9",
+ "version": "0.1.10",
 "private": true,
 "author": "Code for Africa ",
 "description": "This is the official code for https://charter.africa site",
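Review bot: Draft mode is switched on before the redirect target is validated: `res.setDraftMode({ enable: true });` still runs on the context line above the new guard, so a request that is rejected with `UNAUTHORIZED_REDIRECT` nonetheless leaves the client with the draft cookie set. Move that line below the origin check so the cookie is only issued on the success path. The guard also has no failure handling: `new URL(slug, appUrl)` throws a `TypeError` on an unparseable `slug` (and `new URL(process.env.NEXT_PUBLIC_APP_URL)` throws when the variable is unset), which surfaces as an unhandled 500, and a missing `slug` is `undefined`, which `new URL` quietly resolves to the path `/undefined` instead of being rejected; a `try/catch` around the two constructors plus an explicit `if (typeof slug !== "string")` check, both answering 400, would cover these. A disallowed target is a malformed request rather than an authentication failure, so 400 reads better than 401 there too. The handler's signature is in the hunk header context, outside the hunk.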
From 71e28c4a2aafa615bfbf99ef96813521c7a20950 Mon Sep 17 00:00:00 2001
From: kilemensi
Date: Wed, 4 Oct 2023 10:31:12 +0300
Subject: [PATCH 3/3] Move disable-draft outside /draft
---
 .../api/v1/{draft/disable-draft.js => disable-draft.page.js} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename apps/charterafrica/src/pages/api/v1/{draft/disable-draft.js => disable-draft.page.js} (100%)
diff --git a/apps/charterafrica/src/pages/api/v1/draft/disable-draft.js b/apps/charterafrica/src/pages/api/v1/disable-draft.page.js
similarity index 100%
rename from apps/charterafrica/src/pages/api/v1/draft/disable-draft.js
rename to apps/charterafrica/src/pages/api/v1/disable-draft.page.js