-
Notifications
You must be signed in to change notification settings - Fork 162
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Browse files
Browse the repository at this point in the history
* Fix the nextUrl validation test and test url path using regex Signed-off-by: Craig Perkins <[email protected]> * Update nextUrl validation regex Signed-off-by: Craig Perkins <[email protected]> * Add missing tests Signed-off-by: Craig Perkins <[email protected]> * Combine url split to single line Signed-off-by: Craig Perkins <[email protected]> * Update docstring Signed-off-by: Craig Perkins <[email protected]> * Simplify condition Signed-off-by: Craig Perkins <[email protected]> * Add origin on redirect Signed-off-by: Craig Perkins <[email protected]> * Remove absolute url on redirect Signed-off-by: Craig Perkins <[email protected]> * Update login-page tests Signed-off-by: Craig Perkins <[email protected]> * Remove url.origin Signed-off-by: Craig Perkins <[email protected]> * Account for server base path that can be numeric Signed-off-by: Craig Perkins <[email protected]> * Update docstring Signed-off-by: Craig Perkins <[email protected]> --------- Signed-off-by: Craig Perkins <[email protected]> (cherry picked from commit a44e265) Co-authored-by: Craig Perkins <[email protected]>
- Loading branch information
1 parent
6e89c3c
commit fc4f6a2
Showing
6 changed files
with
67 additions
and
27 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -69,48 +69,54 @@ describe('test composeNextUrlQueryParam', () => { | |
describe('test validateNextUrl', () => { | ||
test('accept relative url', () => { | ||
const url = '/relative/path'; | ||
expect(validateNextUrl(url)).toEqual(undefined); | ||
expect(validateNextUrl(url, '')).toEqual(undefined); | ||
}); | ||
|
||
test('accept relative url with # and query', () => { | ||
const url = '/relative/path#hash?a=b'; | ||
expect(validateNextUrl(url)).toEqual(undefined); | ||
expect(validateNextUrl(url, undefined)).toEqual(undefined); | ||
}); | ||
|
||
test('reject url not start with /', () => { | ||
const url = 'exmaple.com/relative/path'; | ||
expect(validateNextUrl(url)).toEqual(INVALID_NEXT_URL_PARAMETER_MESSAGE); | ||
expect(validateNextUrl(url, '')).toEqual(INVALID_NEXT_URL_PARAMETER_MESSAGE); | ||
}); | ||
|
||
test('reject absolute url', () => { | ||
const url = 'https://exmaple.com/relative/path'; | ||
expect(validateNextUrl(url)).toEqual(INVALID_NEXT_URL_PARAMETER_MESSAGE); | ||
expect(validateNextUrl(url, '')).toEqual(INVALID_NEXT_URL_PARAMETER_MESSAGE); | ||
}); | ||
|
||
test('reject url starts with //', () => { | ||
const url = '//exmaple.com/relative/path'; | ||
expect(validateNextUrl(url)).toEqual(INVALID_NEXT_URL_PARAMETER_MESSAGE); | ||
expect(validateNextUrl(url, '')).toEqual(INVALID_NEXT_URL_PARAMETER_MESSAGE); | ||
}); | ||
|
||
test('accpet url has @ in query parameters', () => { | ||
const url = '/test/path?key=a@b&k2=v'; | ||
expect(validateNextUrl(url)).toEqual(undefined); | ||
expect(validateNextUrl(url, '')).toEqual(undefined); | ||
}); | ||
|
||
test('allow slash', () => { | ||
const url = '/'; | ||
expect(validateNextUrl(url)).toEqual(undefined); | ||
expect(validateNextUrl(url, '')).toEqual(undefined); | ||
}); | ||
|
||
test('allow dashboard url', () => { | ||
const url = | ||
'/_plugin/opensearch-dashboards/app/opensearch-dashboards#dashbard/dashboard-id?_g=(param=a&p=b)'; | ||
expect(validateNextUrl(url)).toEqual(undefined); | ||
expect(validateNextUrl(url, '')).toEqual(undefined); | ||
}); | ||
|
||
test('allow basePath with numbers', () => { | ||
const url = '/123/app/dashboards'; | ||
expect(validateNextUrl(url, '/123')).toEqual(undefined); | ||
}); | ||
|
||
// test cases from https://pentester.land/cheatsheets/2018/11/02/open-redirect-cheatsheet.html | ||
test('test list', () => { | ||
const urlList = [ | ||
'/\t/example.com/', | ||
'<>//Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ', | ||
'//;@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ', | ||
'/////Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/', | ||
|
@@ -624,10 +630,17 @@ describe('test validateNextUrl', () => { | |
'//XY>.7d8T\\[email protected]+@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/', | ||
'//XY>.7d8T\\[email protected]@google.com/', | ||
'//XY>.7d8T\\[email protected][email protected]/', | ||
'javascript://sub.domain.com/%0Aalert(1)', | ||
'javascript://%250Aalert(1)', | ||
'javascript://%250Aalert(1)//?1', | ||
'javascript://%250A1?alert(1):0', | ||
'%09Jav%09ascript:alert(document.domain)', | ||
'javascript://%250Alert(document.location=document.cookie)', | ||
'\\j\\av\\a\\s\\cr\\i\\pt\\:\\a\\l\\ert\\(1\\)', | ||
]; | ||
for (const url in urlList) { | ||
for (const url of urlList) { | ||
if (url) { | ||
expect(validateNextUrl(url)).toEqual(INVALID_NEXT_URL_PARAMETER_MESSAGE); | ||
expect(validateNextUrl(url, '')).toEqual(INVALID_NEXT_URL_PARAMETER_MESSAGE); | ||
} | ||
} | ||
}); | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters