From 39503b4ad7894969ccbf1bcdbd1de31d4f91b567 Mon Sep 17 00:00:00 2001
From: Timur Ercan
Date: Sat, 14 Jan 2023 16:41:53 +0100
Subject: [PATCH] test
---
 packages/lib/getSafeRedirectUrl.ts | 42 ++++++++++++++----------------
 1 file changed, 20 insertions(+), 22 deletions(-)

diff --git a/packages/lib/getSafeRedirectUrl.ts b/packages/lib/getSafeRedirectUrl.ts
index e32e94312..59c1e9cff 100644
--- a/packages/lib/getSafeRedirectUrl.ts
+++ b/packages/lib/getSafeRedirectUrl.ts
@@ -1,26 +1,24 @@
-// // import { CONSOLE_URL, WEBAPP_URL, WEBSITE_URL } from "@calcom/lib/constants";
+// It ensures that redirection URL safe where it is accepted through a query params or other means where user can change it.
+export const getSafeRedirectUrl = (url = "") => {
+ if (!url) {
+ return null;
+ }
-// // It ensures that redirection URL safe where it is accepted through a query params or other means where user can change it.
-// export const getSafeRedirectUrl = (url = "") => {
-// if (!url) {
-// return null;
-// }
+ //It is important that this fn is given absolute URL because urls that don't start with HTTP can still deceive browser into redirecting to another domain
+ if (url.search(/^https?:\/\//) === -1) {
+ throw new Error("Pass an absolute URL");
+ }
-// //It is important that this fn is given absolute URL because urls that don't start with HTTP can still deceive browser into redirecting to another domain
-// if (url.search(/^https?:\/\//) === -1) {
-// throw new Error("Pass an absolute URL");
-// }
+ const urlParsed = new URL(url);
-// const urlParsed = new URL(url);
+ // Avoid open redirection security vulnerability
+ if (
+ !["CONSOLE_URL", "WEBAPP_URL", "WEBSITE_URL"].some(
+ (u) => new URL(u).origin === urlParsed.origin
+ )
+ ) {
+ url = `${"WEBAPP_URL"}/`;
+ }
-// // Avoid open redirection security vulnerability
-// if (
-// ![CONSOLE_URL, WEBAPP_URL, WEBSITE_URL].some(
-// (u) => new URL(u).origin === urlParsed.origin
-// )
-// ) {
-// url = `${WEBAPP_URL}/`;
-// }
-
-// return url;
-// };
+
+ return url;
+};
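Review bot: The origin allowlist on the new side compares against the string literals `"CONSOLE_URL"`, `"WEBAPP_URL"` and `"WEBSITE_URL"` instead of the constants the removed import line provided, and `new URL("CONSOLE_URL")` throws a TypeError because it is not an absolute URL, so every call that passes the `^https?://` guard will now throw inside `.some()` rather than be validated, while the fallback `${"WEBAPP_URL"}/` would hand back the literal text `WEBAPP_URL/` as a redirect target. The subject line "test" suggests this may be a scratch commit, but as written it should not land. Restore the import — `import { CONSOLE_URL, WEBAPP_URL, WEBSITE_URL } from "@calcom/lib/constants";` — and use `[CONSOLE_URL, WEBAPP_URL, WEBSITE_URL].some(...)` and the template `${WEBAPP_URL}/` for the fallback. Separately, `new URL(url)` can still throw on input that matches the regex but is unparseable (e.g. `http://`), so since this value is documented as attacker-changeable query input, either catch that and return the same safe fallback or document that callers must handle the throw.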