Merge pull request #174 from MarcinHoppe/strict-string-whitelisting

kmaida · web-flow · commit e368cf124443 · 2018-05-30T08:08:02.000-04:00
Add strict string domain whitelisting
diff --git a/README.md b/README.md
@@ -167,11 +167,13 @@ angular
 
       ...
 
-      whiteListedDomains: [/api-version-\d+.myapp.com$/i, 'localhost']
+      whiteListedDomains: [/^api-version-\d+\.myapp\.com$/i, 'localhost']
     });
   });
 ```
 
+Regular expressions should be as strict as possible to prevent attackers from registering their own malicious domains to bypass the whitelist.
+
 ### Not Sending the JWT for Template Requests
 
 The `tokenGetter` method can have a parameter `options` injected by angular-jwt. This parameter is the options object of the current request.
diff --git a/dist/angular-jwt.js b/dist/angular-jwt.js
@@ -148,9 +148,14 @@ angular.module('angular-jwt.interceptor', [])
         var hostname = urlUtils.urlResolve(url).hostname.toLowerCase();
         for (var i = 0; i < options.whiteListedDomains.length; i++) {
           var domain = options.whiteListedDomains[i];
-          var regexp = domain instanceof RegExp ? domain : new RegExp(domain, 'i');
-          if (hostname.match(regexp)) {
-            return true;
+          if (domain instanceof RegExp) {
+            if (hostname.match(domain)) {
+              return true;
+            }
+          } else {
+            if (hostname === domain.toLowerCase()) {
+              return true;
+            }
           }
         }
 
diff --git a/dist/angular-jwt.min.js b/dist/angular-jwt.min.js
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "angular-jwt",
-  "version": "0.1.9",
+  "version": "0.1.10",
   "description": "Library to help you work with JWTs on AngularJS",
   "main": "index.js",
   "license": "MIT",
diff --git a/src/angularJwt/services/interceptor.js b/src/angularJwt/services/interceptor.js
@@ -20,9 +20,14 @@ angular.module('angular-jwt.interceptor', [])
         var hostname = urlUtils.urlResolve(url).hostname.toLowerCase();
         for (var i = 0; i < options.whiteListedDomains.length; i++) {
           var domain = options.whiteListedDomains[i];
-          var regexp = domain instanceof RegExp ? domain : new RegExp(domain, 'i');
-          if (hostname.match(regexp)) {
-            return true;
+          if (domain instanceof RegExp) {
+            if (hostname.match(domain)) {
+              return true;
+            }
+          } else {
+            if (hostname === domain.toLowerCase()) {
+              return true;
+            }
           }
         }
 
diff --git a/test/unit/angularJwt/services/interceptorSpec.js b/test/unit/angularJwt/services/interceptorSpec.js
@@ -48,6 +48,8 @@ describe('interceptor', function() {
       $q.all([
         $http({url: 'http://Example.com/hello' }),
         $http({url: 'http://www.example.com/hello' }),
+        $http({url: 'http://wwwXexample.com/hello' }),
+        $http({url: 'http://whitelisted.example.com.evil.com/hello' }),
         $http({url: 'http://whitelisted.example.com/hello' })
       ]).then(function () {
         done();
@@ -59,6 +61,12 @@ describe('interceptor', function() {
       $httpBackend.expectGET('http://www.example.com/hello', function (headers) {
         return headers.Authorization === undefined;
       }).respond(200);
+      $httpBackend.expectGET('http://wwwXexample.com/hello', function (headers) {
+        return headers.Authorization === undefined;
+      }).respond(200);
+      $httpBackend.expectGET('http://whitelisted.example.com.evil.com/hello', function (headers) {
+        return headers.Authorization === undefined;
+      }).respond(200);
       $httpBackend.expectGET('http://whitelisted.example.com/hello', function (headers) {
         return headers.Authorization === 'Bearer 123';
       }).respond(200);
@@ -69,7 +77,7 @@ describe('interceptor', function() {
 
   it('should not add Authr headers to Cross Origin requests unless whitelisted with regexp', function (done) {
     module( function ($httpProvider, jwtOptionsProvider, jwtInterceptorProvider) {
-      jwtInterceptorProvider.whiteListedDomains = [/whitelisted(-pr-\d+)?\.Example\.com$/i]
+      jwtInterceptorProvider.whiteListedDomains = [/^whitelisted(-pr-\d+)?\.Example\.com$/i]
       jwtInterceptorProvider.tokenGetter = function() {
         return 123;
       }
@@ -80,6 +88,8 @@ describe('interceptor', function() {
       $q.all([
         $http({url: 'http://Example.com/hello' }),
         $http({url: 'http://www.example.com/hello' }),
+        $http({url: 'http://whitelisted-pr-123.example.com.evil.com/hello' }),
+        $http({url: 'http://extrawhitelisted-pr-123.example.com.evil.com/hello' }),
         $http({url: 'http://whitelisted-pr-123.example.com/hello' })
       ]).then(function () {
         done();
@@ -91,6 +101,12 @@ describe('interceptor', function() {
       $httpBackend.expectGET('http://www.example.com/hello', function (headers) {
         return headers.Authorization === undefined;
       }).respond(200);
+      $httpBackend.expectGET('http://whitelisted-pr-123.example.com.evil.com/hello', function (headers) {
+        return headers.Authorization === undefined;
+      }).respond(200);
+      $httpBackend.expectGET('http://extrawhitelisted-pr-123.example.com.evil.com/hello', function (headers) {
+        return headers.Authorization === undefined;
+      }).respond(200);
       $httpBackend.expectGET('http://whitelisted-pr-123.example.com/hello', function (headers) {
         return headers.Authorization === 'Bearer 123';
       }).respond(200);

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "angular-jwt",`
`3`		`- "version": "0.1.9",`
	`3`	`+ "version": "0.1.10",`
`4`	`4`	`"description": "Library to help you work with JWTs on AngularJS",`
`5`	`5`	`"main": "index.js",`
`6`	`6`	`"license": "MIT",`