
Commit 3a6e94f

authored
Merge pull request #7027 from topcoder-platform/pm-204
fix(PM-204): open redirect issues
2 parents d2763d8 + df7dc05 commit 3a6e94f

3 files changed

+20
-5
lines changed

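--- a/src/server/routes/contentful.js
+++ b/src/server/routes/contentful.js
@@ -12,6 +12,7 @@ import {
   getService,
   getSpaceId,
   articleVote,
+  ALLOWED_DOMAINS,
 } from '../services/contentful';
 
 const cors = require('cors');
@@ -37,7 +38,11 @@ routes.use(
       version,
     } = req.params;
     const spaceId = getSpaceId(spaceName);
-    res.redirect(`https://${ASSETS_DOMAIN}/spaces/${spaceId}/environments/${environment}/${id}/${version}/${name}`);
+    if (!ALLOWED_DOMAINS.includes(ASSETS_DOMAIN)) {
+      throw new Error('Invalid domain detected!');
+    }
+    const url = new URL(`https://${ASSETS_DOMAIN}/spaces/${spaceId}/environments/${environment}/${id}/${version}/${name}`);
+    res.redirect(url.href);
   },
 );
 
@@ -52,8 +57,12 @@ routes.use(
       spaceName,
       version,
     } = req.params;
+    if (!ALLOWED_DOMAINS.includes(IMAGES_DOMAIN)) {
+      throw new Error('Invalid domain detected!');
+    }
     const spaceId = getSpaceId(spaceName);
-    res.redirect(`https://${IMAGES_DOMAIN}/spaces/${spaceId}/environments/${environment}/${id}/${version}/${name}`);
+    const url = new URL(`https://${IMAGES_DOMAIN}/spaces/${spaceId}/environments/${environment}/${id}/${version}/${name}`);
+    res.redirect(url.href);
   },
 );
 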
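Review bot: The `ALLOWED_DOMAINS.includes(ASSETS_DOMAIN)` guard added in the second hunk (and its twin for `IMAGES_DOMAIN` in the third) cannot fail, because `ASSETS_DOMAIN` is a module constant and the allowlist is built from that same constant in `services/contentful.js`, so at runtime the check is a no-op and is not what keeps the redirect on-site. What actually bounds the target is that the scheme and host are string literals; the only request-controlled parts are the `req.params` segments interpolated into the path. A check with teeth is a post-condition on the parsed URL, `if (url.host !== ASSETS_DOMAIN) throw new Error('Invalid domain detected!');` placed after `new URL(...)`, combined with wrapping each interpolated segment in `encodeURIComponent(...)` so a value containing `/`, `?` or `#` cannot reshape the path or add a query. Both route handlers start outside the hunks.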
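--- a/src/server/services/contentful.js
+++ b/src/server/services/contentful.js
@@ -21,6 +21,7 @@ const PREVIEW_URL = 'https://preview.contentful.com/spaces';
 export const ASSETS_DOMAIN = 'assets.ctfassets.net';
 export const IMAGES_DOMAIN = 'images.ctfassets.net';
 
+export const ALLOWED_DOMAINS = [ASSETS_DOMAIN, IMAGES_DOMAIN];
 const MAX_FETCH_RETRIES = 5;
 
 /**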
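Review bot: `ALLOWED_DOMAINS` is exported as a plain mutable array, so any importer can push to it and silently widen what the redirect routes in `src/server/routes/contentful.js` accept; `export const ALLOWED_DOMAINS = Object.freeze([ASSETS_DOMAIN, IMAGES_DOMAIN]);` keeps the allowlist read-only. A short comment above it, such as `// Hosts the contentful redirect routes may send the client to.`, would record why the constant exists since nothing else in this file uses it.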

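--- a/src/shared/components/TopcoderHeader/index.jsx
+++ b/src/shared/components/TopcoderHeader/index.jsx
@@ -44,6 +44,7 @@ import './style.scss';
 /* global window, document */
 
 const BASE_URL = config.URL.BASE;
+const VALID_BASE_URLS = ['https://www.topcoder-dev.com', 'https://www.topcoder.com'];
 
 const MENU = [{
   title: 'Compete',
@@ -426,9 +427,13 @@ export default class TopcoderHeader extends React.Component {
               ref={(input) => { this.searchInput = input; }}
               onKeyPress={(event) => {
                 if (event.key === 'Enter') {
-                  window.location = `${BASE_URL}/search/members?q=${
-                    encodeURIComponent(event.target.value)
-                  }`;
+                  if (!VALID_BASE_URLS.includes(BASE_URL)) {
+                    return;
+                  }
+                  const query = event.target.value.trim();
+                  const url = new URL(`${BASE_URL}/search/members`);
+                  url.searchParams.append('q', query);
+                  window.location = url.href;
                 }
               }}
               onBlur={closeSearch}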
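Review bot: The new `return` in the `onKeyPress` handler silently drops the user's search when `BASE_URL` is not one of the two hard-coded `VALID_BASE_URLS`, with no feedback and nothing logged, and since `BASE_URL` comes from build-time `config.URL.BASE` rather than from user input, any other deployment (local, staging) loses member search entirely rather than gaining protection. Consider deriving the allowlist from config, or at least `console.warn(\`Member search disabled: unexpected BASE_URL ${BASE_URL}\`);` before the `return` so the misconfiguration is visible. The `url.searchParams.append('q', query)` part is the sound half of the change: it encodes the query through the URL API instead of manual string building. The enclosing render method starts and ends outside the hunk.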
