[release] v0.12.2

* Mitigate open redirect vulnerability in login page Current implementation won't allow full url redirection within local origin, and will allow open redirection with href like "//google.com". Comparing redirect url's origin with current origin will ensure the two share the same protocol, hostname, and port. * Update .clabot Add catmandx to list of contributors for creating pull request
azukaar · Nov 9, 2023 · df0f19b · df0f19b
1 parent 62e0050
commit df0f19b
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 2 deletions.
diff --git a/.clabot b/.clabot
@@ -1,4 +1,4 @@
 {
-  "contributors": ["azukaar", "jwr1", "Jogai", "InterN0te"],
+  "contributors": ["azukaar", "jwr1", "Jogai", "InterN0te", "catmandx"],
   "message": "We require contributors to sign our [Contributor License Agreement](https://github.com/azukaar/Cosmos-Server/blob/master/cla.md). In order for us to review and merge your code, add yourself to the .clabot file as contributor, as a way of signing the CLA."
 }
diff --git a/client/src/utils/indexs.js b/client/src/utils/indexs.js
@@ -43,7 +43,9 @@ export const redirectTo = (url) => {
 }
 
 export const redirectToLocal = (url) => {
-  if(url.startsWith("http://") || url.startsWith("https://")) {
+  let redirectUrl = new URL(url, window.location.href);
+  let currentLocation = window.location;
+  if (redirectUrl.origin != currentLocation.origin){
     throw new Error("URL must be local");
   }
   window.location.href = url;