Open redirect mitigation PoC

This commit ditches ragec-based validation in favor of building an allow list based on URLModel prefixed routes. This is only a proof of concept, as routes do not necesarily start with a URLModel (e.g. /analytics)
intuitem · Oct 7, 2024 · 4856725 · 4856725
1 parent 614267e
commit 4856725
Showing 1 changed file with 4 additions and 2 deletions.
diff --git a/frontend/src/lib/utils/helpers.ts b/frontend/src/lib/utils/helpers.ts
@@ -1,3 +1,5 @@
+import { URL_MODEL } from './types';
+
 export function formatStringToDate(inputString: string, locale = 'en') {
 	const date = new Date(inputString);
 	return date.toLocaleDateString(locale, {
@@ -60,8 +62,8 @@ export function formatScoreValue(value: number, max_score: number, fullDonut = f
 }
 
 export function getSecureRedirect(url: any): string {
-	const SECURE_REDIRECT_URL_REGEX = /^\/[^/]/;
-	return typeof url === 'string' && SECURE_REDIRECT_URL_REGEX.test(url) ? url : '';
+	const allowedRoutePrefixes = URL_MODEL;
+	return typeof url === 'string' && allowedRoutePrefixes.includes(url.split('/')[1]) ? url : '';
 }
 
 export function darkenColor(hex: string, amount: number) {