Skip to content

Commit

Permalink
fix(redirects): lock down redirect attempts, fixes #619
Browse files Browse the repository at this point in the history
  • Loading branch information
MrSwitch committed Sep 16, 2021
1 parent d51d745 commit 544e5ea
Show file tree
Hide file tree
Showing 2 changed files with 69 additions and 1 deletion.
9 changes: 8 additions & 1 deletion src/hello.js
Original file line number Diff line number Diff line change
Expand Up @@ -1413,7 +1413,14 @@ hello.utils.extend(hello.utils, {

function isValidUrl(url) {
var regexp = /^https?:/;
return regexp.test(url);
return regexp.test(url)

// If `HELLOJS_REDIRECT_URL` is defined in the window context, validate that the URL matches it.
&& (
!Object.prototype.hasOwnProperty.call(window, 'HELLOJS_REDIRECT_URL')
||
url.match(window.HELLOJS_REDIRECT_URL)
);
}

// Trigger a callback to authenticate
Expand Down
61 changes: 61 additions & 0 deletions tests/specs/unit/utils/responseHandler.js
Original file line number Diff line number Diff line change
Expand Up @@ -92,6 +92,67 @@ describe('utils.responseHandler', function() {
expect(spy.args[0][0]).to.match(/redirect_uri=/);
});

it('should redirect to page_uri', function() {
_state.page_uri = 'https://example.com';

_window.location = mockLocation('http://adodson.com/redirect.html?state=' + JSON.stringify(_state));

var spy = sinon.spy();
_window.location.assign = spy;

utils.responseHandler(_window, _parent);

// Should redirect to page_uri
expect(spy.args[0][0]).to.match(/https:\/\/example.com/);
});

// Prevent Client Side redirects using HELLOJS_REDIRECT_URL
[undefined, 'https://', 'https://example.com', /^https:\/\/(www.)?example.com/].forEach(HELLOJS_REDIRECT_URL => {

var PAGE_URI = 'https://example.com/path';

it(`should redirect to page_uri ${PAGE_URI} if 'HELLOJS_REDIRECT_URL=${HELLOJS_REDIRECT_URL}'`, function() {

_state.page_uri = PAGE_URI;

_window.location = mockLocation('http://adodson.com/redirect.html?state=' + JSON.stringify(_state));

var spy = sinon.spy();
_window.location.assign = spy;

if (HELLOJS_REDIRECT_URL !== undefined) {
_window.HELLOJS_REDIRECT_URL = HELLOJS_REDIRECT_URL;
}

utils.responseHandler(_window, _parent);

// Should redirect to page_uri
expect(spy.args[0][0]).to.eql(PAGE_URI);
});
});

[false, 'http://', 'https://anotherdomain.com'].forEach(HELLOJS_REDIRECT_URL => {

var PAGE_URI = 'https://example.com/path';

it(`should not redirect to page_uri ${PAGE_URI} if 'HELLOJS_REDIRECT_URL=${HELLOJS_REDIRECT_URL}'`, function() {
_state.page_uri = PAGE_URI;

_window.location = mockLocation('http://adodson.com/redirect.html?state=' + JSON.stringify(_state));

var spy = sinon.spy();
_window.location.assign = spy;

_window.HELLOJS_REDIRECT_URL = HELLOJS_REDIRECT_URL;

utils.responseHandler(_window, _parent);

// Should not redirect to anywhere
expect(spy.notCalled);
});
});


it('should return the access_token to the parent if the current window location contains a access_token and a state parameter containing a callback and network', function() {

var spy = sinon.spy();
Expand Down

0 comments on commit 544e5ea

Please sign in to comment.