
fix(clerk-js): Directory traversal relative URL detection #4483

Merged
merged 7 commits into from
Nov 6, 2024

Conversation

BRKalow
Member

@BRKalow BRKalow commented Nov 4, 2024

Description

Checklist

  • npm test runs as expected.
  • npm run build runs as expected.
  • (If applicable) JSDoc comments have been added or updated for any package exports
  • (If applicable) Documentation has been updated

Type of change

  • 🐛 Bug fix
  • 🌟 New feature
  • 🔨 Breaking change
  • 📖 Refactoring / dependency upgrade / documentation
  • other:

changeset-bot bot commented Nov 4, 2024

🦋 Changeset detected

Latest commit: cb9f3a1

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 3 packages
Name Type
@clerk/clerk-js Patch
@clerk/chrome-extension Patch
@clerk/clerk-expo Patch



@nikosdouvlis nikosdouvlis marked this pull request as ready for review November 5, 2024 19:49
(allowedRedirectOrigins: Array<string | RegExp> | undefined) => (_url: string) => {
if (!allowedRedirectOrigins) {
return true;
export const isAllowedRedirect =
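Review bot: `isAllowedRedirect` returns `true` whenever `allowedRedirectOrigins` is undefined, so an absent allow-list fails open and every candidate URL passes; document that default in a JSDoc comment on the export (the checklist above asks for JSDoc on package exports) and consider whether callers that never configure origins should instead get a same-origin-only default, since the rest of the change is about making the origin check the real guarantee.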
Member Author
This function now deals with full URLs, instead of potentially relative URLs as well. This makes our checks more consistent, and removes situations where we treat a relative URL as okay, make it absolute, and then it ends up being problematic.
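
The full-URL approach described in the comment above, as an added JavaScript example that is not Clerk's code: every candidate string is first resolved against an assumed application origin (`https://app.example`, constructed here) with the WHATWG `URL` parser, and only the resolved origin is compared against an allow-list, so protocol-relative and dot-segment inputs are judged by where they actually land rather than by how they look. `makeIsAllowedRedirect`, `resolveRedirect`, `demo`, the allow-list entries and all sample inputs are assumptions of this example.

```javascript
// Added example, not Clerk's code. Demonstrates "check the fully resolved
// URL, not the raw string" as described in the review comment above.
// BASE_ORIGIN, the allow-list and every sample input are constructed here.

const BASE_ORIGIN = 'https://app.example'; // assumed application origin

// Resolve the caller-supplied string against the application origin using
// the WHATWG URL parser. Relative paths, dot segments and protocol-relative
// strings all become absolute URLs here, so the allow-list check below sees
// the same destination a browser would navigate to. Unparsable input yields
// null and is treated as not allowed.
function resolveRedirect(rawUrl, baseOrigin = BASE_ORIGIN) {
  try {
    return new URL(rawUrl, baseOrigin);
  } catch {
    return null;
  }
}

// Build the predicate. Same-origin destinations are always allowed once
// resolved; any other origin must match an allow-list entry, which is either
// an exact origin string or a RegExp tested against the resolved origin.
function makeIsAllowedRedirect(allowedOrigins = []) {
  return (rawUrl) => {
    const resolved = resolveRedirect(rawUrl);
    if (!resolved) return false;
    if (resolved.origin === BASE_ORIGIN) return true;
    return allowedOrigins.some((entry) =>
      entry instanceof RegExp ? entry.test(resolved.origin) : entry === resolved.origin,
    );
  };
}

// Walk a few constructed inputs and report where each one actually resolves
// and whether it passes. Returns the rows so they can be inspected.
function demo() {
  const isAllowed = makeIsAllowedRedirect([
    'https://partner.example',
    /^https:\/\/[a-z-]+\.partner\.example$/,
  ]);
  const samples = [
    '/dashboard',                     // plain relative path, same origin
    '/docs/../../settings',           // dot segments, still same origin after normalisation
    '//other.example/callback',       // protocol-relative: resolves to another origin
    '/\\other.example',               // backslash variant: WHATWG treats it like "//"
    'https://partner.example/cb',     // exact allow-list match
    'https://sso.partner.example/cb', // RegExp allow-list match
    'https://other.example/cb',       // absolute URL not on the allow-list
    'http://[',                       // unparsable input
  ];
  return samples.map((raw) => {
    const resolved = resolveRedirect(raw);
    return { raw, resolvesTo: resolved ? resolved.href : null, allowed: isAllowed(raw) };
  });
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const row of demo()) console.log(row);
}
```

The point of `demo` is the `resolvesTo` column: the two "relative-looking" inputs in the middle resolve to `https://other.example/…`, which is why a check that waves relative strings through and only later makes them absolute can be bypassed, while a check on the resolved origin rejects them without any special-casing.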

@@ -84,18 +84,38 @@ describe('isValidUrl(url,base)', () => {
});
});

describe('isRelativeUrl(url,base)', () => {
describe('isProblematicUrl(url)', () => {
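Review bot: the describe title changes from `isRelativeUrl(url,base)` to `isProblematicUrl(url)`, dropping the base argument, and the author already notes the block could use more cases; since the PR title is about directory-traversal style relative inputs, add cases that feed such strings to the single-argument `isProblematicUrl` directly, so the new function is covered on its own rather than only indirectly through the origin check on resolved URLs.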
Member Author
Could potentially do with more test cases here, but with the shift to checking against full URLs we get more guarantees from the existing origin check.

@nikosdouvlis nikosdouvlis merged commit 9557b55 into main Nov 6, 2024
6 checks passed
@nikosdouvlis nikosdouvlis deleted the brk.fix/redirect-validation branch November 6, 2024 05:25