Skip to content
This repository has been archived by the owner on Oct 1, 2024. It is now read-only.

Prevent XSS attack using /auth/enable_cookies #1455

Merged
merged 3 commits into from
May 23, 2020
Merged

Prevent XSS attack using /auth/enable_cookies #1455

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
114ce1b
Prevent XSS attack using /auth/enable_cookies
seamusabshere May 23, 2020
4b7179e
2 more spots
seamusabshere May 23, 2020
8cce0f8
found another one
seamusabshere May 23, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 4 additions & 4 deletions packages/koa-shopify-auth/src/auth/client/request-storage-access.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,10 +3,10 @@ const requestStorageAccess = (shop: string, prefix = '') => {
return `(function() {
function redirect() {
var targetInfo = {
myshopifyUrl: "https://${shop}",
hasStorageAccessUrl: "${prefix}/auth/inline?shop=${shop}",
doesNotHaveStorageAccessUrl: "${prefix}/auth/enable_cookies?shop=${shop}",
appTargetUrl: "/?shop=${shop}"
myshopifyUrl: "https://${encodeURIComponent(shop)}",
hasStorageAccessUrl: "${prefix}/auth/inline?shop=${encodeURIComponent(shop)}",
doesNotHaveStorageAccessUrl: "${prefix}/auth/enable_cookies?shop=${encodeURIComponent(shop)}",
appTargetUrl: "/?shop=${encodeURIComponent(shop)}"
}

if (window.top == window.self) {
Expand Down
2 changes: 1 addition & 1 deletion packages/koa-shopify-auth/src/auth/client/top-level-interaction.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ const topLevelInteraction = (shop: string, prefix = '') => {
return `(function() {
function setUpTopLevelInteraction() {
var TopLevelInteraction = new ITPHelper({
redirectUrl: "${prefix}/auth?shop=${shop}",
redirectUrl: "${prefix}/auth?shop=${encodeURIComponent(shop)}",
});

TopLevelInteraction.execute();
Expand Down
2 changes: 1 addition & 1 deletion packages/koa-shopify-auth/src/auth/create-enable-cookies.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -40,7 +40,7 @@ export default function createEnableCookies({

<script>
window.apiKey = "${apiKey}";
window.shopOrigin = "https://${shop}";
window.shopOrigin = "https://${encodeURIComponent(shop)}";
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should the https:// be part of the encodeURIComponent call as well?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i'm pretty sure "shop" always comes back as foo.myshopify.com

a couple years ago, @ragalie did this

3284be1#diff-a15b7c0928331371cc40785dd637c644R16

which is a different way of fixing this, in a different place

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🤔 I think it's okay since we only want to encode the value coming from the user

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That makes sense 👍


${itpHelper}
${topLevelInteraction(shop, prefix)}
Expand Down
2 changes: 1 addition & 1 deletion packages/koa-shopify-auth/src/auth/create-request-storage-access.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -39,7 +39,7 @@ export default function createRequestStorageAccess({

<script>
window.apiKey = "${apiKey}";
window.shopOrigin = "https://${shop}";
window.shopOrigin = "https://${encodeURIComponent(shop)}";
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same thing here.

${itpHelper}
${storageAccessHelper}
${requestStorageAccess(shop, prefix)}
Expand Down