
Merge pull request #7027 from topcoder-platform/pm-204
fix(PM-204): open redirect issues
hentrymartin authored Jan 13, 2025
2 parents d2763d8 + df7dc05 commit 3a6e94f
Showing 3 changed files with 20 additions and 5 deletions.
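--- a/src/server/routes/contentful.js
+++ b/src/server/routes/contentful.js
@@ -12,6 +12,7 @@ import {
 getService,
 getSpaceId,
 articleVote,
+ALLOWED_DOMAINS,
 } from '../services/contentful';
 
 const cors = require('cors');
@@ -37,7 +38,11 @@ routes.use(
 version,
 } = req.params;
 const spaceId = getSpaceId(spaceName);
-res.redirect(`https://${ASSETS_DOMAIN}/spaces/${spaceId}/environments/${environment}/${id}/${version}/${name}`);
+if (!ALLOWED_DOMAINS.includes(ASSETS_DOMAIN)) {
+throw new Error('Invalid domain detected!');
+}
+const url = new URL(`https://${ASSETS_DOMAIN}/spaces/${spaceId}/environments/${environment}/${id}/${version}/${name}`);
+res.redirect(url.href);
 },
 );
 
@@ -52,8 +57,12 @@ routes.use(
 spaceName,
 version,
 } = req.params;
+if (!ALLOWED_DOMAINS.includes(IMAGES_DOMAIN)) {
+throw new Error('Invalid domain detected!');
+}
 const spaceId = getSpaceId(spaceName);
-res.redirect(`https://${IMAGES_DOMAIN}/spaces/${spaceId}/environments/${environment}/${id}/${version}/${name}`);
+const url = new URL(`https://${IMAGES_DOMAIN}/spaces/${spaceId}/environments/${environment}/${id}/${version}/${name}`);
+res.redirect(url.href);
 },
 );
 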
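Review bot: The allow-list check `if (!ALLOWED_DOMAINS.includes(ASSETS_DOMAIN))` compares two module constants against each other and so cannot fail at runtime; judging by the import block at the top of the first hunk, `ALLOWED_DOMAINS` is built from `ASSETS_DOMAIN` and `IMAGES_DOMAIN` in the same service module, which makes the check a no-op rather than a defence. What actually pins the redirect target is constructing the URL with a fixed scheme and host through `new URL(...)` and redirecting to `url.href`, and that deserves a comment where the redirect happens, e.g. `// scheme and host are fixed here; route params can only ever land in the path`. If a runtime host check is wanted at all, make it about the constructed URL rather than the constant: build `url` first, then `if (!ALLOWED_DOMAINS.includes(url.hostname)) { throw new Error('Invalid domain detected!'); }`, then `res.redirect(url.href);`. The same applies to the `IMAGES_DOMAIN` hunk below. Both route handlers start outside their hunks, so whether the thrown Error reaches Express's default error handler as a 500 or is caught by an async wrapper cannot be confirmed from here.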
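--- a/src/server/services/contentful.js
+++ b/src/server/services/contentful.js
@@ -21,6 +21,7 @@ const PREVIEW_URL = 'https://preview.contentful.com/spaces';
 export const ASSETS_DOMAIN = 'assets.ctfassets.net';
 export const IMAGES_DOMAIN = 'images.ctfassets.net';
 
+export const ALLOWED_DOMAINS = [ASSETS_DOMAIN, IMAGES_DOMAIN];
 const MAX_FETCH_RETRIES = 5;
 
 /**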
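Review bot: `ALLOWED_DOMAINS` is exported as a plain mutable array, so any importer can grow the allow-list at runtime with `push`; freezing it keeps the list a true constant: `export const ALLOWED_DOMAINS = Object.freeze([ASSETS_DOMAIN, IMAGES_DOMAIN]);`. A one-line comment stating its purpose would also help, e.g. `// hosts the contentful asset/image redirect routes may send clients to`, since nothing else in the hunk explains why the list exists.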
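--- a/src/shared/components/TopcoderHeader/index.jsx
+++ b/src/shared/components/TopcoderHeader/index.jsx
@@ -44,6 +44,7 @@ import './style.scss';
 /* global window, document */
 
 const BASE_URL = config.URL.BASE;
+const VALID_BASE_URLS = ['https://www.topcoder-dev.com', 'https://www.topcoder.com'];
 
 const MENU = [{
 title: 'Compete',
@@ -426,9 +427,13 @@ export default class TopcoderHeader extends React.Component {
 ref={(input) => { this.searchInput = input; }}
 onKeyPress={(event) => {
 if (event.key === 'Enter') {
-window.location = `${BASE_URL}/search/members?q=${
-encodeURIComponent(event.target.value)
-}`;
+if (!VALID_BASE_URLS.includes(BASE_URL)) {
+return;
+}
+const query = event.target.value.trim();
+const url = new URL(`${BASE_URL}/search/members`);
+url.searchParams.append('q', query);
+window.location = url.href;
 }
 }}
 onBlur={closeSearch}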
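Review bot: The guard `if (!VALID_BASE_URLS.includes(BASE_URL)) { return; }` swallows the Enter keypress silently, so on any deployment whose `config.URL.BASE` is not one of the two hard-coded origins member search simply stops working with no error or log line; a `console.warn` (or whatever logger this component uses elsewhere — not visible in the hunk) before the `return` would make that failure diagnosable. A comment on the new constant would also help, e.g. `// only navigate to known Topcoder origins; BASE_URL comes from build config, never from the user`. Note too that `` `${BASE_URL}/search/members` `` produces a double slash if the configured base ever ends in `/`, whereas `new URL('/search/members', BASE_URL)` resolves the path against the origin either way. The `onKeyPress` handler sits inside a render method that starts and ends outside the hunk.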

0 comments on commit 3a6e94f
