fix(client): validate url to improve security

This commit is contained in:
syuilo 2023-02-09 18:01:12 +09:00
parent 6641b13b4c
commit 70fe23a3ce
2 changed files with 3 additions and 1 deletions


@ -77,6 +77,8 @@ export default defineComponent({
accepted() { accepted() {
this.state = 'accepted'; this.state = 'accepted';
if (this.session.app.callbackUrl) { if (this.session.app.callbackUrl) {
const url = new URL(this.session.app.callbackUrl);
if (['javascript:', 'file:', 'data:', 'mailto:', 'tel:'].includes(url.protocol)) throw new Error('invalid url');
location.href = `${this.session.app.callbackUrl}?token=${this.session.token}`; location.href = `${this.session.app.callbackUrl}?token=${this.session.token}`;
} }
}, onLogin(res) { }, onLogin(res) {
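Review bot: The new check on the line after `const url = new URL(this.session.app.callbackUrl);` is a denylist, so any scheme that is not on the list is still accepted as a redirect target that carries the session token; an allowlist is the safer shape, `if (!['http:', 'https:'].includes(url.protocol)) throw new Error('invalid url');`, and the same point applies to the check in the second file, whose hunk shows the allowlist form on one side and the denylist on the other. The parsed `url` is then discarded and the redirect is built by appending `?token=` to the raw string, which produces a second `?` when the callback already carries a query; using the parsed object, `url.searchParams.set('token', this.session.token); location.href = url.href;`, matches what the second file does with `cbUrl.searchParams.set`. In both files `state = 'accepted'` is assigned before the validation can throw, so a rejected callback leaves the component in the accepted state; the check belongs before the state change. `new URL()` also throws a TypeError on a malformed callbackUrl, which neither method catches, so the caller should expect that failure mode. accepted() is shown in full here, but onLogin starts on the last hunk line and continues outside it.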


@ -70,7 +70,7 @@ async function accept(): Promise<void> {
state = 'accepted'; state = 'accepted';
if (props.callback) { if (props.callback) {
const cbUrl = new URL(props.callback); const cbUrl = new URL(props.callback);
if (!['http:', 'https:'].includes(cbUrl.protocol)) throw new Error('invalid url'); if (['javascript:', 'file:', 'data:', 'mailto:', 'tel:'].includes(cbUrl.protocol)) throw new Error('invalid url');
cbUrl.searchParams.set('session', props.session); cbUrl.searchParams.set('session', props.session);
location.href = cbUrl.href; location.href = cbUrl.href;
} }