security: validate loginRedirect cookie to prevent open redirect

The loginRedirect cookie value was used directly in res.redirect() and window.location.replace() without validation, allowing redirection to arbitrary external URLs. Added validation to ensure the redirect target is a relative path before use.
2 weeks ago · 321a9182ed
parent 6ae53bf1bd
commit 321a9182ed
2 changed files with 20 additions and 8 deletions
--- a/client/components/login.vue
+++ b/client/components/login.vue
@ -644,16 +644,22 @@ export default {
        Cookies.set('jwt', respObj.jwt, { expires: 365, secure: window.location.protocol === 'https:' })
        _.delay(() => {
          const loginRedirect = Cookies.get('loginRedirect')
+          const isValidRedirect = loginRedirect && loginRedirect.startsWith('/') && !loginRedirect.startsWith('//') && !loginRedirect.includes('://')
          if (loginRedirect === '/' && respObj.redirect) {
            Cookies.remove('loginRedirect')
            window.location.replace(respObj.redirect)
-          } else if (loginRedirect) {
+          } else if (isValidRedirect) {
            Cookies.remove('loginRedirect')
            window.location.replace(loginRedirect)
-          } else if (respObj.redirect) {
-            window.location.replace(respObj.redirect)
          } else {
-            window.location.replace('/')
+            if (loginRedirect) {
+              Cookies.remove('loginRedirect')
+            }
+            if (respObj.redirect) {
+              window.location.replace(respObj.redirect)
+            } else {
+              window.location.replace('/')
+            }
          }
        }, 1000)
      }
--- a/server/controllers/auth.js
+++ b/server/controllers/auth.js
@ -73,16 +73,22 @@ router.all('/login/:strategy/callback', async (req, res, next) => {
    res.cookie('jwt', authResult.jwt, commonHelper.getCookieOpts())

    const loginRedirect = req.cookies['loginRedirect']
+    const isValidRedirect = loginRedirect && loginRedirect.startsWith('/') && !loginRedirect.startsWith('//') && !loginRedirect.includes('://')
    if (loginRedirect === '/' && authResult.redirect) {
      res.clearCookie('loginRedirect')
      res.redirect(authResult.redirect)
-    } else if (loginRedirect) {
+    } else if (isValidRedirect) {
      res.clearCookie('loginRedirect')
      res.redirect(loginRedirect)
-    } else if (authResult.redirect) {
-      res.redirect(authResult.redirect)
    } else {
-      res.redirect('/')
+      if (loginRedirect) {
+        res.clearCookie('loginRedirect')
+      }
+      if (authResult.redirect) {
+        res.redirect(authResult.redirect)
+      } else {
+        res.redirect('/')
+      }
    }
  } catch (err) {
    next(err)