fix: validate loginRedirect cookie to prevent open redirect (#7923)

The loginRedirect cookie value was used directly in res.redirect() and window.location.replace() without validation, allowing redirection to arbitrary external URLs. Added validation to ensure the redirect target is a relative path before use. Co-authored-by: kolega.dev <faizan@kolega.ai>
1 week ago · 7ae6635d16
parent 6ae53bf1bd
commit 7ae6635d16
2 changed files with 20 additions and 8 deletions
--- a/client/components/login.vue
+++ b/client/components/login.vue
@ -644,16 +644,22 @@ export default {
        Cookies.set('jwt', respObj.jwt, { expires: 365, secure: window.location.protocol === 'https:' })
        _.delay(() => {
          const loginRedirect = Cookies.get('loginRedirect')
+          const isValidRedirect = loginRedirect && loginRedirect.startsWith('/') && !loginRedirect.startsWith('//') && !loginRedirect.includes('://')
          if (loginRedirect === '/' && respObj.redirect) {
            Cookies.remove('loginRedirect')
            window.location.replace(respObj.redirect)
-          } else if (loginRedirect) {
+          } else if (isValidRedirect) {
            Cookies.remove('loginRedirect')
            window.location.replace(loginRedirect)
-          } else if (respObj.redirect) {
-            window.location.replace(respObj.redirect)
          } else {
-            window.location.replace('/')
+            if (loginRedirect) {
+              Cookies.remove('loginRedirect')
+            }
+            if (respObj.redirect) {
+              window.location.replace(respObj.redirect)
+            } else {
+              window.location.replace('/')
+            }
          }
        }, 1000)
      }
--- a/server/controllers/auth.js
+++ b/server/controllers/auth.js
@ -73,16 +73,22 @@ router.all('/login/:strategy/callback', async (req, res, next) => {
    res.cookie('jwt', authResult.jwt, commonHelper.getCookieOpts())

    const loginRedirect = req.cookies['loginRedirect']
+    const isValidRedirect = loginRedirect && loginRedirect.startsWith('/') && !loginRedirect.startsWith('//') && !loginRedirect.includes('://')
    if (loginRedirect === '/' && authResult.redirect) {
      res.clearCookie('loginRedirect')
      res.redirect(authResult.redirect)
-    } else if (loginRedirect) {
+    } else if (isValidRedirect) {
      res.clearCookie('loginRedirect')
      res.redirect(loginRedirect)
-    } else if (authResult.redirect) {
-      res.redirect(authResult.redirect)
    } else {
-      res.redirect('/')
+      if (loginRedirect) {
+        res.clearCookie('loginRedirect')
+      }
+      if (authResult.redirect) {
+        res.redirect(authResult.redirect)
+      } else {
+        res.redirect('/')
+      }
    }
  } catch (err) {
    next(err)