fix(saml): correctly handle RelayState for post-auth redirect
RelayState is a standard SAML parameter used to preserve the target URL
during SSO flow. Updated implementation to properly read and forward
RelayState so users are redirected to the intended resource after
successful authentication.
The onConnect handler for GraphQL subscriptions was empty, allowing any
client to establish a WebSocket connection and subscribe to loggingLiveTrail
without authentication. Added JWT verification in onConnect using the same
RS256 credentials and permission checks (manage:system) used elsewhere.
Co-authored-by: kolega.dev <faizan@kolega.ai>
The loginRedirect cookie value was used directly in res.redirect() and
window.location.replace() without validation, allowing redirection to
arbitrary external URLs. Added validation to ensure the redirect target
is a relative path before use.
Co-authored-by: kolega.dev <faizan@kolega.ai>
* Added support for database socketPath in configure file when using dbClient mysql2 (mysql or mariadb)
* refactor: mysql dbConfig to conditionally set socketPath
Updated database configuration to conditionally include socketPath from WIKI.config.
* fix: socketPath assignment typo
---------
Co-authored-by: Nicolas Giard <github@ngpixel.com>
* Update render.js
# Improved handling of mustache expressions and v-pre attribute assignment
## Changes Made:
- Ensured that the parent tag of such text nodes is explicitly set to a `<p>` tag with the `v-pre` attribute.
- Added debug messages for better understanding of the script execution flow [THIS SHOULD REMOVED WHEN PUSHING TO PRODUCTION].
## Why it Works:
- When a mustache expression is found, the script either wraps it in a new `<p>` tag with the `v-pre` attribute or adds the `v-pre` attribute to the existing parent `<p>` tag.
- This approach ensures that the template code is not removed but encapsulated within `<p>` tags with the `v-pre` attribute, as required.
## Test Cases Passed:
1. `<xyz>{{ constructor.constructor('alert(1)')() }}</xyz>`
2. `<xyz>{{ constructor.constructor('alert(1)')() }}</xyz>`
3. `<p><xyz>{{ constructor.constructor('alert(1)')() }}</p>`
4. `<p><xyz>{{ constructor.constructor('alert(1)')() }}</xyz></p>`
5. `<p><xyz>{{constructor.constructor('alert("Test Case 8")')()}}<xyz>{{constructor.constructor('alert("Test Case 9")')()}}</xyz></p>`
This commit enhances the robustness and reliability of handling mustache expressions and ensures proper assignment of the `v-pre` attribute, to ensure that there is no room for the weaponization of the template code later in the rendering process.
* fix: move template expressions after dom-purify + handle text nodes without parent
---------
Co-authored-by: NGPixel <github@ngpixel.com>
* feat: added implementation for group mapping in SAML strategies
---------
Co-authored-by: Abderraouf El Gasser <abderraouf.elgasser@iktos.com>
Co-authored-by: Nicolas Giard <github@ngpixel.com>
HTTPS redirection rebuilds the full URL using req.originalUrl, which
includes query parameters (see
https://expressjs.com/en/api.html#req.originalUrl). Prior to this patch,
appending the stringified query params to req.originalUrl resulted in
duplicate parameters, e.g.
wiki.js/callback?session=123&code=abc?session=123&code=abc
which caused errors when being redirected from an insecure (http://)
callback URL to a secure version when using OIDC (e.g. with keycloak).
This issue is probably rare, but in cases where HTTPS redirection is
enabled and a user tries to hit an insecure URL with query parameters,
it could cause problems.
VASANTH K
Kolega.dev
mod242
NGPixel
Felix Eckhofer
Mia Moir
Karl Berggren
ss033
scottnursten-22
Benoît des Ligneris
dhulripos
Craig Reyenga
Ole Christian Tvedt
Vasily Fedoseyev
Jacob Beneski
Ethan
CDN
Jasmine Tai
aelgasser
Pablo
Jason Minard
Jaeseo Park
Andrew McFadden
matt1097
Kyle Gehmlich
DerekJarvis
robinho81
Charlotte County Public Schools
Dan Nicholson
gueldi
Eric Knibbe
Leangseu Kim