fix some redirect vulnerabilities

This commit is contained in:
Lara 2024-11-02 22:46:23 +02:00
parent abea7b3e47
commit f4c6690f1f
Signed by: laratheprotogen
GPG key ID: 5C0296EB3165F98B


@ -114,7 +114,7 @@ export function initAuth(router: express.Router) {
router.get( router.get(
"/auth/new-login", "/auth/new-login",
(req: Request, res: Response, next: NextFunction) => { (req: Request, res: Response, next: NextFunction) => {
res.cookie("redir", `${env.DASHBOARD_URL}/new/login-callback/`, { httpOnly: true }); res.cookie("redir", `/new/login-callback/`, { httpOnly: true });
next(); next();
}, },
@ -128,13 +128,13 @@ export function initAuth(router: express.Router) {
if (req.user && req.user.apiKey) { if (req.user && req.user.apiKey) {
res.redirect( res.redirect(
req.cookies.redir req.cookies.redir
? `${req.cookies.redir.toString()}?apiKey=${req.user.apiKey}` ? `${env.DASHBOARD_URL}${req.cookies.redir.toString()}?apiKey=${req.user.apiKey}`
: `${env.DASHBOARD_URL}/login-callback/?apiKey=${req.user.apiKey}`, : `${env.DASHBOARD_URL}/login-callback/?apiKey=${req.user.apiKey}`,
); );
} else { } else {
res.redirect( res.redirect(
req.cookies.redir req.cookies.redir
? `${req.cookies.redir.toString()}?error=noAccess` ? `${env.DASHBOARD_URL}${req.cookies.redir.toString()}?error=noAccess`
: `${env.DASHBOARD_URL}/login-callback/?error=noAccess`, : `${env.DASHBOARD_URL}/login-callback/?error=noAccess`,
); );
} }
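Review bot: Prefixing `env.DASHBOARD_URL` to `req.cookies.redir` on the two `res.redirect` lines does not make the destination trustworthy, because the cookie is still supplied by the client; a crafted value can presumably still move the final URL off the dashboard host or append its own path and query, and since the apiKey travels in that query string this is the exact leak the commit set out to close. Accept the cookie only when it is a string that is a same-origin absolute path (one leading `/`, not `//` or `/\`), and fall back to `/login-callback/` otherwise, which also drops the `.toString()` call on an unvalidated value. The guard is the same for the apiKey and the noAccess branch, so compute it once above the `if`. `initAuth` and the enclosing callback handler begin outside this hunk.
```typescript
// … unchanged: handler signature and preceding lines …
const redirCookie = req.cookies.redir;
// Cookie is client-controlled: allow only an absolute path on this origin (no scheme, no "//" or "/\").
const redirPath =
  typeof redirCookie === "string" && /^\/(?![/\\])/.test(redirCookie)
    ? redirCookie
    : "/login-callback/";
if (req.user && req.user.apiKey) {
  res.redirect(`${env.DASHBOARD_URL}${redirPath}?apiKey=${req.user.apiKey}`);
} else {
  res.redirect(`${env.DASHBOARD_URL}${redirPath}?error=noAccess`);
}
```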