feat!: validate referer to /reauth is valid

2022-05-20 15:05:29 -04:00 · 2022-05-20 15:05:29 -04:00 · 0dcaa6e150
commit 0dcaa6e150
parent e0742db22f
1 changed files with 6 additions and 2 deletions
--- a/app/server/routes.js
+++ b/app/server/routes.js
@ -10,11 +10,15 @@ const { parseBool } = require('./util');
 const config = require('./config');

 exports.reauth = function reauth(req, res) {
-  const r = req.headers.referer || '/';
+  let { referer } = req.headers;
+  console.log(`referer: ${referer}`);
+  if (!validator.isURL(referer, { host_whitelist: ['localhost'] })) referer = '/';
+  console.log(`referer: ${referer}`);
+
  res
    .status(401)
    .send(
-      `<!DOCTYPE html><html><head><meta http-equiv="refresh" content="0; url=${r}"></head><body bgcolor="#000"></body></html>`
+      `<!DOCTYPE html><html><head><meta http-equiv="refresh" content="0; url=${referer}"></head><body bgcolor="#000"></body></html>`
    );
 };