Hotfix: Be more strict with safeRedirectUrl check#4675

Merged
emrysal merged 3 commits into main from hotfix/security-issue-callback
Sep 24, 2022

Conversation

Member

@hariombalhara hariombalhara commented Sep 23, 2022

It assumes that the following URLs are in the format https://example.com (which is the origin of a website). .env.example confirms it. But if someone has accidentally used something like https://example.com/ (note the terminating slash), then safeRedirectUrl would return the WebApp URL.

CONSOLE_URL
WEBAPP_URL
WEBSITE_URL

[Screenshot 2022-09-23 at 12:31:23 PM]

For more details refer to internal thread: https://twist.com/a/195135/ch/589886/t/3786075/


vercel bot commented Sep 23, 2022

The latest updates on your projects.

Name Status Preview Updated
cal ✅ Ready (Inspect) Visit Preview Sep 24, 2022 at 7:44AM (UTC)

@hariombalhara hariombalhara changed the title Be more strict Hotfix: Be more strict with safeRedirectUrl check Sep 23, 2022
throw new Error("Pass an absolute URL");
}

const urlParsed = new URL(url);
Member Author


safe to parse with URL because earlier check has ensured it is an absolute URL
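As an added illustration of the trailing-slash failure from the PR description and the absolute-URL precheck quoted above (example code, not cal.com's own safeRedirectUrl): a hypothetical naive check compares the parsed origin against the raw configured string and falls back to the web-app URL whenever the configured value carries a trailing slash, while the strict version normalises both sides through URL and compares origins. ALLOWED_URLS, WEBAPP_URL and the function names are assumptions.

```javascript
// Added example, not cal.com's code. ALLOWED_URLS stands in for
// CONSOLE_URL / WEBAPP_URL / WEBSITE_URL; the second entry carries the
// accidental trailing slash discussed in the PR.
const WEBAPP_URL = "https://app.example.com";
const ALLOWED_URLS = [
  "https://console.example.com",
  "https://app.example.com/", // trailing slash: the misconfiguration
  "https://example.com",
];

function requireAbsolute(url) {
  if (!url.startsWith("http://") && !url.startsWith("https://")) {
    throw new Error("Pass an absolute URL");
  }
  // Safe to parse: the check above guarantees an absolute URL.
  return new URL(url);
}

// Brittle: compares the parsed origin to the raw configured string, so
// "https://app.example.com/" never equals the origin "https://app.example.com"
// and every redirect to the web app falls back to WEBAPP_URL.
function safeRedirectUrlNaive(url, allowed = ALLOWED_URLS) {
  const parsed = requireAbsolute(url);
  return allowed.some((u) => u === parsed.origin) ? url : `${WEBAPP_URL}/`;
}

// Strict: parse both sides and compare `origin` (scheme + host + port).
// Trailing slashes, paths and host case are normalised away, while a
// lookalike host, a different scheme or a different port still fails closed.
function safeRedirectUrlStrict(url, allowed = ALLOWED_URLS) {
  const parsed = requireAbsolute(url);
  const ok = allowed.some((u) => new URL(u).origin === parsed.origin);
  return ok ? url : `${WEBAPP_URL}/`;
}
```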

Co-authored-by: Alex van Andel <me@alexvanandel.com>
@emrysal emrysal merged commit 24635af into main Sep 24, 2022
@emrysal emrysal deleted the hotfix/security-issue-callback branch September 24, 2022 08:40
@PeerRich PeerRich added the core area: core, team members only label Jul 24, 2023