Skip to content

Commit

Permalink
fix(security): remove XSS vulnerability in returnUrl query param
Browse files Browse the repository at this point in the history
The `returnUrl` query parameter can be used to execute malicious code. For
example, visiting
`http://localhost:9876/?return_url=javascript:alert(document.domain)` will
display an alert.
  • Loading branch information
Jonathan Ginsburg committed Feb 1, 2022
1 parent db53785 commit 839578c
Show file tree
Hide file tree
Showing 2 changed files with 6 additions and 0 deletions.
3 changes: 3 additions & 0 deletions client/karma.js
Original file line number Diff line number Diff line change
Expand Up @@ -239,6 +239,9 @@ function Karma (updater, socket, iframe, opener, navigator, location, document)
self.updater.updateTestStatus('complete')
}
if (returnUrl) {
if (!/^https?:\/\//.test(returnUrl)) {
throw new Error(`Security: Navigation to ${returnUrl} was blocked to prevent malicious exploits.`)
}
location.href = returnUrl
}
}
Expand Down
3 changes: 3 additions & 0 deletions static/karma.js
Original file line number Diff line number Diff line change
Expand Up @@ -249,6 +249,9 @@ function Karma (updater, socket, iframe, opener, navigator, location, document)
self.updater.updateTestStatus('complete')
}
if (returnUrl) {
if (!/^https?:\/\//.test(returnUrl)) {
throw new Error(`Security: Navigation to ${returnUrl} was blocked to prevent malicious exploits.`)
}
location.href = returnUrl
}
}
Expand Down

0 comments on commit 839578c

Please sign in to comment.