parse-dashboard 8.0.0-alpha.4 → 8.0.0-alpha.6

@@ -76,12 +76,22 @@ function initialize(app, options) {
76
76
  csrf(),
77
77
  (req,res,next) => {
78
78
  let redirect = 'apps';
79
+ let originalRedirect = null;
79
80
  if (req.body.redirect) {
80
- redirect = req.body.redirect.charAt(0) === '/' ? req.body.redirect.substring(1) : req.body.redirect
81
+ originalRedirect = req.body.redirect;
82
+ // Validate redirect to prevent open redirect vulnerability
83
+ if (originalRedirect.includes('://') || originalRedirect.startsWith('//')) {
84
+ // Reject absolute URLs and protocol-relative URLs
85
+ redirect = 'apps';
86
+ originalRedirect = null;
87
+ } else {
88
+ // Strip leading slash from redirect to prevent double slashes
89
+ redirect = originalRedirect.charAt(0) === '/' ? originalRedirect.substring(1) : originalRedirect;
90
+ }
81
91
  }
82
92
  return passport.authenticate('local', {
83
93
  successRedirect: `${self.mountPath}${redirect}`,
84
- failureRedirect: `${self.mountPath}login${req.body.redirect ? `?redirect=${req.body.redirect}` : ''}`,
94
+ failureRedirect: `${self.mountPath}login${originalRedirect ? `?redirect=${originalRedirect}` : ''}`,
85
95
  failureFlash : true
86
96
  })(req, res, next)
87
97
  },
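Review bot: The redirect check at new lines 83–85 is a denylist that only looks for `://` and a leading `//`, so a value that uses a backslash where a slash is expected, which browsers normalise to `/`, still passes and is appended to `self.mountPath` in `successRedirect`; it also calls string methods on `req.body.redirect` without confirming it is a string, which would throw if the body parser can yield an array or object. I would tighten the guard to `if (typeof originalRedirect !== 'string' || originalRedirect.includes('\\') || originalRedirect.includes('://') || originalRedirect.startsWith('//')) {`. Separately, `failureRedirect` at new line 94 still interpolates the raw value into the query string; `?redirect=${encodeURIComponent(originalRedirect)}` keeps `&`, `#` and control characters from altering the URL, and the `searchParams.get('redirect')` call added in the second hunk decodes it again. The same denylist is duplicated in the `/login` GET handler in the second hunk (new lines 1074–1083) and has the same backslash gap, so one shared validation helper used by both routes would be the cleaner fix; that handler continues past the end of the visible hunk.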
@@ -1062,8 +1062,26 @@ You have direct access to the Parse database through function calls, so you can
1062
1062
  }
1063
1063
 
1064
1064
  app.get('/login', csrf(), function(req, res) {
1065
- const redirectURL = req.url.includes('?redirect=') && req.url.split('?redirect=')[1].length > 1 && req.url.split('?redirect=')[1];
1065
+ let redirectURL = null;
1066
+ try {
1067
+ const url = new URL(req.url, 'http://localhost');
1068
+ redirectURL = url.searchParams.get('redirect');
1069
+ } catch (error) {
1070
+ console.warn('Invalid URL in login redirect:', error.message);
1071
+ }
1066
1072
  if (!users || (req.user && req.user.isAuthenticated)) {
1073
+ // Validate and sanitize redirect URL to prevent open redirect vulnerability
1074
+ if (redirectURL) {
1075
+ // Reject absolute URLs and protocol-relative URLs
1076
+ if (redirectURL.includes('://') || redirectURL.startsWith('//')) {
1077
+ redirectURL = null;
1078
+ } else {
1079
+ // Strip leading slash to prevent double slashes
1080
+ if (redirectURL.charAt(0) === '/') {
1081
+ redirectURL = redirectURL.substring(1);
1082
+ }
1083
+ }
1084
+ }
1067
1085
  return res.redirect(`${mountPath}${redirectURL || 'apps'}`);
1068
1086
  }
1069
1087