juice-shop

1
/*
2
 * Copyright (c) 2014-2024 Bjoern Kimminich & the OWASP Juice Shop contributors.
3
 * SPDX-License-Identifier: MIT
4
 */
5

6
import utils = require('../lib/utils')
7
import challengeUtils = require('../lib/challengeUtils')
8
import { type Request, type Response, type NextFunction } from 'express'
9
import { challenges } from '../data/datacache'
10

11
const security = require('../lib/insecurity')
12

13
module.exports = function performRedirect () {
14
  return ({ query }: Request, res: Response, next: NextFunction) => {
15
    const toUrl: string = query.to as string
16
    if (security.isRedirectAllowed(toUrl)) {
17
      challengeUtils.solveIf(challenges.redirectCryptoCurrencyChallenge, () => { return toUrl === 'https://explorer.dash.org/address/Xr556RzuwX6hg5EGpkybbv5RanJoZN17kW' || toUrl === 'https://blockchain.info/address/1AbKfgvw9psQ41NbLi8kufDQTezwG8DRZm' || toUrl === 'https://etherscan.io/address/0x0f933ab9fcaaa782d0279c300d73750e1311eae6' })
18
      challengeUtils.solveIf(challenges.redirectChallenge, () => { return isUnintendedRedirect(toUrl) })
19
      res.redirect(toUrl)
20
    } else {
21
      res.status(406)
22
      next(new Error('Unrecognized target URL for redirect: ' + toUrl))
23
    }
24
  }
25
}
26

27
function isUnintendedRedirect (toUrl: string) {
28
  let unintended = true
29
  for (const allowedUrl of security.redirectAllowlist) {
30
    unintended = unintended && !utils.startsWith(toUrl, allowedUrl)
31
  }
32
  return unintended
33
}
34