juice-shop
33 строки · 1.4 Кб
1/*
2* Copyright (c) 2014-2024 Bjoern Kimminich & the OWASP Juice Shop contributors.
3* SPDX-License-Identifier: MIT
4*/
5
6import utils = require('../lib/utils')
7import challengeUtils = require('../lib/challengeUtils')
8import { type Request, type Response, type NextFunction } from 'express'
9import { challenges } from '../data/datacache'
10
11const security = require('../lib/insecurity')
12
13module.exports = function performRedirect () {
14return ({ query }: Request, res: Response, next: NextFunction) => {
15const toUrl: string = query.to as string
16if (security.isRedirectAllowed(toUrl)) {
17challengeUtils.solveIf(challenges.redirectCryptoCurrencyChallenge, () => { return toUrl === 'https://explorer.dash.org/address/Xr556RzuwX6hg5EGpkybbv5RanJoZN17kW' || toUrl === 'https://blockchain.info/address/1AbKfgvw9psQ41NbLi8kufDQTezwG8DRZm' || toUrl === 'https://etherscan.io/address/0x0f933ab9fcaaa782d0279c300d73750e1311eae6' })
18challengeUtils.solveIf(challenges.redirectChallenge, () => { return isUnintendedRedirect(toUrl) })
19res.redirect(toUrl)
20} else {
21res.status(406)
22next(new Error('Unrecognized target URL for redirect: ' + toUrl))
23}
24}
25}
26
27function isUnintendedRedirect (toUrl: string) {
28let unintended = true
29for (const allowedUrl of security.redirectAllowlist) {
30unintended = unintended && !utils.startsWith(toUrl, allowedUrl)
31}
32return unintended
33}
34