fix potential vulnerability - codeql

2022-08-22 15:39:47 -04:00 · 2022-08-22 15:39:47 -04:00 · 7d6ab7cc87
parent 551dcc5cbf
commit 7d6ab7cc87
2 changed files with 9 additions and 2 deletions
--- a/routes/login.js
+++ b/routes/login.js
@ -36,7 +36,10 @@ router.route("/")
    .post(async (request, response) => {
    const userName = request.body.userName;
    const passwordPlain = request.body.password;
-    const redirectURL = getSafeRedirectURL(request.body.redirect);
+    const unsafeRedirectURL = request.body.redirect;
+    const redirectURL = getSafeRedirectURL(typeof (unsafeRedirectURL) === "string" ?
+        unsafeRedirectURL :
+        "");
    const isAuthenticated = await authenticationFunctions.authenticate(userName, passwordPlain);
    let userObject;
    if (isAuthenticated) {
--- a/routes/login.ts
+++ b/routes/login.ts
@ -59,7 +59,11 @@ router.route("/")
        const userName = request.body.userName as string;
        const passwordPlain = request.body.password as string;

-        const redirectURL = getSafeRedirectURL(request.body.redirect);
+        const unsafeRedirectURL = request.body.redirect;
+
+        const redirectURL = getSafeRedirectURL(typeof (unsafeRedirectURL) === "string" ?
+            unsafeRedirectURL :
+            "");

        const isAuthenticated = await authenticationFunctions.authenticate(userName, passwordPlain)
        let userObject: recordTypes.User;