authelia/shared/BelongToDomain.ts
Clement Michaud 42581dfe93 Fix open redirection vulnerability.
In order to redirect the user after authentication, Authelia uses the
rd query parameter provided by the proxy. However, an attacker could
use phishing to get the user redirected to a bad domain. To avoid
the user being redirected to a bad location, Authelia now
verifies that the redirection URL is under the protected domain.
2018-11-17 17:48:20 +01:00



import { DomainExtractor } from "./DomainExtractor";
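/**
 * Checks whether the host of `url` is `domain` itself or a subdomain of it.
 *
 * This is the guard for the `rd` (redirect) target after authentication: a
 * redirect may only land on the protected domain. The match is done on a
 * label boundary, so `auth.example.com` belongs to `example.com` while
 * `evilexample.com` does not. The previous `indexOf` + length comparison
 * accepted that case, and also returned true when `domain` was absent from
 * the host (indexOf = -1) but the host was exactly one character shorter
 * than `domain`.
 *
 * @param url the absolute URL the user would be redirected to
 * @param domain the protected domain the redirect must stay under
 * @returns true only if the URL's host equals `domain` or ends with `"." + domain`
 */
export function BelongToDomain(url: string, domain: string): boolean {
  const urlDomain = DomainExtractor.fromUrl(url);
  // An unparseable URL (no host) or an empty protected domain is never trusted.
  if (!urlDomain || !domain) return false;
  // Exact match, or a strict subdomain separated by a dot.
  return urlDomain === domain || urlDomain.endsWith("." + domain);
}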