cal.pub0.org/packages/lib/getSafeRedirectUrl.ts

import { CONSOLE_URL, WEBAPP_URL, WEBSITE_URL } from "@calcom/lib/constants";

// It ensures that redirection URL safe where it is accepted through a query params or other means where user can change it.
export const getSafeRedirectUrl = (url = "") => {
  if (!url) {
    return null;
  }

  //It is important that this fn is given absolute URL because urls that don't start with HTTP can still deceive browser into redirecting to another domain
  if (url.search(/^https?:\/\//) === -1) {
    throw new Error("Pass an absolute URL");
  }

  const urlParsed = new URL(url);

  // Avoid open redirection security vulnerability
  if (![CONSOLE_URL, WEBAPP_URL, WEBSITE_URL].some((u) => new URL(u).origin === urlParsed.origin)) {
    url = `${WEBAPP_URL}/`;
  }

  return url;
};
Adds console url to redirection whitelist 2022-05-05 22:29:17 +00:00			`import { CONSOLE_URL, WEBAPP_URL, WEBSITE_URL } from "@calcom/lib/constants";`
Make sure that absolute URL is of WEBAPP only (#2624) 2022-04-27 14:28:36 +00:00
			`// It ensures that redirection URL safe where it is accepted through a query params or other means where user can change it.`
Fix hubspot callback (#3195) Co-authored-by: Leo Giovanetti <hello@leog.me> 2022-06-30 07:01:07 +00:00			`export const getSafeRedirectUrl = (url = "") => {`
			`if (!url) {`
			`return null;`
			`}`
Make sure returnTo is correct URL (#6189) * make sure returno is safe * More fixes 2023-01-05 19:55:55 +00:00
			`//It is important that this fn is given absolute URL because urls that don't start with HTTP can still deceive browser into redirecting to another domain`
Make sure that absolute URL is of WEBAPP only (#2624) 2022-04-27 14:28:36 +00:00			`if (url.search(/^https?:\/\//) === -1) {`
			`throw new Error("Pass an absolute URL");`
			`}`

Hotfix: Be more strict with safeRedirectUrl check (#4675) * Be more strict * Apply suggestions from code review Co-authored-by: Alex van Andel <me@alexvanandel.com> 2022-09-24 08:40:49 +00:00			`const urlParsed = new URL(url);`

Make sure that absolute URL is of WEBAPP only (#2624) 2022-04-27 14:28:36 +00:00			`// Avoid open redirection security vulnerability`
Hotfix: Be more strict with safeRedirectUrl check (#4675) * Be more strict * Apply suggestions from code review Co-authored-by: Alex van Andel <me@alexvanandel.com> 2022-09-24 08:40:49 +00:00			`if (![CONSOLE_URL, WEBAPP_URL, WEBSITE_URL].some((u) => new URL(u).origin === urlParsed.origin)) {`
Make sure that absolute URL is of WEBAPP only (#2624) 2022-04-27 14:28:36 +00:00			url = `${WEBAPP_URL}/`;
			`}`

			`return url;`
			`};`