Adds console url to redirection whitelist

pull/2687/head
zomars 2022-05-05 16:29:17 -06:00
parent 82dfd807c8
commit 3baf7060f7
2 changed files with 6 additions and 4 deletions


@ -2,6 +2,9 @@ export const WEBAPP_URL = process.env.NEXT_PUBLIC_WEBAPP_URL || `https://${proce
/** @deprecated use `WEBAPP_URL` */
export const BASE_URL = WEBAPP_URL;
export const WEBSITE_URL = process.env.NEXT_PUBLIC_WEBSITE_URL || "https://cal.com";
export const CONSOLE_URL = WEBAPP_URL.startsWith("http://localhost")
? "http://localhost:3004"
: `https://console.cal.${process.env.VERCEL_ENV === "production" ? "com" : "dev"}`;
export const IS_PRODUCTION = process.env.NODE_ENV === "production";
export const TRIAL_LIMIT_DAYS = 14;
export const HOSTED_CAL_FEATURES = process.env.HOSTED_CAL_FEATURES || BASE_URL === "https://app.cal.com";
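Review bot: `CONSOLE_URL` is hard-coded here with no environment override, unlike `WEBAPP_URL` and `WEBSITE_URL`, and this same commit adds it to the `startsWith` allowlist in `getSafeRedirectUrl`. Any deployment whose `WEBAPP_URL` is not localhost therefore accepts redirects to `https://console.cal.com` or `https://console.cal.dev`, hosts that a self-hosted instance presumably does not control. The value also has no trailing slash, so as a string prefix it matches any URL whose host or port merely begins with it; comparing `new URL(url).origin` against the allowed origins would close that gap. I would let the value be overridden from the environment (a new variable, for example `NEXT_PUBLIC_CONSOLE_URL`) and add a comment above the constant such as `// Used in the redirect allowlist: must be an origin this deployment owns`.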


@ -1,14 +1,13 @@
import { WEBAPP_URL, WEBSITE_URL } from "@calcom/lib/constants";
import { CONSOLE_URL, WEBAPP_URL, WEBSITE_URL } from "@calcom/lib/constants";
// It ensures that redirection URL safe where it is accepted through a query params or other means where user can change it.
export const getSafeRedirectUrl = (url: string | undefined) => {
url = url || "";
export const getSafeRedirectUrl = (url: string = "") => {
if (url.search(/^https?:\/\//) === -1) {
throw new Error("Pass an absolute URL");
}
// Avoid open redirection security vulnerability
if (!url.startsWith(WEBAPP_URL) && !url.startsWith(WEBSITE_URL)) {
if (![CONSOLE_URL, WEBAPP_URL, WEBSITE_URL].some((u) => url.startsWith(u))) {
url = `${WEBAPP_URL}/`;
}