From 984514d7ebdf0f76c1cc66fc24b8d98fadb97018 Mon Sep 17 00:00:00 2001 From: Riley Davis Date: Thu, 23 Mar 2017 12:46:20 -0600 Subject: [PATCH] check whitelist before redirecting --- services/users.js | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/services/users.js b/services/users.js index ac1280664..0bce64425 100644 --- a/services/users.js +++ b/services/users.js @@ -1,4 +1,5 @@ const bcrypt = require('bcrypt'); +const url = require('url'); const jwt = require('jsonwebtoken'); const Wordlist = require('./wordlist'); const errors = require('../errors'); @@ -13,6 +14,7 @@ const USER_ROLES = require('../models/user').USER_ROLES; const RECAPTCHA_WINDOW_SECONDS = 60 * 10; // 10 minutes. const RECAPTCHA_INCORRECT_TRIGGER = 5; // after 3 incorrect attempts, recaptcha will be required. +const SettingsService = require('./settings'); const ActionsService = require('./actions'); // In the event that the TALK_SESSION_SECRET is missing but we are testing, then @@ -485,8 +487,11 @@ module.exports = class UsersService { email = email.toLowerCase(); - return UserModel.findOne({profiles: {$elemMatch: {id: email}}}) - .then((user) => { + return Promise.all([ + UserModel.findOne({profiles: {$elemMatch: {id: email}}}), + SettingsService.retrieve() + ]) + .then(([user, settings]) => { if (!user) { // Since we don't want to reveal that the email does/doesn't exist @@ -495,6 +500,17 @@ module.exports = class UsersService { return; } + let redirectDomain; + try { + redirectDomain = url.parse(loc).hostname; + } catch (e) { + return Promise.reject('redirect location is invalid'); + } + + if (settings.domains.whitelist.indexOf(redirectDomain) === -1) { + return Promise.reject('redirect location is not on the list of acceptable domains'); + } + const payload = { jti: uuid.v4(), email,