Use better sanitiser.

2026-04-24 16:25:15 +02:00 · 2023-09-06 14:06:16 +01:00
parent 87364137df
commit a02f373e79
2 changed files with 18 additions and 6 deletions
--- a/javascript/ql/src/Security/CWE-601/examples/ServerSideUrlRedirectGood2.js
+++ b/javascript/ql/src/Security/CWE-601/examples/ServerSideUrlRedirectGood2.js
@@ -1,13 +1,19 @@
 const app = require("express")();

-function isRelativePath(path) {
-  return !/^(\w+:)?[/\\]{2}/.test(path);
+function isLocalUrl(path) {
+  try {
+    return (
+      new URL(path, "https://example.com").origin === "https://example.com"
+    );
+  } catch (e) {
+    return false;
+  }
 }

 app.get("/redirect", function (req, res) {
  // GOOD: check that we don't redirect to a different host
  let target = req.query["target"];
-  if (isRelativePath(target)) {
+  if (isLocalUrl(target)) {
    res.redirect(target);
  } else {
    res.redirect("/");
--- a/javascript/ql/test/query-tests/Security/CWE-601/ServerSideUrlRedirect/ServerSideUrlRedirectGood2.js
+++ b/javascript/ql/test/query-tests/Security/CWE-601/ServerSideUrlRedirect/ServerSideUrlRedirectGood2.js
@@ -1,13 +1,19 @@
 const app = require("express")();

-function isRelativePath(path) {
-  return !/^(\w+:)?[/\\]{2}/.test(path);
+function isLocalUrl(path) {
+  try {
+    return (
+      new URL(path, "https://example.com").origin === "https://example.com"
+    );
+  } catch (e) {
+    return false;
+  }
 }

 app.get("/redirect", function (req, res) {
  // GOOD: check that we don't redirect to a different host
  let target = req.query["target"];
-  if (isRelativePath(target)) {
+  if (isLocalUrl(target)) {
    res.redirect(target);
  } else {
    res.redirect("/");