N21-2389 fix redirect uri (#3576)

* fix redirect formatting * use parse * add proper host * fix proper host * fix formatting * fix tests and edgecases
hpi-schul-cloud · Feb 3, 2025 · d8d085a · d8d085a
1 parent 66430bc
commit d8d085a
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 5 deletions.
diff --git a/config/global.js b/config/global.js
@@ -23,7 +23,7 @@ const {
 	FEATURE_EXTENSIONS_ENABLED,
 	SHOW_VERSION,
 	SW_ENABLED,
-	HOST,
+	HOST = 'http://localhost',
 	PORT = '3100',
 	FEATURE_ENTERTHECLOUD,
 	FEATURE_JWT_EXTENDED_TIMEOUT_ENABLED,

diff --git a/helpers/redirect.js b/helpers/redirect.js
@@ -1,12 +1,12 @@
-const url = require('url');
 const sanitizeHtml = require('sanitize-html');
+const global = require('../config/global');
 
 /**
  * Collapse leading slashes to one slash to avoid redirects to other websides
  * @param {string} redirectUrl URL to which the user should be redirected
  * @returns {string} URL without multiple leading slashes
  */
-const collapseLeadingSlashes = (redirectUrl) => redirectUrl.replace(/^\/*/, '/');
+const collapseLeadingSlashes = (redirectUrl) => redirectUrl.replace(/^\/+/, '/');
 
 /**
  * Transform given URL to valid (sanitized and relative) redirect URL
@@ -16,8 +16,13 @@ const collapseLeadingSlashes = (redirectUrl) => redirectUrl.replace(/^\/*/, '/')
 const getValidRedirect = (redirectUrl) => {
 	if (!redirectUrl) return '/';
 	const sanitizedUrl = sanitizeHtml(redirectUrl);
-	const relativeUrl = url.parse(sanitizedUrl).path || '/';
-	return collapseLeadingSlashes(relativeUrl);
+	let relativeUrl = '/';
+	const parsedUrl = URL.parse(collapseLeadingSlashes(sanitizedUrl), global.HOST);
+	if (parsedUrl) {
+		relativeUrl = parsedUrl.pathname + parsedUrl.search + parsedUrl.hash;
+	}
+
+	return relativeUrl;
 };
 
 const joinPathWithQuery = (path, paramsString) => (paramsString ? `${path}?${paramsString}` : path);