Merge pull request #6 from change/chris/fix-domain-vulnerability

Fix domain vulnerability
change · Jun 4, 2019 · f1d68a2 · f1d68a2
2 parents 54f4d5f + 8f294cb
commit f1d68a2
Show file tree

Hide file tree

Showing 4 changed files with 14 additions and 4 deletions.
diff --git a/api/store.js b/api/store.js
@@ -37,13 +37,18 @@ class HttpError extends Error {
 }
 
 async function validate(longUrl) {
-  let host;
+  let parsed;
   debugLog(`validating longUrl ${longUrl}`);
   try {
-    ({ host } = url.parse(longUrl));
+    parsed = url.parse(longUrl);
   } catch (ex) {
     throw new HttpError(400, 'Not a valid URL');
   }
+  const { host, path } = parsed;
+  if (path.charAt(0) !== '/') {
+    // Disallow anything with a doctored path
+    throw new HttpError(400, 'Not a valid URL for shortening');
+  }
   const suffixMatcher = suffix => suffix === host || endsWith(host, `.${suffix}`);
   if (!find(domainSafeList, suffixMatcher)) {
     throw new HttpError(400, `Not an allowed domain for shortening: ${host}`);

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@change-org/longlinks",
-  "version": "0.1.2",
+  "version": "0.1.3",
   "description": "A serverless URL shortener that leverages Amazon Lambda for short link creation, and S3 for link storage and redirection.",
   "author": "Change Engineering",
   "license": "MIT",

diff --git a/test/api.test.js b/test/api.test.js
@@ -126,6 +126,11 @@ describe('When the `url` property', () => {
     () => expectStatusForUrl('https://evildomain1.com', 400)
   );
 
+  test(
+    'even more sneakily prepends the allowed domain to a malicious domain with an encoded character',
+    () => expectStatusForUrl('https://www.domain1.com%2Eevil.com?foo=bar', 400)
+  );
+
   test(
     'contains an allowed domain string, but in the path. Nice try but still 400',
     () => expectStatusForUrl('https://www.evil.com/https://www.domain1.com', 400)