fix: open redirect (#1509)

## Description ## References ### Jira-link: https://virtocommerce.atlassian.net/browse/VCST-2467 ### Artifact URL: https://vc3prerelease.blob.core.windows.net/packages/vc-theme-b2b-vue-2.12.0-pr-1509-ffb6-ffb60af3.zip
VirtoCommerce · Dec 19, 2024 · 7f0ff08 · 7f0ff08
1 parent f2dde1e
commit 7f0ff08
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 2 deletions.
diff --git a/client-app/core/utilities/common/index.test.ts b/client-app/core/utilities/common/index.test.ts
@@ -104,6 +104,18 @@ describe("getReturnUrlValue", () => {
     const result = getReturnUrlValue();
     expect(result).toBeNull();
   });
+
+  it("should return null when returnUrl points to a different hostname", () => {
+    Object.defineProperty(window, "location", {
+      configurable: true,
+      value: {
+        href: "http://example.com?returnUrl=http://malicious.com/home",
+      },
+    });
+
+    const result = getReturnUrlValue();
+    expect(result).toBeNull();
+  });
 });
 
 describe("extractHostname", () => {

diff --git a/client-app/core/utilities/common/index.ts b/client-app/core/utilities/common/index.ts
@@ -7,8 +7,16 @@ export function getBaseUrl(supportedLocales: string[]): string {
 }
 
 export function getReturnUrlValue(): string | null {
-  const { searchParams } = new URL(location.href);
-  return searchParams.get("returnUrl") || searchParams.get("ReturnUrl");
+  const { searchParams, origin, hostname } = new URL(location.href);
+  const returnUrl = searchParams.get("returnUrl") || searchParams.get("ReturnUrl");
+
+  if (returnUrl) {
+    const returnUrlObj = new URL(returnUrl, origin);
+    if (returnUrlObj.hostname === hostname) {
+      return returnUrl;
+    }
+  }
+  return null;
 }
 
 export function extractHostname(url: string) {