From 7f0ff08bd093e4b63131c060059756e622cb3889 Mon Sep 17 00:00:00 2001 From: Maksim Naidovich Date: Thu, 19 Dec 2024 17:07:30 +0100 Subject: [PATCH] fix: open redirect (#1509) ## Description ## References ### Jira-link: https://virtocommerce.atlassian.net/browse/VCST-2467 ### Artifact URL: https://vc3prerelease.blob.core.windows.net/packages/vc-theme-b2b-vue-2.12.0-pr-1509-ffb6-ffb60af3.zip --- client-app/core/utilities/common/index.test.ts | 12 ++++++++++++ client-app/core/utilities/common/index.ts | 12 ++++++++++-- 2 files changed, 22 insertions(+), 2 deletions(-) diff --git a/client-app/core/utilities/common/index.test.ts b/client-app/core/utilities/common/index.test.ts index ad8da15986..ba6107d88d 100644 --- a/client-app/core/utilities/common/index.test.ts +++ b/client-app/core/utilities/common/index.test.ts @@ -104,6 +104,18 @@ describe("getReturnUrlValue", () => { const result = getReturnUrlValue(); expect(result).toBeNull(); }); + + it("should return null when returnUrl points to a different hostname", () => { + Object.defineProperty(window, "location", { + configurable: true, + value: { + href: "http://example.com?returnUrl=http://malicious.com/home", + }, + }); + + const result = getReturnUrlValue(); + expect(result).toBeNull(); + }); }); describe("extractHostname", () => { diff --git a/client-app/core/utilities/common/index.ts b/client-app/core/utilities/common/index.ts index 48c0c10346..6e5fa8feb0 100644 --- a/client-app/core/utilities/common/index.ts +++ b/client-app/core/utilities/common/index.ts 
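Review bot: The new test exercises only an absolute returnUrl with a different host, so the other inputs the hostname check in getReturnUrlValue has to handle stay unpinned: a protocol-relative value and a value `new URL` cannot parse. Add two sibling cases in the same shape as this one, e.g. `href: "http://example.com?returnUrl=//malicious.com/home"` expecting null, and `href: "http://example.com?returnUrl=http://"` asserting the intended result rather than letting a TypeError escape from the helper. If the cases above the hunk do not already include a same-host returnUrl that is returned unchanged, add that positive case too so the accepted path is covered. The enclosing `describe("getReturnUrlValue", …)` block starts outside the hunk.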
@@ -7,8 +7,16 @@ export function getBaseUrl(supportedLocales: string[]): string { } export function getReturnUrlValue(): string | null { - const { searchParams } = new URL(location.href); - return searchParams.get("returnUrl") || searchParams.get("ReturnUrl"); + const { searchParams, origin, hostname } = new URL(location.href); + const returnUrl = searchParams.get("returnUrl") || searchParams.get("ReturnUrl"); + + if (returnUrl) { + const returnUrlObj = new URL(returnUrl, origin); + if (returnUrlObj.hostname === hostname) { + return returnUrl; + } + } + return null; } export function extractHostname(url: string) {
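Review bot: `new URL(returnUrl, origin)` throws a TypeError when returnUrl is not parseable (a value with a scheme but no valid host, for instance), so a malformed query string now makes getReturnUrlValue throw where the old code returned the raw string, and callers that only expect `string | null` get an uncaught exception. Wrap the parse in try/catch and treat a parse failure as "no return URL". Comparing `hostname` alone also accepts a different scheme or port on the same host; if the intent is strictly same-origin, `returnUrlObj.origin === origin` is the tighter check — confirm against the callers, since the added test only covers a different host. The rewritten tail of the function is below.
```typescript
export function getReturnUrlValue(): string | null {
  // … unchanged: searchParams / returnUrl lookup …

  if (!returnUrl) {
    return null;
  }

  let returnUrlObj: URL;
  try {
    returnUrlObj = new URL(returnUrl, origin);
  } catch {
    // Unparseable value: treat as absent instead of propagating a TypeError.
    return null;
  }

  return returnUrlObj.hostname === hostname ? returnUrl : null;
}
```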