graphile / starter

Opinionated SaaS quick-start with pre-built user account and organization system for full-stack application development in React, Node.js, GraphQL and PostgreSQL. Powered by PostGraphile, TypeScript, Apollo Client, Graphile Worker, Graphile Migrate, GraphQL Code Generator, Ant Design and Next.js
https://graphile-starter.herokuapp.com

Login/registration vulnerable to malicious redirect to third-party sites #320

Closed fnimick closed 1 year ago

fnimick commented 1 year ago

Summary

The isSafe function in login does not correctly detect protocol-relative URLs and may redirect to third-party sites.

Steps to reproduce

Login at https://graphile-starter.herokuapp.com/login?next=%2F%2Fgoogle.com and observe that you are redirected to Google post-login.

Expected results

Invalid third-party site URL in query param should be ignored.

Actual results

User is redirected to third-party site.
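The defect described in the report is that a "next" value such as `//google.com` passes a check meant to accept only local paths. The following is an added example of how such a check can be written so that protocol-relative targets are rejected; it is not code from the graphile/starter project, and `safeNextPath`, the fallback argument and the `APP_ORIGIN` placeholder are assumptions made for the example. Rather than pattern-matching on the string, it resolves the candidate against the application's own origin with the WHATWG URL parser and accepts it only if the resolved origin is unchanged; this catches `//host` and, because the parser treats a backslash like a slash for http(s) URLs, `/\host` as well, and it re-emits only the path, query and fragment so nothing but a same-origin path can reach the redirect.

```typescript
// Added example (not the starter's own code): accept a `next` redirect target
// only when it resolves to a path on the application's own origin.
const APP_ORIGIN = "https://app.example"; // assumption: placeholder origin

/**
 * Returns a same-origin path to redirect to after login, or `fallback` when
 * `next` is missing, malformed, or would leave the application origin.
 * `next` is typed `unknown` because query parameters may arrive as a string,
 * an array of strings, or undefined.
 */
function safeNextPath(next: unknown, fallback: string = "/"): string {
  if (typeof next !== "string" || next.length === 0) {
    return fallback;
  }
  // A local path must begin with "/"; absolute URLs and scheme-prefixed
  // values are rejected before any parsing happens.
  if (!next.startsWith("/")) {
    return fallback;
  }
  // Resolve relative to the app origin. Protocol-relative ("//host") and
  // backslash ("/\host") forms both resolve to a different origin here.
  let resolved: URL | null = null;
  try {
    resolved = new URL(next, APP_ORIGIN);
  } catch {
    // Unparseable input: fall through to the fallback below.
  }
  if (resolved === null || resolved.origin !== APP_ORIGIN) {
    return fallback;
  }
  // Re-emit only path, query and fragment so no scheme or host survives.
  return resolved.pathname + resolved.search + resolved.hash;
}

// Constructed inputs for a stand-alone run.
const samples: unknown[] = [
  "/dashboard?tab=1#top", // accepted as-is
  "//google.com",         // the value from this report: rejected
  "/\\google.com",        // backslash variant: rejected
  "https://evil.example", // absolute URL (constructed host): rejected
  ["/a"],                 // array-valued query parameter: rejected
  undefined,              // missing parameter: fallback
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", safeNextPath(s));
}
```

Applying the same function on both the server redirect and the client-side post-login routing closes the gap the thread goes on to describe, since a server-side fix alone leaves the client path unchecked.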

benjie commented 1 year ago

Good catch; would you like to send a PR?

benjie commented 1 year ago

PR raised here: https://github.com/graphile/starter/pull/321

fnimick commented 1 year ago

This isn't actually resolved, at least in my testing - navigating to https://graphile-starter.herokuapp.com/login?next=%2F%2Fgoogle.com still redirects to Google post-login. I think this is happening client side in the post-login routing code.