vikejs / vike

🔨 Flexible, lean, community-driven, dependable, fast Vite-based frontend framework.
https://vike.dev
MIT License
4.39k stars 352 forks

createHttpResponseRedirect susceptible to Path-Based Cross-Site Scripting (xss) #1949

Closed martijndirksen closed 2 weeks ago

martijndirksen commented 2 weeks ago

Description

I noticed that the procedure for creating an HTTP redirect response also includes a hidden paragraph containing the URL that is being redirected towards. However, this is exploitable with path-based XSS, as the URL is placed in the output without any filtering.

See the excerpt below:

function createHttpResponseRedirect(
  { url, statusCode }: UrlRedirect,
  // The URL we assume the redirect to be logically based on
  urlLogical: string
): HttpResponse {
  assertNoInfiniteHttpRedirect(url, urlLogical)
  assert(url)
  assert(statusCode)
  assert(300 <= statusCode && statusCode <= 399)
  const headers: ResponseHeaders = [['Location', url]]
  return createHttpResponse(
    statusCode,
    'text/html;charset=utf-8',
    headers,
    // For bots / programmatic crawling: show what's going on.
    // For users: showing a blank page is probably better than a flickering text.
    // Note: `url` is interpolated into the HTML body without escaping.
    `<p style="display: none">Redirecting to ${url}</p><script>console.log('This HTTP response was generated by Vike.')</script>`
  )
}

Some of the response redirection is triggered by URL normalization as well, so it can be hard to prevent this from a user perspective. Is it possible to sanitize the URL before placing it in the response? Or just omit it altogether?
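A hardened form of the redirect body described above, as an added example that is neither vike's code nor the fix brillout shipped: the URL is escaped for the HTML text context before interpolation, while the `Location` header keeps the raw value. The types `UrlRedirect`, `HttpResponse` and `ResponseHeaders` are minimal stand-ins assumed here, and `countTags` is a hypothetical helper for checking the result.

```typescript
// Added example, not vike's code: the redirect body from the issue with the
// URL escaped for an HTML text context. Types are minimal stand-ins.
type ResponseHeaders = [string, string][]
type UrlRedirect = { url: string; statusCode: number }
type HttpResponse = {
  statusCode: number
  contentType: string
  headers: ResponseHeaders
  body: string
}

// Escape the characters that can change parsing context in HTML text or
// attribute values. Nothing else in the URL needs touching for this sink.
function escapeHtml(s: string): string {
  const map: Record<string, string> = {
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }
  return s.replace(/[&<>"']/g, (c) => map[c])
}

// Vulnerable body, as in the issue: raw `url` interpolated into HTML.
function buildBodyUnsafe(url: string): string {
  return `<p style="display: none">Redirecting to ${url}</p>` +
    `<script>console.log('This HTTP response was generated by Vike.')</script>`
}

// Hardened variant: same output shape, but `url` cannot open a tag.
function createHttpResponseRedirectSafe({ url, statusCode }: UrlRedirect): HttpResponse {
  if (!url) throw new Error('redirect url is required')
  if (!(300 <= statusCode && statusCode <= 399)) throw new Error('status must be 3xx')
  // The Location header is not an HTML context; it carries the URL as-is.
  const headers: ResponseHeaders = [['Location', url]]
  const body = `<p style="display: none">Redirecting to ${escapeHtml(url)}</p>` +
    `<script>console.log('This HTTP response was generated by Vike.')</script>`
  return { statusCode, contentType: 'text/html;charset=utf-8', headers, body }
}

// Hypothetical check helper: number of tag openers in a body. The redirect
// page legitimately contains exactly four (<p>, </p>, <script>, </script>);
// any more means the URL broke out of the text node.
function countTags(html: string): number {
  return (html.match(/<\/?[a-z]/gi) || []).length
}

// Constructed sample path, the kind of input the issue describes.
const samplePath = '/docs/</p><script>alert(1)</script>'
```

Running `countTags` over both bodies for `samplePath` shows the difference: the unsafe body contains seven tag openers, the escaped one only the four the template itself emits.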

brillout commented 2 weeks ago

Fix pre-released as 0.4.200-commit-ac84558. Thank you for the bug report @martijndirksen!