Ensure the redirect path starts with a slash (#210)

ottokruse · web-flow · commit afeedd2dd1b4 · 2022-08-11T10:19:40.000+02:00
diff --git a/src/lambda-edge/parse-auth/index.ts b/src/lambda-edge/parse-auth/index.ts
@@ -30,7 +30,7 @@ export const handler: CloudFrontRequestHandler = async (event) => {
       cookies,
     });
     CONFIG.logger.debug("Query string and cookies are valid");
-    redirectedFromUri += requestedUri;
+    redirectedFromUri += common.ensureValidRedirectPath(requestedUri);
 
     const body = stringifyQueryString({
       grant_type: "authorization_code",
diff --git a/src/lambda-edge/refresh-auth/index.ts b/src/lambda-edge/refresh-auth/index.ts
@@ -76,9 +76,9 @@ export const handler: CloudFrontRequestHandler = async (event) => {
         location: [
           {
             key: "location",
-            value: `https://${domainName}${
-              typeof requestedUri === "string" ? requestedUri : "/"
-            }`,
+            value: `https://${domainName}${common.ensureValidRedirectPath(
+              requestedUri
+            )}`,
           },
         ],
         "set-cookie": common.generateCookieHeaders.refresh({
diff --git a/src/lambda-edge/shared/shared.ts b/src/lambda-edge/shared/shared.ts
@@ -605,3 +605,8 @@ export function generateSecret(
     .map(() => allowedCharacters[randomInt(0, allowedCharacters.length)])
     .join("");
 }
+
+export function ensureValidRedirectPath(path: unknown) {
+  if (typeof path !== "string") return "/";
+  return path.startsWith("/") ? path : `/${path}`;
+}

Original file line number	Diff line number	Diff line change
`@@ -605,3 +605,8 @@ export function generateSecret(`
`605`	`605`	`.map(() => allowedCharacters[randomInt(0, allowedCharacters.length)])`
`606`	`606`	`.join("");`
`607`	`607`	`}`
	`608`	`+`
	`609`	`+export function ensureValidRedirectPath(path: unknown) {`
	`610`	`+ if (typeof path !== "string") return "/";`
	`611`	+ return path.startsWith("/") ? path : `/${path}`;
	`612`	`+}`