fix: Open Redirect Vulnerability Mitigation - CWE 601 (#1963)

* Open redirect vulnerability mitigation

* Refactored Open Redirect protection to be user configurable and corrected incorrect security variable names.

Co-authored-by: danallendds <daniel.allen@friends.dds.mil>
daneallen
2020-05-29 18:24:20 -04:00
committed by GitHub
parent 4b93e04261
commit 20e6bc1a70
5 changed files with 27 additions and 3 deletions


@@ -20,6 +20,15 @@
v-card-info(color='red')
span Make sure to understand the implications before turning on / off a security feature.
v-card-text
v-switch.mt-3(
inset
label='Block Open Redirect'
color='red darken-2'
v-model='config.securityOpenRedirect'
persistent-hint
hint='Prevents user controlled URLs from directing to websites outside of your wiki. This provides Open Redirect protection.'
)
v-switch.mt-3(
inset
label='Block IFrame Embedding'
@@ -145,6 +154,7 @@ export default {
config: {
uploadMaxFileSize: 0,
uploadMaxFiles: 0,
securityOpenRedirect: true,
securityIframe: true,
securityReferrerPolicy: true,
securityTrustProxy: true,
@@ -175,6 +185,7 @@ export default {
mutation (
$uploadMaxFileSize: Int
$uploadMaxFiles: Int
$securityOpenRedirect: Boolean
$securityIframe: Boolean
$securityReferrerPolicy: Boolean
$securityTrustProxy: Boolean
@@ -188,6 +199,7 @@ export default {
updateConfig(
uploadMaxFileSize: $uploadMaxFileSize,
uploadMaxFiles: $uploadMaxFiles,
securityOpenRedirect: $securityOpenRedirect,
securityIframe: $securityIframe,
securityReferrerPolicy: $securityReferrerPolicy,
securityTrustProxy: $securityTrustProxy,
@@ -210,6 +222,7 @@ export default {
variables: {
uploadMaxFileSize: _.toSafeInteger(_.get(this.config, 'uploadMaxFileSize', 0)),
uploadMaxFiles: _.toSafeInteger(_.get(this.config, 'uploadMaxFiles', 0)),
securityOpenRedirect: _.get(this.config, 'securityOpenRedirect', false),
securityIframe: _.get(this.config, 'securityIframe', false),
securityReferrerPolicy: _.get(this.config, 'securityReferrerPolicy', false),
securityTrustProxy: _.get(this.config, 'securityTrustProxy', false),
@@ -241,6 +254,7 @@ export default {
config {
uploadMaxFileSize
uploadMaxFiles
securityOpenRedirect
securityIframe
securityReferrerPolicy
securityTrustProxy
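Review bot: The submit fallback for the new flag in the `variables` hunk fails open: the `data()` default is `securityOpenRedirect: true`, but the mutation variable uses `_.get(this.config, 'securityOpenRedirect', false)`, so a missing or unloaded value would be persisted as "protection off". This mirrors the existing `securityIframe`/`securityReferrerPolicy` lines, but for a security control a fail-closed fallback is the safer choice and keeps the two defaults consistent: `securityOpenRedirect: _.get(this.config, 'securityOpenRedirect', true),`. Whether the fallback can actually be reached depends on the config query always populating the field before save, which is not visible here. The server-side enforcement of the toggle lives in one of the other four changed files, so this hunk only shows the UI/GraphQL plumbing; the enclosing `export default {` component starts and ends outside the shown hunks.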