fix: Open Redirect Vulnerability Mitigation - CWE 601 (#1963)

* Open redirect vulnerability mitigation

* Refactored Open Redirect to be user-configurable and corrected incorrect security variable names.

Co-authored-by: danallendds <daniel.allen@friends.dds.mil>
daneallen
2020-05-29 18:24:20 -04:00
committed by GitHub
parent 4b93e04261
commit 20e6bc1a70
5 changed files with 27 additions and 3 deletions


@@ -67,6 +67,7 @@ module.exports = {
}
WIKI.config.security = {
securityOpenRedirect: _.get(args, 'securityOpenRedirect', WIKI.config.security.securityOpenRedirect),
securityIframe: _.get(args, 'securityIframe', WIKI.config.security.securityIframe),
securityReferrerPolicy: _.get(args, 'securityReferrerPolicy', WIKI.config.security.securityReferrerPolicy),
securityTrustProxy: _.get(args, 'securityTrustProxy', WIKI.config.security.securityTrustProxy),
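Review bot: `_.get(args, 'securityOpenRedirect', …)` falls back to the stored value only when the argument is `undefined`, so an explicit `null` (which the nullable `Boolean` mutation argument appears to permit) would overwrite the setting with a falsy value. If the redirect check treats a falsy flag as "protection off", which is not visible in this section, that would silently disable the mitigation. Consider accepting only real booleans, e.g. `securityOpenRedirect: _.isBoolean(args.securityOpenRedirect) ? args.securityOpenRedirect : WIKI.config.security.securityOpenRedirect,`; the neighbouring security flags follow the same pattern and would benefit from the same guard. The enclosing resolver starts and ends outside the hunk.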


@@ -36,6 +36,7 @@ type SiteMutation {
featurePageRatings: Boolean
featurePageComments: Boolean
featurePersonalWikis: Boolean
securityOpenRedirect: Boolean
securityIframe: Boolean
securityReferrerPolicy: Boolean
securityTrustProxy: Boolean
@@ -67,6 +68,7 @@ type SiteConfig {
featurePageRatings: Boolean!
featurePageComments: Boolean!
featurePersonalWikis: Boolean!
securityOpenRedirect: Boolean!
securityIframe: Boolean!
securityReferrerPolicy: Boolean!
securityTrustProxy: Boolean!
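Review bot: The name `securityOpenRedirect` does not say whether `true` turns the mitigation on or permits open redirects, and neither the `SiteMutation` argument nor the `SiteConfig` field carries a description. Add a schema description to both, for example `"When true, redirects to external hosts are stripped (CWE-601 mitigation)."`, adjusted to the actual semantics, which are not visible in this section. Because the `SiteConfig` field is `Boolean!`, it is also worth confirming that installs upgraded from an earlier version receive a default for this key, preferably the protective one, so the query never resolves the field to null.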