fix: Open Redirect Vulnerability Mitigation - CWE 601 (#1963)

* Open redirect vulnerabilty mitigation

* Refacted Open Redirect to user configurable and corrected incorrect security variable names.

Co-authored-by: danallendds <daniel.allen@friends.dds.mil>

server/middlewares/security.js

@@ -13,7 +13,7 @@ module.exports = function (req, res, next) {
   req.app.disable('x-powered-by')
 
   // -> Disable Frame Embedding
-  if (WIKI.config.securityIframe) {
+  if (WIKI.config.security.securityIframe) {
     res.set('X-Frame-Options', 'deny')
   }
 
@@ -27,14 +27,20 @@ module.exports = function (req, res, next) {
   res.set('X-UA-Compatible', 'IE=edge')
 
   // -> Disables referrer header when navigating to a different origin
-  if (WIKI.config.securityReferrerPolicy) {
+  if (WIKI.config.security.securityReferrerPolicy) {
     res.set('Referrer-Policy', 'same-origin')
   }
 
   // -> Enforce HSTS
-  if (WIKI.config.securityHSTS) {
+  if (WIKI.config.security.securityHSTS) {
     res.set('Strict-Transport-Security', `max-age=${WIKI.config.securityHSTSDuration}; includeSubDomains`)
   }
 
+  // -> Prevent Open Redirect from user provided URL
+  if (WIKI.config.security.securityOpenRedirect) {
+    // Strips out all repeating / character in the provided URL
+    req.url = req.url.replace(/(\/)(?=\/*\1)/g, "")
+  }
+
   return next()
 }