fix: Open Redirect Vulnerability Mitigation - CWE 601 (#1963)
* Open redirect vulnerability mitigation * Refactored Open Redirect to be user configurable and corrected incorrect security variable names. Co-authored-by: danallendds <daniel.allen@friends.dds.mil>
This commit is contained in:
parent
4b93e04261
commit
20e6bc1a70
@ -20,6 +20,15 @@
|
|||||||
v-card-info(color='red')
|
v-card-info(color='red')
|
||||||
span Make sure to understand the implications before turning on / off a security feature.
|
span Make sure to understand the implications before turning on / off a security feature.
|
||||||
v-card-text
|
v-card-text
|
||||||
|
v-switch.mt-3(
|
||||||
|
inset
|
||||||
|
label='Block Open Redirect'
|
||||||
|
color='red darken-2'
|
||||||
|
v-model='config.securityOpenRedirect'
|
||||||
|
persistent-hint
|
||||||
|
hint='Prevents user controlled URLs from directing to websites outside of your wiki. This provides Open Redirect protection.'
|
||||||
|
)
|
||||||
|
|
||||||
v-switch.mt-3(
|
v-switch.mt-3(
|
||||||
inset
|
inset
|
||||||
label='Block IFrame Embedding'
|
label='Block IFrame Embedding'
|
||||||
@ -145,6 +154,7 @@ export default {
|
|||||||
config: {
|
config: {
|
||||||
uploadMaxFileSize: 0,
|
uploadMaxFileSize: 0,
|
||||||
uploadMaxFiles: 0,
|
uploadMaxFiles: 0,
|
||||||
|
securityOpenRedirect: true,
|
||||||
securityIframe: true,
|
securityIframe: true,
|
||||||
securityReferrerPolicy: true,
|
securityReferrerPolicy: true,
|
||||||
securityTrustProxy: true,
|
securityTrustProxy: true,
|
||||||
@ -175,6 +185,7 @@ export default {
|
|||||||
mutation (
|
mutation (
|
||||||
$uploadMaxFileSize: Int
|
$uploadMaxFileSize: Int
|
||||||
$uploadMaxFiles: Int
|
$uploadMaxFiles: Int
|
||||||
|
$securityOpenRedirect: Boolean
|
||||||
$securityIframe: Boolean
|
$securityIframe: Boolean
|
||||||
$securityReferrerPolicy: Boolean
|
$securityReferrerPolicy: Boolean
|
||||||
$securityTrustProxy: Boolean
|
$securityTrustProxy: Boolean
|
||||||
@ -188,6 +199,7 @@ export default {
|
|||||||
updateConfig(
|
updateConfig(
|
||||||
uploadMaxFileSize: $uploadMaxFileSize,
|
uploadMaxFileSize: $uploadMaxFileSize,
|
||||||
uploadMaxFiles: $uploadMaxFiles,
|
uploadMaxFiles: $uploadMaxFiles,
|
||||||
|
securityOpenRedirect: $securityOpenRedirect,
|
||||||
securityIframe: $securityIframe,
|
securityIframe: $securityIframe,
|
||||||
securityReferrerPolicy: $securityReferrerPolicy,
|
securityReferrerPolicy: $securityReferrerPolicy,
|
||||||
securityTrustProxy: $securityTrustProxy,
|
securityTrustProxy: $securityTrustProxy,
|
||||||
@ -210,6 +222,7 @@ export default {
|
|||||||
variables: {
|
variables: {
|
||||||
uploadMaxFileSize: _.toSafeInteger(_.get(this.config, 'uploadMaxFileSize', 0)),
|
uploadMaxFileSize: _.toSafeInteger(_.get(this.config, 'uploadMaxFileSize', 0)),
|
||||||
uploadMaxFiles: _.toSafeInteger(_.get(this.config, 'uploadMaxFiles', 0)),
|
uploadMaxFiles: _.toSafeInteger(_.get(this.config, 'uploadMaxFiles', 0)),
|
||||||
|
securityOpenRedirect: _.get(this.config, 'securityOpenRedirect', false),
|
||||||
securityIframe: _.get(this.config, 'securityIframe', false),
|
securityIframe: _.get(this.config, 'securityIframe', false),
|
||||||
securityReferrerPolicy: _.get(this.config, 'securityReferrerPolicy', false),
|
securityReferrerPolicy: _.get(this.config, 'securityReferrerPolicy', false),
|
||||||
securityTrustProxy: _.get(this.config, 'securityTrustProxy', false),
|
securityTrustProxy: _.get(this.config, 'securityTrustProxy', false),
|
||||||
@ -241,6 +254,7 @@ export default {
|
|||||||
config {
|
config {
|
||||||
uploadMaxFileSize
|
uploadMaxFileSize
|
||||||
uploadMaxFiles
|
uploadMaxFiles
|
||||||
|
securityOpenRedirect
|
||||||
securityIframe
|
securityIframe
|
||||||
securityReferrerPolicy
|
securityReferrerPolicy
|
||||||
securityTrustProxy
|
securityTrustProxy
|
||||||
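Review bot: The hint on the new switch, `hint='Prevents user controlled URLs from directing to websites outside of your wiki. This provides Open Redirect protection.'`, promises more than the feature delivers: judging from the middleware hunk further down this page, enabling the flag only collapses repeated `/` characters in the request URL, which stops a path from resolving as a protocol-relative `//host` URL but is not a general validation of redirect targets. An administrator reading the toggle will assume redirect destinations are checked, so the wording should match the control, for example `hint='Collapses repeated slashes in request URLs so a user-supplied path cannot resolve to a protocol-relative URL on another host. Partial Open Redirect (CWE-601) protection.'`. The `config`/`variables`/query plumbing in the remaining hunks mirrors the sibling security flags and needs no change.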
|
@ -54,6 +54,7 @@ defaults:
|
|||||||
iconset: 'md'
|
iconset: 'md'
|
||||||
darkMode: false
|
darkMode: false
|
||||||
security:
|
security:
|
||||||
|
securityOpenRedirect: true
|
||||||
securityIframe: true
|
securityIframe: true
|
||||||
securityReferrerPolicy: true
|
securityReferrerPolicy: true
|
||||||
securityTrustProxy: true
|
securityTrustProxy: true
|
||||||
|
@ -67,6 +67,7 @@ module.exports = {
|
|||||||
}
|
}
|
||||||
|
|
||||||
WIKI.config.security = {
|
WIKI.config.security = {
|
||||||
|
securityOpenRedirect: _.get(args, 'securityOpenRedirect', WIKI.config.security.securityOpenRedirect),
|
||||||
securityIframe: _.get(args, 'securityIframe', WIKI.config.security.securityIframe),
|
securityIframe: _.get(args, 'securityIframe', WIKI.config.security.securityIframe),
|
||||||
securityReferrerPolicy: _.get(args, 'securityReferrerPolicy', WIKI.config.security.securityReferrerPolicy),
|
securityReferrerPolicy: _.get(args, 'securityReferrerPolicy', WIKI.config.security.securityReferrerPolicy),
|
||||||
securityTrustProxy: _.get(args, 'securityTrustProxy', WIKI.config.security.securityTrustProxy),
|
securityTrustProxy: _.get(args, 'securityTrustProxy', WIKI.config.security.securityTrustProxy),
|
||||||
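Review bot: `securityOpenRedirect: _.get(args, 'securityOpenRedirect', WIKI.config.security.securityOpenRedirect)` only falls back to the stored value when the argument is `undefined`; lodash `_.get` returns an explicit `null` as-is, and the schema hunk on this page declares the mutation argument as a nullable `Boolean`, so a client that sends `null` would persist `null` and the middleware would then treat the protection as switched off. The admin page shown above sends `false` rather than `null`, so this is only reachable from other GraphQL clients, but `securityOpenRedirect: _.defaultTo(args.securityOpenRedirect, WIKI.config.security.securityOpenRedirect)` closes it at no cost. The adjacent `securityIframe`, `securityReferrerPolicy` and `securityTrustProxy` lines carry the same pre-existing pattern. The enclosing resolver starts and ends outside the hunk.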
|
@ -36,6 +36,7 @@ type SiteMutation {
|
|||||||
featurePageRatings: Boolean
|
featurePageRatings: Boolean
|
||||||
featurePageComments: Boolean
|
featurePageComments: Boolean
|
||||||
featurePersonalWikis: Boolean
|
featurePersonalWikis: Boolean
|
||||||
|
securityOpenRedirect: Boolean
|
||||||
securityIframe: Boolean
|
securityIframe: Boolean
|
||||||
securityReferrerPolicy: Boolean
|
securityReferrerPolicy: Boolean
|
||||||
securityTrustProxy: Boolean
|
securityTrustProxy: Boolean
|
||||||
@ -67,6 +68,7 @@ type SiteConfig {
|
|||||||
featurePageRatings: Boolean!
|
featurePageRatings: Boolean!
|
||||||
featurePageComments: Boolean!
|
featurePageComments: Boolean!
|
||||||
featurePersonalWikis: Boolean!
|
featurePersonalWikis: Boolean!
|
||||||
|
securityOpenRedirect: Boolean!
|
||||||
securityIframe: Boolean!
|
securityIframe: Boolean!
|
||||||
securityReferrerPolicy: Boolean!
|
securityReferrerPolicy: Boolean!
|
||||||
securityTrustProxy: Boolean!
|
securityTrustProxy: Boolean!
|
||||||
|
@ -13,7 +13,7 @@ module.exports = function (req, res, next) {
|
|||||||
req.app.disable('x-powered-by')
|
req.app.disable('x-powered-by')
|
||||||
|
|
||||||
// -> Disable Frame Embedding
|
// -> Disable Frame Embedding
|
||||||
if (WIKI.config.securityIframe) {
|
if (WIKI.config.security.securityIframe) {
|
||||||
res.set('X-Frame-Options', 'deny')
|
res.set('X-Frame-Options', 'deny')
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -27,14 +27,20 @@ module.exports = function (req, res, next) {
|
|||||||
res.set('X-UA-Compatible', 'IE=edge')
|
res.set('X-UA-Compatible', 'IE=edge')
|
||||||
|
|
||||||
// -> Disables referrer header when navigating to a different origin
|
// -> Disables referrer header when navigating to a different origin
|
||||||
if (WIKI.config.securityReferrerPolicy) {
|
if (WIKI.config.security.securityReferrerPolicy) {
|
||||||
res.set('Referrer-Policy', 'same-origin')
|
res.set('Referrer-Policy', 'same-origin')
|
||||||
}
|
}
|
||||||
|
|
||||||
// -> Enforce HSTS
|
// -> Enforce HSTS
|
||||||
if (WIKI.config.securityHSTS) {
|
if (WIKI.config.security.securityHSTS) {
|
||||||
res.set('Strict-Transport-Security', `max-age=${WIKI.config.securityHSTSDuration}; includeSubDomains`)
|
res.set('Strict-Transport-Security', `max-age=${WIKI.config.securityHSTSDuration}; includeSubDomains`)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// -> Prevent Open Redirect from user provided URL
|
||||||
|
if (WIKI.config.security.securityOpenRedirect) {
|
||||||
|
// Strips out all repeating / character in the provided URL
|
||||||
|
req.url = req.url.replace(/(\/)(?=\/*\1)/g, "")
|
||||||
|
}
|
||||||
|
|
||||||
return next()
|
return next()
|
||||||
}
|
}
|
||||||
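Review bot: `req.url = req.url.replace(/(\/)(?=\/*\1)/g, "")` rewrites the whole of `req.url` for every request, query string included, so any legitimate parameter value that contains `//` (a stored URL, for instance) is silently altered before routing, and as a CWE-601 control it is partial since percent-encoded or backslash-separated forms pass through untouched; the robust place for this check is the redirect call site, accepting only same-origin relative paths. The backreference adds nothing and the double quotes depart from the file's single-quote style, so `req.url = req.url.replace(/\/{2,}/g, '/')` does the same work more readably. In the HSTS block just above, `securityHSTS` was moved to `WIKI.config.security.securityHSTS` but the header still reads `WIKI.config.securityHSTSDuration`; if that value is stored under `security` like its siblings, the emitted header becomes `max-age=undefined; includeSubDomains`, which browsers discard, so it should read `WIKI.config.security.securityHSTSDuration` (verify where the duration is kept). The middleware function begins outside the hunk.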
|