Revise login redirect and implement sanitization

globaleaks · Oct 20, 2024 · 902c82c · 902c82c
1 parent fcb1c6f
commit 902c82c
Show file tree

Hide file tree

Showing 4 changed files with 42 additions and 36 deletions.
diff --git a/client/app/src/app-guard.service.ts b/client/app/src/app-guard.service.ts
@@ -3,17 +3,18 @@ import {Router, UrlTree} from "@angular/router";
 import {Observable} from "rxjs";
 import {AuthenticationService} from "@app/services/helper/authentication.service";
 import {AppDataService} from "@app/app-data.service";
+import {UtilsService} from "@app/shared/services/utils.service";
 
 @Injectable({
   providedIn: "root"
 })
 export class SessionGuard {
-  constructor(private router: Router, private appDataService: AppDataService, public authenticationService: AuthenticationService) {
+  constructor(private router: Router, private appDataService: AppDataService, public authenticationService: AuthenticationService, protected utilsService: UtilsService) {
   }
 
   canActivate(): Observable<boolean | UrlTree> | Promise<boolean | UrlTree> | boolean | UrlTree {
     if (!this.authenticationService.session) {
-      this.router.navigateByUrl("/login").then();
+      this.utilsService.routeGuardRedirect();
       return false;
     } else {
       this.appDataService.page = this.router.url;

diff --git a/client/app/src/models/authentication/session.ts b/client/app/src/models/authentication/session.ts
@@ -1,7 +1,4 @@
-import {redirectResolverModel} from "../resolvers/redirect-resolver-model";
-
 export class Session {
-  redirect: redirectResolverModel;
   id: string;
   role: string;
   encryption: boolean;
@@ -13,6 +10,7 @@ export class Session {
   two_factor: boolean;
   permissions: { can_upload_files: boolean };
   token: any;
+  redirect: string;
 }
 
 export interface Properties {

diff --git a/client/app/src/services/helper/authentication.service.ts b/client/app/src/services/helper/authentication.service.ts
@@ -1,4 +1,4 @@
-import {Injectable} from "@angular/core";
+import {Injectable, SecurityContext} from "@angular/core";
 import {LoginDataRef} from "@app/pages/auth/login/model/login-model";
 import {HttpService} from "@app/shared/services/http.service";
 import {Observable} from "rxjs";
@@ -10,6 +10,8 @@ import {TitleService} from "@app/shared/services/title.service";
 import {HttpClient, HttpErrorResponse, HttpHeaders} from "@angular/common/http";
 import {NgbModal} from "@ng-bootstrap/ng-bootstrap";
 import {OtkcAccessComponent} from "@app/shared/modals/otkc-access/otkc-access.component";
+import {DomSanitizer} from '@angular/platform-browser';
+
 
 @Injectable({
   providedIn: "root"
@@ -21,7 +23,7 @@ export class AuthenticationService {
   requireAuthCode: boolean = false;
   loginData: LoginDataRef = new LoginDataRef();
 
-  constructor(private http: HttpClient, private modalService: NgbModal,private titleService: TitleService, private activatedRoute: ActivatedRoute, private httpService: HttpService, private appDataService: AppDataService, private router: Router) {
+  constructor(private http: HttpClient, private modalService: NgbModal,private titleService: TitleService, private activatedRoute: ActivatedRoute, private httpService: HttpService, private appDataService: AppDataService, private router: Router, private sanitizer: DomSanitizer) {
     this.init();
   }
 
@@ -101,9 +103,11 @@ export class AuthenticationService {
     requestObservable.subscribe(
       {
         next: (response: Session) => {
-          this.reset()
           if (response.redirect) {
-            this.router.navigate([response.redirect]).then();
+            response.redirect = this.sanitizer.sanitize(SecurityContext.URL, response.redirect) || '';
+	    if (response.redirect) {
+              this.router.navigate([response.redirect]).then();
+	    }
           }
           this.setSession(response);
           if (response && response && response.properties && response.properties.new_receipt) {
@@ -126,36 +130,39 @@ export class AuthenticationService {
             };
             return;
           }
-          const src = this.activatedRoute.snapshot.queryParams['src'];
-          if (src) {
-            this.router.navigate([src]).then();
-            location.replace(src);
+
+          if (this.session.role === "whistleblower") {
+            if (password) {
+              this.appDataService.receipt = password;
+              this.titleService.setPage("tippage");
+            } else if (this.session.properties.operator_session) {
+              this.router.navigate(['/']);
+            }
           } else {
-            if (this.session.role === "whistleblower") {
-              if (password) {
-                this.appDataService.receipt = password;
-                this.titleService.setPage("tippage");
-              } else if (this.session.properties.operator_session) {
-                this.router.navigate(['/']);
-              }
-            } else {
-              if (!callback) {
-                let redirect = this.activatedRoute.snapshot.queryParams['redirect'] || undefined;
-                this.reset();
-                redirect = this.activatedRoute.snapshot.queryParams['redirect'] || '/';
-                const redirectURL = decodeURIComponent(redirect);
-                if (redirectURL !== "/") {
-                  this.router.navigate([redirectURL]);
-                } else {
-                  this.appDataService.updateShowLoadingPanel(true);
-                  this.router.navigate([this.session.homepage], {
-                    queryParams: this.activatedRoute.snapshot.queryParams,
-                    queryParamsHandling: "merge"
-                  }).then();
-                }
+            if (!callback) {
+              this.reset();
+
+              let redirect = this.activatedRoute.snapshot.queryParams['redirect'] || undefined;
+              redirect = this.activatedRoute.snapshot.queryParams['redirect'] || '/';
+              redirect = decodeURIComponent(redirect);
+
+	      if (redirect !== "/") {
+                redirect = this.sanitizer.sanitize(SecurityContext.URL, redirect) || '';
+
+		// Honor only local redirects
+                if (redirect.startsWith("/")) {
+                  this.router.navigate([redirect]);
+		}
+              } else {
+                this.appDataService.updateShowLoadingPanel(true);
+                this.router.navigate([this.session.homepage], {
+                  queryParams: this.activatedRoute.snapshot.queryParams,
+                  queryParamsHandling: "merge"
+                }).then();
               }
             }
           }
+
           if (callback) {
             callback();
           }

diff --git a/client/app/src/shared/guards/receiver.guard.ts b/client/app/src/shared/guards/receiver.guard.ts
@@ -16,7 +16,7 @@ export class ReceiverGuard {
     if (this.authenticationService.session) {
       if(this.authenticationService.session.role === "receiver"){
         this.appConfigService.setPage(this.router.url);
-      }else {
+      } else {
         this.router.navigateByUrl("/login").then();
       }
       return true;