Fix pentest issue 11: Unavalidated Redirects and Forwards

compdemocracy · Nov 18, 2023 · 6b00053 · 6b00053
1 parent 550ecba
commit 6b00053
Showing 1 changed file with 3 additions and 2 deletions.
diff --git a/server/src/server.ts b/server/src/server.ts
@@ -1262,8 +1262,9 @@ function initializePolisHelpers() {
     });
 
     // using hex since it doesn't require escaping like base64.
-    let dest = hexToStr(req.p.dest);
-    res.redirect(dest);
+    const dest = hexToStr(req.p.dest);
+    const url = new URL(dest);
+    res.redirect(url.pathname + url.search + url.hash);
   }
 
   function handle_GET_tryCookie(