line |
stmt |
bran |
cond |
sub |
pod |
time |
code |
1
|
|
|
|
|
|
|
package Mojolicious::Plugin::ClosedRedirect; |
2
|
6
|
|
|
6
|
|
73534
|
use Mojo::Base 'Mojolicious::Plugin'; |
|
6
|
|
|
|
|
190543
|
|
|
6
|
|
|
|
|
46
|
|
3
|
6
|
|
|
6
|
|
2558
|
use Mojo::ByteStream 'b'; |
|
6
|
|
|
|
|
3723
|
|
|
6
|
|
|
|
|
375
|
|
4
|
6
|
|
|
6
|
|
38
|
use Mojo::Util qw/secure_compare url_unescape quote/; |
|
6
|
|
|
|
|
14
|
|
|
6
|
|
|
|
|
6984
|
|
5
|
|
|
|
|
|
|
|
6
|
|
|
|
|
|
|
our $VERSION = '0.15'; |
7
|
|
|
|
|
|
|
|
8
|
|
|
|
|
|
|
# TODO: Support domain whitelisting, like |
9
|
|
|
|
|
|
|
# https://github.com/sdsdkkk/safe_redirect |
10
|
|
|
|
|
|
|
# TODO: Accept same origin URLs. |
11
|
|
|
|
|
|
|
# TODO: Probably enforce full URLs to handle things like: |
12
|
|
|
|
|
|
|
# https://www.redmine.org/issues/19577 |
13
|
|
|
|
|
|
|
|
14
|
|
|
|
|
|
|
# Register plugin |
15
|
|
|
|
|
|
|
sub register { |
16
|
7
|
|
|
7
|
1
|
13379
|
my ($plugin, $app, $param) = @_; |
17
|
|
|
|
|
|
|
|
18
|
7
|
|
50
|
|
|
31
|
$param ||= {}; |
19
|
|
|
|
|
|
|
|
20
|
|
|
|
|
|
|
# Load parameter from Config file |
21
|
7
|
50
|
|
|
|
60
|
if (my $config_param = $app->config('ClosedRedirect')) { |
22
|
0
|
|
|
|
|
0
|
$param = { %$param, %$config_param }; |
23
|
|
|
|
|
|
|
}; |
24
|
|
|
|
|
|
|
|
25
|
|
|
|
|
|
|
# Set secrets |
26
|
7
|
|
|
|
|
129
|
my $secrets; |
27
|
7
|
100
|
66
|
|
|
48
|
if ($param->{secrets} && ref $param->{secrets} eq 'ARRAY') { |
28
|
2
|
|
|
|
|
9
|
$plugin->secrets($param->{secrets}); |
29
|
2
|
|
|
|
|
5
|
$secrets = $param->{secrets}; |
30
|
|
|
|
|
|
|
} |
31
|
|
|
|
|
|
|
|
32
|
|
|
|
|
|
|
# Get secrets from application |
33
|
|
|
|
|
|
|
else { |
34
|
5
|
|
|
|
|
21
|
$secrets = $app->secrets; |
35
|
|
|
|
|
|
|
}; |
36
|
|
|
|
|
|
|
|
37
|
7
|
|
|
|
|
55
|
my ($log, $plugins) = ($app->log, $app->plugins); |
38
|
|
|
|
|
|
|
|
39
|
|
|
|
|
|
|
# Establish 'close_redirect_to' helper |
40
|
|
|
|
|
|
|
$app->helper( |
41
|
|
|
|
|
|
|
close_redirect_to => sub { |
42
|
15
|
|
|
15
|
|
39631
|
my $c = shift; |
43
|
|
|
|
|
|
|
|
44
|
15
|
|
|
|
|
62
|
my $url = $c->url_for(@_); |
45
|
|
|
|
|
|
|
|
46
|
|
|
|
|
|
|
# Delete possible 'crto' parameter |
47
|
15
|
|
|
|
|
4215
|
$url->query->remove('crto'); |
48
|
|
|
|
|
|
|
|
49
|
|
|
|
|
|
|
# Canonicalize |
50
|
15
|
|
|
|
|
925
|
$url->path->canonicalize; |
51
|
|
|
|
|
|
|
|
52
|
|
|
|
|
|
|
# Get the first plugin secret or the first application secret |
53
|
15
|
|
|
|
|
702
|
my $secret = $secrets->[0]; |
54
|
|
|
|
|
|
|
|
55
|
|
|
|
|
|
|
# Calculate check |
56
|
15
|
|
|
|
|
61
|
my $url_check = |
57
|
|
|
|
|
|
|
b($url->to_string) |
58
|
|
|
|
|
|
|
->url_unescape |
59
|
|
|
|
|
|
|
->hmac_sha1_sum($secret); |
60
|
|
|
|
|
|
|
|
61
|
|
|
|
|
|
|
# Append check parameter to url |
62
|
15
|
|
|
|
|
5555
|
$url->query({ crto => $url_check }); |
63
|
15
|
|
|
|
|
1213
|
return $url->to_string; |
64
|
|
|
|
|
|
|
} |
65
|
7
|
|
|
|
|
1105
|
); |
66
|
|
|
|
|
|
|
|
67
|
|
|
|
|
|
|
# Redirect to relative URL |
68
|
|
|
|
|
|
|
$app->helper( |
69
|
|
|
|
|
|
|
relative_redirect_to => sub { |
70
|
1
|
|
|
1
|
|
58
|
my $c = shift; |
71
|
|
|
|
|
|
|
|
72
|
|
|
|
|
|
|
# Get the base path of the request URL |
73
|
1
|
|
|
|
|
7
|
my $path = $c->req->url->base->path->canonicalize; |
74
|
|
|
|
|
|
|
|
75
|
|
|
|
|
|
|
# Get URL |
76
|
1
|
|
|
|
|
98
|
my $redirect = $c->url_for(@_); |
77
|
|
|
|
|
|
|
|
78
|
|
|
|
|
|
|
# In case path is set, remove path prefix |
79
|
1
|
50
|
|
|
|
260
|
if ($path) { |
80
|
1
|
|
|
|
|
8
|
my $redirect_parts = $redirect->path->parts; |
81
|
1
|
|
|
|
|
15
|
foreach (@{$path->parts}) { |
|
1
|
|
|
|
|
3
|
|
82
|
2
|
50
|
33
|
|
|
18
|
if ($redirect_parts->[0] && ($_ eq $redirect_parts->[0])) { |
83
|
2
|
|
|
|
|
6
|
shift @$redirect_parts; |
84
|
|
|
|
|
|
|
}; |
85
|
|
|
|
|
|
|
}; |
86
|
|
|
|
|
|
|
}; |
87
|
|
|
|
|
|
|
|
88
|
|
|
|
|
|
|
# Don't override 3xx status |
89
|
1
|
|
|
|
|
5
|
my $res = $c->res; |
90
|
1
|
|
|
|
|
14
|
$res->headers->location($redirect); |
91
|
1
|
50
|
|
|
|
22
|
return $c->rendered($res->is_redirect ? () : 302); |
92
|
|
|
|
|
|
|
} |
93
|
7
|
|
|
|
|
971
|
); |
94
|
|
|
|
|
|
|
|
95
|
|
|
|
|
|
|
# Add validation check |
96
|
|
|
|
|
|
|
# Alternatively make this a filter instead |
97
|
|
|
|
|
|
|
$app->validator->add_check( |
98
|
|
|
|
|
|
|
closed_redirect => sub { |
99
|
27
|
|
|
27
|
|
313069
|
my ($v, $name, $return_url, $method) = @_; |
100
|
27
|
|
100
|
|
|
124
|
$method //= ''; |
101
|
|
|
|
|
|
|
|
102
|
|
|
|
|
|
|
# No URL given |
103
|
|
|
|
|
|
|
# This is not judged as an Open Redirect attack |
104
|
27
|
50
|
|
|
|
74
|
return 'Redirect is missing' unless $return_url; |
105
|
|
|
|
|
|
|
|
106
|
27
|
|
|
|
|
92
|
my ($err, $url); |
107
|
|
|
|
|
|
|
|
108
|
|
|
|
|
|
|
# No array allowed |
109
|
27
|
100
|
|
|
|
71
|
if (ref $v->output->{$name} eq 'ARRAY') { |
110
|
1
|
|
|
|
|
7
|
$err = 'Redirect is defined multiple times'; |
111
|
|
|
|
|
|
|
} |
112
|
|
|
|
|
|
|
|
113
|
|
|
|
|
|
|
# Parameter is fine |
114
|
|
|
|
|
|
|
else { |
115
|
|
|
|
|
|
|
|
116
|
|
|
|
|
|
|
# Check for local paths |
117
|
26
|
100
|
|
|
|
203
|
if ($method ne 'signed') { |
118
|
|
|
|
|
|
|
|
119
|
|
|
|
|
|
|
# That's fine |
120
|
10
|
100
|
|
|
|
35
|
if (_local_path($return_url)) { |
121
|
|
|
|
|
|
|
# Get url |
122
|
6
|
|
|
|
|
33
|
$url = Mojo::URL->new($return_url); |
123
|
|
|
|
|
|
|
|
124
|
|
|
|
|
|
|
# Remove parameter if existent |
125
|
6
|
|
|
|
|
408
|
$url->query->remove('crto'); |
126
|
|
|
|
|
|
|
|
127
|
|
|
|
|
|
|
# Rewrite parameter |
128
|
6
|
|
|
|
|
384
|
$v->output->{$name} = $url->to_string; |
129
|
|
|
|
|
|
|
|
130
|
6
|
|
|
|
|
1181
|
return; |
131
|
|
|
|
|
|
|
}; |
132
|
|
|
|
|
|
|
}; |
133
|
|
|
|
|
|
|
|
134
|
|
|
|
|
|
|
# Get url |
135
|
20
|
|
|
|
|
79
|
$url = Mojo::URL->new($return_url); |
136
|
|
|
|
|
|
|
|
137
|
|
|
|
|
|
|
# local_path not valid |
138
|
|
|
|
|
|
|
# Support signing |
139
|
20
|
100
|
|
|
|
2464
|
unless ($method eq 'local') { |
140
|
|
|
|
|
|
|
|
141
|
|
|
|
|
|
|
# Get 'crto' parameter |
142
|
18
|
|
|
|
|
75
|
my $check = $url->query->param('crto'); |
143
|
|
|
|
|
|
|
|
144
|
|
|
|
|
|
|
# No check parameter available |
145
|
18
|
100
|
|
|
|
1906
|
if ($check) { |
146
|
|
|
|
|
|
|
|
147
|
|
|
|
|
|
|
# Remove parameter |
148
|
15
|
|
|
|
|
64
|
$url->query->remove('crto'); |
149
|
|
|
|
|
|
|
|
150
|
15
|
|
|
|
|
355
|
my $url_check; |
151
|
|
|
|
|
|
|
|
152
|
|
|
|
|
|
|
# Check all secrets |
153
|
15
|
|
|
|
|
45
|
foreach (@$secrets) { |
154
|
|
|
|
|
|
|
|
155
|
|
|
|
|
|
|
# Calculate check |
156
|
17
|
|
|
|
|
380
|
$url_check = |
157
|
|
|
|
|
|
|
b($url->to_string)-> |
158
|
|
|
|
|
|
|
url_unescape-> |
159
|
|
|
|
|
|
|
hmac_sha1_sum($_); |
160
|
|
|
|
|
|
|
|
161
|
|
|
|
|
|
|
# Check if signed url is valid |
162
|
17
|
100
|
|
|
|
3376
|
if (secure_compare($url_check, $check)) { |
163
|
|
|
|
|
|
|
|
164
|
|
|
|
|
|
|
# TODO: Remove authorization stuff! |
165
|
|
|
|
|
|
|
|
166
|
|
|
|
|
|
|
# Rewrite parameter |
167
|
11
|
|
|
|
|
1764
|
$v->output->{$name} = $url->to_string; |
168
|
11
|
|
|
|
|
1810
|
return; |
169
|
|
|
|
|
|
|
}; |
170
|
|
|
|
|
|
|
}; |
171
|
|
|
|
|
|
|
}; |
172
|
|
|
|
|
|
|
}; |
173
|
|
|
|
|
|
|
}; |
174
|
|
|
|
|
|
|
|
175
|
10
|
|
100
|
|
|
264
|
$err //= 'Redirect is invalid'; |
176
|
|
|
|
|
|
|
|
177
|
|
|
|
|
|
|
# Emit hook |
178
|
10
|
|
|
|
|
63
|
$plugins->emit_hook( |
179
|
|
|
|
|
|
|
on_open_redirect_attack => ( $name, $return_url, $err ) |
180
|
|
|
|
|
|
|
); |
181
|
|
|
|
|
|
|
|
182
|
|
|
|
|
|
|
# Warn in log |
183
|
|
|
|
|
|
|
# Prevents log-injection attack |
184
|
10
|
|
|
|
|
266
|
$log->warn( |
185
|
|
|
|
|
|
|
"Open Redirect Attack - $err: URL for " . |
186
|
|
|
|
|
|
|
quote($name) . ' is ' . quote($return_url) |
187
|
|
|
|
|
|
|
); |
188
|
|
|
|
|
|
|
|
189
|
10
|
|
|
|
|
285
|
return $err; |
190
|
|
|
|
|
|
|
} |
191
|
7
|
|
|
|
|
554
|
); |
192
|
|
|
|
|
|
|
}; |
193
|
|
|
|
|
|
|
|
194
|
|
|
|
|
|
|
|
195
|
|
|
|
|
|
|
# secrets attribute |
196
|
|
|
|
|
|
|
sub secrets { |
197
|
2
|
|
|
2
|
1
|
5
|
my $self = shift; |
198
|
2
|
50
|
|
|
|
7
|
if (@_ > 0) { |
199
|
2
|
|
|
|
|
9
|
$self->{secrets} = shift; |
200
|
|
|
|
|
|
|
}; |
201
|
2
|
|
50
|
|
|
8
|
return $self->{secrets} // []; |
202
|
|
|
|
|
|
|
}; |
203
|
|
|
|
|
|
|
|
204
|
|
|
|
|
|
|
|
205
|
|
|
|
|
|
|
# Check for local Path |
206
|
|
|
|
|
|
|
# Based on http://www.asp.net/mvc/overview/security/preventing-open-redirection-attacks |
207
|
|
|
|
|
|
|
sub _local_path { |
208
|
31
|
|
|
31
|
|
187
|
my $url = url_unescape $_[0]; |
209
|
31
|
100
|
|
|
|
456
|
return 1 if $url =~ m!^(?:/(?:[^\/\\]|$)|~\/.)!; |
210
|
22
|
|
|
|
|
89
|
return; |
211
|
|
|
|
|
|
|
}; |
212
|
|
|
|
|
|
|
|
213
|
|
|
|
|
|
|
|
214
|
|
|
|
|
|
|
1; |
215
|
|
|
|
|
|
|
|
216
|
|
|
|
|
|
|
|
217
|
|
|
|
|
|
|
__END__ |