Merge pull request #1612 from Shopify/xss-issue-koa-auth

EncodeURI origin app-bridge
Shopify · Aug 26, 2020 · a05457d · a05457d
2 parents 56818ad + 11dccc9
commit a05457d
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 2 deletions.
diff --git a/packages/koa-shopify-auth/CHANGELOG.md b/packages/koa-shopify-auth/CHANGELOG.md
@@ -5,7 +5,9 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
-<!-- ## [Unreleased] -->
+## [Unreleased]
+
+- URI encode `config` on redirection page [1612](https://github.com/Shopify/quilt/pull/1612)
 
 ## [3.1.65] - 2020-07-06
 

diff --git a/packages/koa-shopify-auth/src/auth/redirection-page.ts b/packages/koa-shopify-auth/src/auth/redirection-page.ts
@@ -12,7 +12,7 @@ export default function redirectionScript({origin, redirectTo, apiKey}) {
           var Redirect = AppBridge.actions.Redirect;
           var app = createApp({
             apiKey: '${apiKey}',
-            shopOrigin: '${origin}',
+            shopOrigin: "${encodeURI(origin)}",
           });
           var redirect = Redirect.create(app);
           redirect.dispatch(Redirect.Action.REMOTE, '${redirectTo}');

diff --git a/packages/koa-shopify-auth/src/auth/test/redirection-page.test.ts b/packages/koa-shopify-auth/src/auth/test/redirection-page.test.ts
@@ -0,0 +1,15 @@
+import redirectionScript from '../redirection-page';
+
+const origin = 'https://shopify.com/?x=шеллы';
+const redirectTo = 'shop1.myshopify.io';
+const apiKey = 'fakekey';
+
+describe('redirectionScript', () => {
+  it('returns a script tag with formatted data', () => {
+    const script = redirectionScript({origin, redirectTo, apiKey});
+
+    expect(script).toContain(
+      'shopOrigin: "https://shopify.com/?x=%D1%88%D0%B5%D0%BB%D0%BB%D1%8B"',
+    );
+  });
+});