fix(security): remove XSS vulnerability in returnUrl query param

The `returnUrl` query parameter can be used to execute malicious code. For example, visiting `http://localhost:9876/?return_url=javascript:alert(document.domain)` will display an alert.
karma-runner · Feb 1, 2022 · 839578c · 839578c
1 parent db53785
commit 839578c
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 0 deletions.
diff --git a/client/karma.js b/client/karma.js
@@ -239,6 +239,9 @@ function Karma (updater, socket, iframe, opener, navigator, location, document)
       self.updater.updateTestStatus('complete')
     }
     if (returnUrl) {
+      if (!/^https?:\/\//.test(returnUrl)) {
+        throw new Error(`Security: Navigation to ${returnUrl} was blocked to prevent malicious exploits.`)
+      }
       location.href = returnUrl
     }
   }

diff --git a/static/karma.js b/static/karma.js
@@ -249,6 +249,9 @@ function Karma (updater, socket, iframe, opener, navigator, location, document)
       self.updater.updateTestStatus('complete')
     }
     if (returnUrl) {
+      if (!/^https?:\/\//.test(returnUrl)) {
+        throw new Error(`Security: Navigation to ${returnUrl} was blocked to prevent malicious exploits.`)
+      }
       location.href = returnUrl
     }
   }