From 1e184e8e218676278c83e60a45846c199ce3d15e Mon Sep 17 00:00:00 2001
From: kyle
Date: Sat, 23 Feb 2019 14:14:30 -0800
Subject: [PATCH] fix: sanitize URLs used for OAuth auth flow (via #5190)

* fix: sanitize URLs used for OAuth auth flow
* embetter test case
* fix linter issue
---
 src/core/oauth2-authorize.js | 7 +++---
 .../static/documents/xss/oauth2.yaml | 5 ++++
 test/e2e-cypress/tests/features/xss/oauth2.js | 23 +++++++++++++++++++
 3 files changed, 32 insertions(+), 3 deletions(-)
 create mode 100644 test/e2e-cypress/static/documents/xss/oauth2.yaml
 create mode 100644 test/e2e-cypress/tests/features/xss/oauth2.js

diff --git a/src/core/oauth2-authorize.js b/src/core/oauth2-authorize.js
index 0de353d2..f819e293 100644
--- a/src/core/oauth2-authorize.js
+++ b/src/core/oauth2-authorize.js
@@ -1,5 +1,5 @@
 import win from "core/window"
-import { btoa } from "core/utils"
+import { btoa, sanitizeUrl } from "core/utils"
 
 export default function authorize ( { auth, authActions, errActions, configs, authConfigs={} } ) {
   let { schema, scopes, name, clientId } = auth
@@ -74,8 +74,9 @@ export default function authorize ( { auth, authActions, errActions, configs, au
     }
   }
 
-  let authorizationUrl = schema.get("authorizationUrl")
-  let url = [authorizationUrl, query.join("&")].join(authorizationUrl.indexOf("?") === -1 ? "?" : "&")
+  const authorizationUrl = schema.get("authorizationUrl")
+  const sanitizedAuthorizationUrl = sanitizeUrl(authorizationUrl)
+  let url = [sanitizedAuthorizationUrl, query.join("&")].join(authorizationUrl.indexOf("?") === -1 ? "?" : "&")
 
   // pass action authorizeOauth2 and authentication data through window
   // to authorize with oauth2
diff --git a/test/e2e-cypress/static/documents/xss/oauth2.yaml b/test/e2e-cypress/static/documents/xss/oauth2.yaml
new file mode 100644
index 00000000..4ff4cc79
--- /dev/null
+++ b/test/e2e-cypress/static/documents/xss/oauth2.yaml
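Review bot: The `?`/`&` separator on the last added line is still chosen by inspecting the unsanitized `authorizationUrl` (`authorizationUrl.indexOf("?")`) while the URL itself is now built from `sanitizedAuthorizationUrl`; whenever sanitizeUrl rewrites the value (the new Cypress test expects a rejected `javascript:` URL to come back as `about:blank`), the decision is made against a string that is no longer the one being used. Make the line read `let url = [sanitizedAuthorizationUrl, query.join("&")].join(sanitizedAuthorizationUrl.indexOf("?") === -1 ? "?" : "&")` so the check and the value agree. The body of `authorize` continues outside the hunk, so the contents of `query` are not visible here; since they presumably derive from the same spec/config as the authorization URL, it is worth confirming they are encoded before being joined into `url`.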
@@ -0,0 +1,5 @@
+swagger: '2.0'
+securityDefinitions:
+  a:
+    type: oauth2
+    authorizationUrl: javascript:alert(document.domain)//
diff --git a/test/e2e-cypress/tests/features/xss/oauth2.js b/test/e2e-cypress/tests/features/xss/oauth2.js
new file mode 100644
index 00000000..3d7b727a
--- /dev/null
+++ b/test/e2e-cypress/tests/features/xss/oauth2.js
@@ -0,0 +1,23 @@
+describe("XSS: OAuth2 authorizationUrl sanitization", () => {
+  it("should filter out a javascript URL", () => {
+    cy.visit("/?url=/documents/xss/oauth2.yaml")
+      .window()
+      .then(win => {
+        let args = null
+        const stub = cy.stub(win, "open", (...callArgs) => {
+          args = callArgs
+        }).as("windowOpen")
+        cy.get(".authorize")
+          .click()
+          .get(".modal-btn.authorize")
+          .click()
+          .wait(100)
+          .then(() => {
+            console.log(args)
+            expect(args[0]).to.match(/^about:blank/)
+          })
+
+      })
+  })
+})
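Review bot: The new test relies on a fixed `.wait(100)` to order the authorize click against the `window.open` stub, and if `win.open` is never called the following `expect(args[0])` fails with a TypeError on `null` instead of a clear assertion, which hides the difference between "sanitized" and "never opened". Replace the `.wait(100)` line with `.get("@windowOpen").should("have.been.calledOnce")` so Cypress retries until the stub fires and reports a readable failure otherwise. The `const stub` binding is never used and `console.log(args)` reads as a leftover; both can be dropped.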