59 CVE 601 open redirect (#63)
Signed-off-by: Carl Handy <[email protected]>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
carlHandy and github-advanced-security[bot] authored Sep 27, 2024
1 parent 052e64b commit 2447919
Showing 6 changed files with 167 additions and 2 deletions.
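--- /dev/null
+++ b/.envrc
@@ -0,0 +1,7 @@
+# shellcheck: bash
+strict_env
+direnv_version "2.32.3" || exit 1
+dotenv_if_exists ".env"
+source_env_if_exists .myenvrc
+# devbox's direnv script is not `strict_env` safe
+unstrict_env eval "$(devbox generate direnv --print-envrc)"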
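Review bot: `dotenv_if_exists ".env"` and `source_env_if_exists .myenvrc` load two local files into every shell that enters the directory, and a `.env` file typically carries credentials, so confirm both paths are covered by `.gitignore` (not visible in this commit) before this `.envrc` lands. The last line evaluates whatever `devbox generate direnv --print-envrc` prints, which relies on direnv's explicit `direnv allow` gate as the only review point for that generated shell; a comment making that explicit, `# executes devbox's generated hook; re-run 'direnv allow' after editing this file`, would tell the next developer where the trust boundary is.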
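--- /dev/null
+++ b/devbox.d/php/php-fpm.conf
@@ -0,0 +1,17 @@
+[global]
+pid = ${PHPFPM_PID_FILE}
+error_log = ${PHPFPM_ERROR_LOG_FILE}
+daemonize = yes
+
+[www]
+; user = www-data
+; group = www-data
+listen = 127.0.0.1:${PHPFPM_PORT}
+; listen.owner = www-data
+; listen.group = www-data
+pm = dynamic
+pm.max_children = 5
+pm.start_servers = 2
+pm.min_spare_servers = 1
+pm.max_spare_servers = 3
+chdir = /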
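--- /dev/null
+++ b/devbox.d/php/php.ini
@@ -0,0 +1,6 @@
+[php]
+
+; Put your php.ini directives here. For the latest default php.ini file, see https://github.com/php/php-src/blob/master/php.ini-production
+
+; memory_limit = 128M
+; expose_php = Off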
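--- /dev/null
+++ b/devbox.json
@@ -0,0 +1,18 @@
+{
+"$schema": "https://raw.githubusercontent.com/jetify-com/devbox/0.12.0/.schema/devbox.schema.json",
+"packages": [
+"php@latest",
+"php83Packages.composer@latest"
+],
+"shell": {
+"init_hook": [
+"echo 'Welcome to devbox!' > /dev/null"
+],
+"scripts": {
+"test": [
+"echo \"Error: no test specified\" && exit 1"
+]
+}
+}
+}
+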
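--- /dev/null
+++ b/devbox.lock
@@ -0,0 +1,102 @@
+{
+"lockfile_version": "1",
+"packages": {
+"php83Packages.composer@latest": {
+"last_modified": "2024-09-10T15:01:03Z",
+"resolved": "github:NixOS/nixpkgs/5ed627539ac84809c78b2dd6d26a5cebeb5ae269#php83Packages.composer",
+"source": "devbox-search",
+"version": "2.7.9",
+"systems": {
+"aarch64-darwin": {
+"outputs": [
+{
+"name": "out",
+"path": "/nix/store/8bbh5pdbdzq6vp5h5w8ixzplsx2hnymv-composer-2.7.9",
+"default": true
+}
+],
+"store_path": "/nix/store/8bbh5pdbdzq6vp5h5w8ixzplsx2hnymv-composer-2.7.9"
+},
+"aarch64-linux": {
+"outputs": [
+{
+"name": "out",
+"path": "/nix/store/xxgasspa2jvxq9knrp8k4p154yidqjhv-composer-2.7.9",
+"default": true
+}
+],
+"store_path": "/nix/store/xxgasspa2jvxq9knrp8k4p154yidqjhv-composer-2.7.9"
+},
+"x86_64-darwin": {
+"outputs": [
+{
+"name": "out",
+"path": "/nix/store/656grsckzkwk72z0g9d4knwq0cdc2f0z-composer-2.7.9",
+"default": true
+}
+],
+"store_path": "/nix/store/656grsckzkwk72z0g9d4knwq0cdc2f0z-composer-2.7.9"
+},
+"x86_64-linux": {
+"outputs": [
+{
+"name": "out",
+"path": "/nix/store/ikm0vm76yk5q6iqd4763628vv51s280l-composer-2.7.9",
+"default": true
+}
+],
+"store_path": "/nix/store/ikm0vm76yk5q6iqd4763628vv51s280l-composer-2.7.9"
+}
+}
+},
+"php@latest": {
+"last_modified": "2024-09-10T15:01:03Z",
+"plugin_version": "0.0.3",
+"resolved": "github:NixOS/nixpkgs/5ed627539ac84809c78b2dd6d26a5cebeb5ae269#php83",
+"source": "devbox-search",
+"version": "8.3.11",
+"systems": {
+"aarch64-darwin": {
+"outputs": [
+{
+"name": "out",
+"path": "/nix/store/0njs510s207yhfg3a8ans9cmfwca0fwl-php-with-extensions-8.3.11",
+"default": true
+}
+],
+"store_path": "/nix/store/0njs510s207yhfg3a8ans9cmfwca0fwl-php-with-extensions-8.3.11"
+},
+"aarch64-linux": {
+"outputs": [
+{
+"name": "out",
+"path": "/nix/store/gk2lzzh45d8cvzgs780jjfjwx3g2k9pg-php-with-extensions-8.3.11",
+"default": true
+}
+],
+"store_path": "/nix/store/gk2lzzh45d8cvzgs780jjfjwx3g2k9pg-php-with-extensions-8.3.11"
+},
+"x86_64-darwin": {
+"outputs": [
+{
+"name": "out",
+"path": "/nix/store/md7k6rhnvm7pz8dkppy4f17mydx064cj-php-with-extensions-8.3.11",
+"default": true
+}
+],
+"store_path": "/nix/store/md7k6rhnvm7pz8dkppy4f17mydx064cj-php-with-extensions-8.3.11"
+},
+"x86_64-linux": {
+"outputs": [
+{
+"name": "out",
+"path": "/nix/store/0r8w4n0xh1wkvc14n4gl0mshy1y3sri1-php-with-extensions-8.3.11",
+"default": true
+}
+],
+"store_path": "/nix/store/0r8w4n0xh1wkvc14n4gl0mshy1y3sri1-php-with-extensions-8.3.11"
+}
+}
+}
+}
+}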
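--- a/js/mmg-checkout.js
+++ b/js/mmg-checkout.js
@@ -18,7 +18,12 @@ jQuery(document).ready(function($) {
 data: postData,
 success: function(response) {
 if (response.success && response.data.checkout_url) {
-window.location.href = response.data.checkout_url;
+if (isValidUrl(response.data.checkout_url)) {
+window.location.href = response.data.checkout_url;
+} else {
+alert('Invalid checkout URL received.');
+$button.prop('disabled', false).text('Pay with MMG');
+}
 } else {
 alert('Error generating checkout URL: ' + (response.data.error || 'Unknown error'));
 $button.prop('disabled', false).text('Pay with MMG');
@@ -30,4 +35,14 @@ jQuery(document).ready(function($) {
 }
 });
 });
-});
+});
+
+function isValidUrl(url) {
+try {
+const parsedUrl = new URL(url);
+const allowedHosts = ['qpass.com'];
+return ['https:', 'http:'].includes(parsedUrl.protocol) && allowedHosts.includes(parsedUrl.hostname);
+} catch (e) {
+return false;
+}
+}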
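Review bot: `isValidUrl` in the second hunk still accepts `http:` alongside `https:`, so a checkout URL served over plain HTTP passes the allowlist and the browser is sent to a payment page without TLS; for a payment redirect only `https:` should pass: `return parsedUrl.protocol === 'https:' && allowedHosts.includes(parsedUrl.hostname);`. The allowlist is an exact match on `hostname`, so `qpass.com` itself is accepted but any subdomain of it is rejected with the 'Invalid checkout URL received.' alert — confirm against the host the gateway actually returns, or every checkout will be blocked. This check runs in the browser on the server's own AJAX response, so it only protects users who load this script; the server-side handler that produces `checkout_url` (not in this diff) is presumably where the open redirect still needs to be closed, and a comment on `isValidUrl` such as `// Client-side defence in depth only; the server must also validate checkout_url` would record that. The `success` callback patched in the first hunk belongs to a `.ready()` handler whose body begins before line 18, outside the hunk.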
