From 6d1a13ae5ff79febffe2c9fb8cabe24b64c36f41 Mon Sep 17 00:00:00 2001
From: alokhyland
Date: Wed, 29 May 2024 17:59:41 +0530
Subject: [PATCH] WEBUI-1511: Own Code Static Scan : Open Redirect

---
 elements/routing.js                          | 33 +++++++++++++------
 .../resources/OSGI-INF/web-ui-properties.xml |  6 ++--
 2 files changed, 26 insertions(+), 13 deletions(-)

diff --git a/elements/routing.js b/elements/routing.js
index f28c1e5003..eebf627ccd 100644
--- a/elements/routing.js
+++ b/elements/routing.js
@@ -27,22 +27,34 @@ function scrollToTop(ctx, next) {
   next();
 }
-function getTrustedDomains(path) {
+function createUrlFromString(str) {
+  const httpRegex = /^https?:\/\//;
+  const wwwRegex = /www\./;
+  str = httpRegex.test(str) ? str : `http://${str}`;
+  str = wwwRegex.test(str) ? str : str.replace(/^(https?:\/\/)?/, '$1www.');
+  return str;
+}
+
+function isTrustedDomain(path) {
   const trustedDomains = Nuxeo && Nuxeo.UI && Nuxeo.UI.config && Nuxeo.UI.config.trustedDomains;
-  const pathUrl = new URL(path);
+  if (!trustedDomains) return true;
+  const modifiedPathUrl = createUrlFromString(path);
+  const pathUrl = new URL(modifiedPathUrl);
   const { hostname } = pathUrl;
-  const queryParams = pathUrl.search.split('?')[1];
-  const encodepath = queryParams ? `${pathUrl.origin}?${encodeURIComponent(queryParams)}` : path;
-  if (!trustedDomains) return { encodepath, isvalidUrl: true };
   const trustedDomainList = trustedDomains.split(',');
   const isvalidUrl = trustedDomainList.some((url) => {
-    const isFullpath = /^http(s)?:\/\//.test(url);
-    const parsedURL = isFullpath ? url : `https://${url}`;
-    const { hostname: currentUrlhost } = new URL(parsedURL);
+    const updatedUrl = createUrlFromString(url);
+    const { hostname: currentUrlhost } = new URL(updatedUrl);
     return currentUrlhost.toLowerCase() === hostname.toLowerCase();
   });
+  return isvalidUrl;
+}
-  return { encodepath, isvalidUrl };
+function encodeQueryParams(path) {
+  const pathUrl = new URL(path);
+  const queryParams = pathUrl.search.split('?')[1];
+  const encodepath = queryParams ? `${pathUrl.origin}?${encodeURIComponent(queryParams)}` : path;
+  return encodepath;
 }
 function _routeAdmin(selectedAdminTab, errorPath, routeData) {
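Review bot: `isTrustedDomain` still fails open: `if (!trustedDomains) return true;` trusts every absolute URL whenever the property is unset, and the XML hunk in this same commit defaults `nuxeo.trustedDomains` to `''`, which is falsy, so a stock deployment keeps the open redirect the patch title says it closes. Unless the fail-open default is deliberate (in which case it deserves a comment on that line), `if (!trustedDomains) return false;` with an empty list meaning "no external redirects" is the safer contract. The `www\.` test in `createUrlFromString` is unanchored, so a `www.` anywhere in the path or query (for example `https://example.com/?next=www.`) skips the prefixing and a trusted `example.com` no longer matches; after the first line the string always starts with a scheme, so `/^https?:\/\/www\./i` anchors it to the host. Entries from `trustedDomains.split(',')` are not trimmed, so a list written with spaces makes `new URL` throw inside `.some`; `trustedDomains.split(',').map((d) => d.trim()).filter(Boolean)` avoids that. The function also returns a string rather than a `URL`, so a name such as `normalizeUrlString` would describe it better.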
@@ -214,7 +226,8 @@ app.router = {
     }
     const isFullpath = /^http(s)?:\/\//.test(path);
     if (isFullpath) {
-      const { encodepath, isvalidUrl } = getTrustedDomains(path);
+      const isvalidUrl = isTrustedDomain(path);
+      const encodepath = encodeQueryParams(path);
       if (isvalidUrl) {
         const link = document.createElement('a');
         link.setAttribute('href', encodepath);
diff --git a/plugin/web-ui/addon/src/main/resources/OSGI-INF/web-ui-properties.xml b/plugin/web-ui/addon/src/main/resources/OSGI-INF/web-ui-properties.xml
index b7dfd741f3..5150ab5f23 100644
--- a/plugin/web-ui/addon/src/main/resources/OSGI-INF/web-ui-properties.xml
+++ b/plugin/web-ui/addon/src/main/resources/OSGI-INF/web-ui-properties.xml
@@ -52,7 +52,7 @@
- ${nuxeo.trustedDomains} - + ${nuxeo.trustedDomains:=''} + - + \ No newline at end of file
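Review bot: The URL that is validated and the URL that is navigated to are not the same string: `isTrustedDomain(path)` compares the hostname of `createUrlFromString(path)`, which may have had `www.` prepended, while `encodeQueryParams(path)` and the `href` set two lines below use the raw `path`. Trusting `www.example.com` therefore also admits a redirect to `example.com`, which can be a different host; if that aliasing is intended it should be stated in a comment next to the `isTrustedDomain` call, otherwise the check should compare the hostname of `new URL(path)` as given and leave the `www.` rewriting to the configured list only. Parsing `path` twice also means a malformed absolute URL throws from whichever `new URL` runs first with no handler visible here, so the calling code presumably relies on an outer catch; worth confirming. The enclosing route handler starts and ends outside the hunk.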