From eebbf8f50b3304be9a5c5fb6fcdabb070c96a887 Mon Sep 17 00:00:00 2001
From: alokhyland
Date: Fri, 24 May 2024 14:11:31 +0530
Subject: [PATCH] WEBUI-1511: Own Code Static Scan : Open Redirect
---
 elements/routing.js | 25 +++++++++++++++++--
 .../resources/OSGI-INF/web-ui-properties.xml | 7 ++++--
 2 files changed, 28 insertions(+), 4 deletions(-)
diff --git a/elements/routing.js b/elements/routing.js
index 3499e5c2eb..8fd087b3f6 100644
--- a/elements/routing.js
+++ b/elements/routing.js
@@ -27,6 +27,23 @@ function scrollToTop(ctx, next) {
 next();
 }
+function getTrustedDomains(path) {
+ const trustedDomains = Nuxeo && Nuxeo.UI && Nuxeo.UI.config && Nuxeo.UI.config.trustedDomains;
+ const pathUrl = new URL(path);
+ const { hostname } = pathUrl;
+ const queryParams = pathUrl.search.split('?')[1];
+ const encodepath = queryParams ? `${pathUrl.origin}?${encodeURIComponent(queryParams)}` : path;
+ if (!trustedDomains) return { encodepath, isvalidUrl: true };
+ const trustedDomainList = trustedDomains.split(',');
+ const isvalidUrl = trustedDomainList.some((url) => {
+ const isFullpath = /^http(s)?:\/\//.test(url);
+ const parsedURL = isFullpath ? url : `https://${url}`;
+ const { hostname: currentUrlhost } = new URL(parsedURL);
+ return currentUrlhost.toLowerCase() === hostname.toLowerCase();
+ });
+ return { encodepath, isvalidUrl };
+}
+
 function _routeAdmin(selectedAdminTab, errorPath, routeData) {
 const hasPermission = app.currentUser.isAdministrator || app.currentUser.extendedGroups.find((grp) => grp.name === 'powerusers');
@@ -37,7 +54,6 @@ function _routeAdmin(selectedAdminTab, errorPath, routeData) {
 app.showError(404, '', errorPath);
 }
 }
-
 // Routes
 page('*', scrollToTop, (ctx, next) => {
 next();
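Review bot: `encodepath` drops the target's pathname and hash whenever the URL carries a query string, because it is rebuilt from `pathUrl.origin` alone, and `encodeURIComponent` over the whole query also escapes `=` and `&`, so `https://host/a/b?x=1&y=2` is sent out as `https://host?x%3D1%26y%3D2`. Since the hostname comparison in `.some()` is what actually gates the redirect, the re-encoding adds no protection; navigating to `pathUrl.href` keeps the URL intact and normalized. `trustedDomains.split(',')` is also not trimmed, so a list written as `a.example, b.example` produces `https:// b.example`, which makes `new URL` throw a TypeError inside the callback and aborts the navigation. The `!trustedDomains` branch allows any external host when the property is unset, i.e. the pre-patch behaviour stays the default; a comment stating that this opt-in is intentional (or a same-origin fallback) would make the contract explicit.
```javascript
function getTrustedDomains(path) {
  // … unchanged: trustedDomains lookup and new URL(path) …
  const { hostname } = pathUrl;
  // pathname, search and hash must survive; the host check below is what gates the redirect
  const encodepath = pathUrl.href;
  if (!trustedDomains) return { encodepath, isvalidUrl: true };
  const trustedDomainList = trustedDomains
    .split(',')
    .map((entry) => entry.trim())
    .filter((entry) => entry.length > 0);
  // … unchanged: .some() hostname comparison and return …
}
```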
@@ -197,7 +213,12 @@ app.router = {
 }
 const isFullpath = /^http(s)?:\/\//.test(path);
 if (isFullpath) {
- window.location = path;
+ const { encodepath, isvalidUrl } = getTrustedDomains(path);
+ if (isvalidUrl) {
+ const link = document.createElement('a');
+ link.setAttribute('href', encodepath);
+ link.click();
+ }
 } else {
 page(path);
 }
diff --git a/plugin/web-ui/addon/src/main/resources/OSGI-INF/web-ui-properties.xml b/plugin/web-ui/addon/src/main/resources/OSGI-INF/web-ui-properties.xml
index 6e5b7b87b5..87fc8138fc 100644
--- a/plugin/web-ui/addon/src/main/resources/OSGI-INF/web-ui-properties.xml
+++ b/plugin/web-ui/addon/src/main/resources/OSGI-INF/web-ui-properties.xml
@@ -36,7 +36,6 @@ ${nuxeo.s3storage.useDirectUpload:=false} - ${org.nuxeo.download.url.follow.redirect:=false}
@@ -51,5 +50,9 @@ + + + ${nuxeo.trustedDomains} + - +
\ No newline at end of file
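Review bot: When `isvalidUrl` is false the `if (isFullpath)` branch now does nothing at all: the navigation is silently dropped with no log, error or fallback, so a host missing from `nuxeo.trustedDomains` looks to the user like a dead link and leaves nothing for an operator to diagnose. An explicit branch such as `} else { console.warn('Redirect target is not in nuxeo.trustedDomains, navigation blocked'); }` (or an app-level notification) would make the refusal visible. Note also that `getTrustedDomains` calls `new URL(path)`, which throws a TypeError for a value such as `http://` that satisfies the `/^http(s)?:\/\//` test but is not a parseable URL, and nothing in this branch catches it. The enclosing `app.router` method starts outside the hunk.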