
Own Code Static Scan : Open Redirect



    • Type: Bug
    • Status: In Progress
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 3.0.x, 3.1.x
    • Fix Version/s: 3.0.x, 3.1.x
    • Component/s: Web UI


      MEDIUM - 1 Findings
      CWE 601 URL Redirection to Untrusted Site ('Open Redirect')

      Flaw Category: Insufficient Input Validation

      Description: A web application accepts an untrusted input that specifies a link to an external site, and uses that link to generate a redirect. This enables phishing attacks.

      Remediation: Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. Check the supplied URL against a whitelist of approved URLs or domains before redirecting.

      A screenshot with the code details in Web UI is attached.



      • URLs are sanitized before being used in a redirect
      • A nuxeo.conf property can be configured to set up an allowlist of domains Web UI can redirect to
        • the property is called nuxeo.web.ui.trustedDomains
        • the property takes a list of domains separated by commas, e.g. domain1,domain2
      • when the value is empty / not configured, all domains are considered allowed
      • when the value is filled in, Web UI only allows redirects to the external domains that have been configured
        • subdomains of domains in the list are allowed as well (e.g., I don't have to configure both nuxeo.com and www.nuxeo.com but only nuxeo.com to allow both)
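      The allowlist check described above, written out as an added example (not Nuxeo Web UI's own code). It assumes the raw nuxeo.web.ui.trustedDomains string is passed in as-is, that same-origin targets are always acceptable, and that only http(s) targets count as redirects; the subdomain match is anchored on a dot boundary so that a look-alike host such as evilnuxeo.com does not match nuxeo.com.

```javascript
// Added example: validating a redirect target against a comma-separated
// allowlist in the style of nuxeo.web.ui.trustedDomains (assumed semantics
// from the ticket: empty list = every domain allowed, subdomains allowed).

function parseTrustedDomains(value) {
  // "domain1, Domain2" -> ["domain1", "domain2"]; blanks are dropped.
  return (value || '')
    .split(',')
    .map((d) => d.trim().toLowerCase())
    .filter((d) => d.length > 0);
}

function hostMatches(host, domain) {
  // Exact match, or a real subdomain ("www.nuxeo.com" ends with ".nuxeo.com").
  // The leading dot is what keeps "evilnuxeo.com" from matching "nuxeo.com".
  return host === domain || host.endsWith('.' + domain);
}

function isRedirectAllowed(target, trustedDomainsValue, currentOrigin) {
  const trusted = parseTrustedDomains(trustedDomainsValue);
  let url;
  try {
    // Relative targets resolve against the current origin (assumed input,
    // e.g. "https://app.example.com"); "//host/path" resolves to that host.
    url = new URL(target, currentOrigin);
  } catch (e) {
    return false; // unparsable target: refuse rather than guess
  }
  // Only http(s) targets are treated as redirects; javascript:/data: are refused.
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;
  // Same-origin redirects are not external and are always accepted (assumption).
  if (url.origin === currentOrigin) return true;
  // Empty / unconfigured allowlist: all external domains are allowed.
  if (trusted.length === 0) return true;
  // url.hostname ignores userinfo, so "https://nuxeo.com@evil.com" yields "evil.com".
  return trusted.some((d) => hostMatches(url.hostname, d));
}
```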

