Prevent open redirect when checking SSO

jonkoops · jviding · stianst · commit 15ef5df4de8a · 2023-03-01T19:30:19.000+01:00
Co-authored-by: Jasu Viding &lt;jasu.viding@gmail.com&gt;
diff --git a/middleware/check-sso.js b/middleware/check-sso.js
@@ -61,7 +61,8 @@ module.exports = function (keycloak) {
       delete urlParts.query.auth_callback
       delete urlParts.query.state
 
-      const cleanUrl = URL.format(urlParts)
+      // Collapse leading slashes to a single slash to prevent open redirects
+      const cleanUrl = URL.format(urlParts).replace(/^\/+/, '/')
 
       //  Check SSO process is completed
       request.session.auth_is_check_sso_complete = true
