m/metamask-extension
1
0
Fork 0
mirror of https://github.com/kremalicious/metamask-extension.git synced 2024-12-23 09:52:26 +01:00
Code

phishing-detect - validate redirect url protocol

Browse Source
This commit is contained in:
kumavis 2022-05-02 11:23:20 -10:00 committed by Mark Stacey
parent 16bcd0c0eb
commit c1ca70d732
1 changed files with 11 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
app/scripts/phishing-detect.js
View File

@ -35,6 +35,16 @@ function start() {
params: [suspect.hostname], params: [suspect.hostname],
id: createRandomId(), id: createRandomId(),
}); });
window.location.href = suspect.href; const redirectTarget = new URL(suspect.href, window.location.href);
// validate redirect url
const invalidProtocol = !(['https:', 'http:'].includes(redirectTarget.protocol));
// if in valid, show warning and abort
if (invalidProtocol) {
// we intentionally dont display to the user any potential attacker-written content here
console.error(`Invalid redirect url.`);
return;
};
// use the validated url instance
window.location.href = redirectTarget.href;
}); });
} }