diff --git a/app/src/Server.js b/app/src/Server.js
index bb924cfe..5a9466c5 100644
--- a/app/src/Server.js
+++ b/app/src/Server.js
@@ -58,7 +58,7 @@ dev dependencies: {
* @license For commercial or closed source, contact us at license.mirotalk@gmail.com or purchase directly via CodeCanyon
* @license CodeCanyon: https://codecanyon.net/item/mirotalk-sfu-webrtc-realtime-video-conferences/40769970
* @author Miroslav Pejic - miroslav.pejic.85@gmail.com
- * @version 1.7.26
+ * @version 1.7.27
*
*/
@@ -408,7 +408,7 @@ function startServer() {
// Remove trailing slashes in url handle bad requests
app.use((err, req, res, next) => {
- if (err instanceof SyntaxError || err.status === 400 || 'body' in err) {
+ if (err && (err instanceof SyntaxError || err.status === 400 || 'body' in err)) {
log.error('Request Error', {
header: req.headers,
body: req.body,
@@ -416,12 +416,19 @@ function startServer() {
});
return res.status(400).send({ status: 404, message: err.message }); // Bad request
}
- if (req.path.substr(-1) === '/' && req.path.length > 1) {
- let query = req.url.slice(req.path.length);
- res.redirect(301, req.path.slice(0, -1) + query);
- } else {
- next();
+
+ // Prevent open redirect attacks by checking if the path is an external domain
+ const cleanPath = req.path.replace(/^\/+/, '');
+ if (/^([a-zA-Z0-9-]+\.)+[a-zA-Z]{2,}/.test(cleanPath)) {
+ return res.status(400).send('Bad Request: Potential Open Redirect Detected');
}
+
+ if (req.path.endsWith('/') && req.path.length > 1) {
+ let query = req.url.substring(req.path.length).replace(/\/$/, ''); // Ensure query params don't end in '/'
+ return res.redirect(301, req.path.slice(0, -1) + query);
+ }
+
+ next();
});
// OpenID Connect - Dynamically set baseURL based on incoming host and protocol
diff --git a/package.json b/package.json
index 9f2c01d6..2d49ba98 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
{
"name": "mirotalksfu",
- "version": "1.7.26",
+ "version": "1.7.27",
"description": "WebRTC SFU browser-based video calls",
"main": "Server.js",
"scripts": {
@@ -58,13 +58,13 @@
},
"dependencies": {
"@mattermost/client": "10.2.0",
- "@sentry/node": "^9.0.0",
+ "@sentry/node": "^9.0.1",
"axios": "^1.7.9",
"colors": "1.4.0",
- "compression": "1.7.5",
+ "compression": "1.8.0",
"cors": "2.8.5",
"crypto-js": "4.2.0",
- "discord.js": "^14.17.3",
+ "discord.js": "^14.18.0",
"dompurify": "^3.2.4",
"express": "4.21.2",
"express-openid-connect": "^2.17.1",
diff --git a/public/js/Brand.js b/public/js/Brand.js
index 070037a4..ccf32add 100644
--- a/public/js/Brand.js
+++ b/public/js/Brand.js
@@ -64,7 +64,7 @@ let BRAND = {
},
about: {
imageUrl: '../images/mirotalk-logo.gif',
- title: 'WebRTC SFU v1.7.26',
+ title: 'WebRTC SFU v1.7.27',
html: `
diff --git a/public/js/RoomClient.js b/public/js/RoomClient.js
index 070bf52d..6a8200c7 100644
--- a/public/js/RoomClient.js
+++ b/public/js/RoomClient.js
@@ -9,7 +9,7 @@
* @license For commercial or closed source, contact us at license.mirotalk@gmail.com or purchase directly via CodeCanyon
* @license CodeCanyon: https://codecanyon.net/item/mirotalk-sfu-webrtc-realtime-video-conferences/40769970
* @author Miroslav Pejic - miroslav.pejic.85@gmail.com
- * @version 1.7.26
+ * @version 1.7.27
*
*/
diff --git a/tests/test-OpenRedirect.js b/tests/test-OpenRedirect.js
new file mode 100644
index 00000000..e1325810
--- /dev/null
+++ b/tests/test-OpenRedirect.js
@@ -0,0 +1,111 @@
+const sinon = require('sinon');
+
+describe('test-OpenRedirect', function () {
+ let req, res, next, log;
+
+ beforeEach(() => {
+ req = { path: '', url: '', headers: {}, body: {} };
+ res = {
+ status: sinon.stub().returnsThis(),
+ send: sinon.stub(),
+ redirect: sinon.stub(),
+ };
+ next = sinon.spy();
+ log = { error: sinon.spy() }; // Mock the logger
+ });
+
+ // Middleware function to test
+ const middleware = (err, req, res, next) => {
+ if (err && (err instanceof SyntaxError || err.status === 400 || 'body' in err)) {
+ log.error('Request Error', {
+ header: req.headers,
+ body: req.body,
+ error: err.message,
+ });
+ return res.status(400).send({ status: 404, message: err.message }); // Bad request
+ }
+
+ // Prevent open redirect attacks by checking if the path is an external domain
+ const cleanPath = req.path.replace(/^\/+/, '');
+ if (/^([a-zA-Z0-9-]+\.)+[a-zA-Z]{2,}/.test(cleanPath)) {
+ return res.status(400).send('Bad Request: Potential Open Redirect Detected');
+ }
+
+ if (req.path.endsWith('/') && req.path.length > 1) {
+ let query = req.url.substring(req.path.length).replace(/\/$/, ''); // Ensure query params don't end in '/'
+ return res.redirect(301, req.path.slice(0, -1) + query);
+ }
+
+ next();
+ };
+
+ it('should prevent open redirect attempts', function () {
+ req.path = '//google.com/';
+
+ middleware(null, req, res, next);
+
+ res.status.calledOnceWithExactly(400).should.be.true();
+ res.send.calledOnceWithExactly('Bad Request: Potential Open Redirect Detected').should.be.true();
+ });
+
+ it('should handle query parameters correctly when removing trailing slash', function () {
+ req.path = '/join/';
+ req.url = '/join/?room=4b874c64-a8bd-4a82-a91e-53acc420b4b3uch/';
+
+ middleware(null, req, res, next);
+
+ res.redirect.calledOnce.should.be.true();
+ res.redirect.calledWith(301, '/join?room=4b874c64-a8bd-4a82-a91e-53acc420b4b3uch').should.be.true();
+ });
+
+ it('should handle query parameters correctly', function () {
+ req.path = '/join/';
+ req.url = '/join/?room=123';
+
+ middleware(null, req, res, next);
+
+ res.redirect.calledOnce.should.be.true();
+ res.redirect.calledWith(301, '/join?room=123').should.be.true();
+ });
+
+ it('should handle query parameters correctly', function () {
+ req.path = '/join/';
+ req.url =
+ '/join/?room=test&roomPassword=0&name=mirotalksfu&audio=1&video=1&screen=0&hide=0¬ify=1&duration=00:00:30';
+
+ middleware(null, req, res, next);
+
+ res.redirect.calledOnce.should.be.true();
+ res.redirect
+ .calledWith(
+ 301,
+ '/join?room=test&roomPassword=0&name=mirotalksfu&audio=1&video=1&screen=0&hide=0¬ify=1&duration=00:00:30',
+ )
+ .should.be.true();
+ });
+
+ it('should handle query parameters with token', function () {
+ req.path = '/join/';
+ req.url =
+ '/join/?room=test&roomPassword=0&name=mirotalksfu&audio=1&video=1&screen=0&hide=0¬ify=0&token=token';
+
+ middleware(null, req, res, next);
+
+ res.redirect.calledOnce.should.be.true();
+ res.redirect
+ .calledWith(
+ 301,
+ '/join?room=test&roomPassword=0&name=mirotalksfu&audio=1&video=1&screen=0&hide=0¬ify=0&token=token',
+ )
+ .should.be.true();
+ });
+
+ it('should call next() if no conditions are met', function () {
+ req.path = '/valid-path';
+ req.url = '/valid-path';
+
+ middleware(null, req, res, next);
+
+ next.calledOnce.should.be.true();
+ });
+});