[mirotalksfu] - fix open redirect

tests/test-OpenRedirect.js

@@ -0,0 +1,111 @@
+const sinon = require('sinon');
+
+describe('test-OpenRedirect', function () {
+    let req, res, next, log;
+
+    beforeEach(() => {
+        req = { path: '', url: '', headers: {}, body: {} };
+        res = {
+            status: sinon.stub().returnsThis(),
+            send: sinon.stub(),
+            redirect: sinon.stub(),
+        };
+        next = sinon.spy();
+        log = { error: sinon.spy() }; // Mock the logger
+    });
+
+    // Middleware function to test
+    const middleware = (err, req, res, next) => {
+        if (err && (err instanceof SyntaxError || err.status === 400 || 'body' in err)) {
+            log.error('Request Error', {
+                header: req.headers,
+                body: req.body,
+                error: err.message,
+            });
+            return res.status(400).send({ status: 404, message: err.message }); // Bad request
+        }
+
+        // Prevent open redirect attacks by checking if the path is an external domain
+        const cleanPath = req.path.replace(/^\/+/, '');
+        if (/^([a-zA-Z0-9-]+\.)+[a-zA-Z]{2,}/.test(cleanPath)) {
+            return res.status(400).send('Bad Request: Potential Open Redirect Detected');
+        }
+
+        if (req.path.endsWith('/') && req.path.length > 1) {
+            let query = req.url.substring(req.path.length).replace(/\/$/, ''); // Ensure query params don't end in '/'
+            return res.redirect(301, req.path.slice(0, -1) + query);
+        }
+
+        next();
+    };
+
+    it('should prevent open redirect attempts', function () {
+        req.path = '//google.com/';
+
+        middleware(null, req, res, next);
+
+        res.status.calledOnceWithExactly(400).should.be.true();
+        res.send.calledOnceWithExactly('Bad Request: Potential Open Redirect Detected').should.be.true();
+    });
+
+    it('should handle query parameters correctly when removing trailing slash', function () {
+        req.path = '/join/';
+        req.url = '/join/?room=4b874c64-a8bd-4a82-a91e-53acc420b4b3uch/';
+
+        middleware(null, req, res, next);
+
+        res.redirect.calledOnce.should.be.true();
+        res.redirect.calledWith(301, '/join?room=4b874c64-a8bd-4a82-a91e-53acc420b4b3uch').should.be.true();
+    });
+
+    it('should handle query parameters correctly', function () {
+        req.path = '/join/';
+        req.url = '/join/?room=123';
+
+        middleware(null, req, res, next);
+
+        res.redirect.calledOnce.should.be.true();
+        res.redirect.calledWith(301, '/join?room=123').should.be.true();
+    });
+
+    it('should handle query parameters correctly', function () {
+        req.path = '/join/';
+        req.url =
+            '/join/?room=test&roomPassword=0&name=mirotalksfu&audio=1&video=1&screen=0&hide=0&notify=1&duration=00:00:30';
+
+        middleware(null, req, res, next);
+
+        res.redirect.calledOnce.should.be.true();
+        res.redirect
+            .calledWith(
+                301,
+                '/join?room=test&roomPassword=0&name=mirotalksfu&audio=1&video=1&screen=0&hide=0&notify=1&duration=00:00:30',
+            )
+            .should.be.true();
+    });
+
+    it('should handle query parameters with token', function () {
+        req.path = '/join/';
+        req.url =
+            '/join/?room=test&roomPassword=0&name=mirotalksfu&audio=1&video=1&screen=0&hide=0&notify=0&token=token';
+
+        middleware(null, req, res, next);
+
+        res.redirect.calledOnce.should.be.true();
+        res.redirect
+            .calledWith(
+                301,
+                '/join?room=test&roomPassword=0&name=mirotalksfu&audio=1&video=1&screen=0&hide=0&notify=0&token=token',
+            )
+            .should.be.true();
+    });
+
+    it('should call next() if no conditions are met', function () {
+        req.path = '/valid-path';
+        req.url = '/valid-path';
+
+        middleware(null, req, res, next);
+
+        next.calledOnce.should.be.true();
+    });
+});