ensure path param is valid path

gravitational · Jul 1, 2022 · da79a25 · da79a25
1 parent 341ad99
commit da79a25
Showing 1 changed file with 4 additions and 1 deletion.
diff --git a/lib/web/app/redirect.go b/lib/web/app/redirect.go
@@ -78,7 +78,10 @@ const js = `
         }).then(response => {
           if (response.ok) {
             try {
-                window.location.replace(url.origin + path);
+              if (path.charAt(0) !== "/") {
+                throw "malformed url"
+              }
+              window.location.replace(url.origin + path);
             } catch (error) {
                 // in case of malformed url, return to origin
                 window.location.replace(url.origin)