Prevent XSS via Unsafe Redirect in OAuth Flow#19

Open
Aryan1296 wants to merge 5 commits into usarfoss:main from Aryan1296:issue-2-fix

@Aryan1296

Fix: #15 Prevent XSS via Unsafe Redirect in OAuth Flow
This pull request addresses a critical Cross-Site Scripting (XSS) vulnerability found in the OAuth redirect handling logic within hello.all.js. The issue stems from the application's use of user-supplied URL parameters to perform a client-side redirect without proper validation.

Vulnerability Details

The script unsafely uses the oauth_redirect parameter from the URL hash and the oauth_proxy value from a JSON-parsed state parameter to redirect the user via location.assign(). An attacker can abuse this by providing a URL with the javascript: protocol, which leads to the execution of arbitrary code in the context of the user's session.

Proof of Concept (PoC) Payloads:

Using the state parameter:

?state={"oauth_proxy":"javascript:alert(document.domain)//"}&code=0

Using the oauth_redirect parameter:

#oauth_redirect=javascript:alert(1)
Vulnerable Code Snippets:

```javascript
// Vulnerable to hash-based payload
else if ('oauth_redirect' in p) {
  var url = decodeURIComponent(p.oauth_redirect);
  location.assign(url); // Unsafe assignment
  return;
}

// Vulnerable to state parameter payload
if (p && p.state && (p.code || p.oauth_token)) {
  var state = JSON.parse(p.state);
  // ...
  var path = _this.qs(state.oauth_proxy, p);
  location.assign(path); // Unsafe assignment
  return;
}
```

The Fix

This PR introduces a URL validation mechanism to sanitize all redirect targets before they are passed to location.assign().

The fix implements the following checks:

Protocol Validation: It ensures that any provided URL either begins with https:// or http://, or is a relative path starting with /.

Invalid Protocol Rejection: It explicitly blocks malicious protocols like javascript:, data:, and others.

Safe Fallback: If a URL is found to be invalid or unsafe, the redirect is aborted, preventing the XSS payload from executing.
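An added example for this page, not code from the hello.js repository or from this PR's diff (which is not shown here): a validator implementing the three checks described above, applied to both redirect paths from the vulnerable snippets. The helper names (isSafeRedirectTarget, safeRedirect, handleOAuthCallback), the query-string assembly standing in for the project's _this.qs(), and the injectable navigate callback are assumptions. It also goes one step beyond the description by rejecting protocol-relative targets such as //host (which start with / but leave the origin) and by removing the tab and newline characters a browser's URL parser strips before it decides on a scheme.

```javascript
// Added example for this page, not code from the hello.js repository or from
// this PR's diff. Helper names (isSafeRedirectTarget, safeRedirect,
// handleOAuthCallback) and the query-string assembly are assumptions.

// Returns true only for targets the OAuth flow may redirect to: an absolute
// http(s) URL or a same-origin path. Everything else (javascript:, data:,
// vbscript:, blob:, protocol-relative //host, ...) falls through to false.
function isSafeRedirectTarget(target) {
  if (typeof target !== 'string' || target.length === 0) {
    return false;
  }
  // Mirror the browser's URL parser before checking: it strips leading and
  // trailing C0 controls/spaces and removes embedded tab, LF and CR, so
  // " javascript:..." and "java\nscript:..." would still reach the
  // javascript: handler if only the raw string were inspected.
  const t = target
    .replace(/^[\x00-\x20]+|[\x00-\x20]+$/g, '')
    .replace(/[\t\n\r]/g, '');

  // Absolute URLs: only http:// and https://, scheme compared case-insensitively.
  if (/^https?:\/\//i.test(t)) {
    return true;
  }
  // Relative paths: a single leading "/". "//host" and "/\host" are
  // protocol-relative (browsers treat "\" as "/" for http(s)) and would land
  // on another origin, so they are rejected; this goes beyond the PR
  // description's "relative path starting with /".
  if (t.charAt(0) === '/' && t.charAt(1) !== '/' && t.charAt(1) !== '\\') {
    return true;
  }
  return false;
}

// Safe fallback: navigate only when the target validates, otherwise abort.
// `navigate` is injectable so the logic can be exercised outside a browser.
function safeRedirect(target, navigate) {
  if (!isSafeRedirectTarget(target)) {
    return false; // redirect aborted; the payload never executes
  }
  const go = navigate || function (url) { location.assign(url); };
  go(target);
  return true;
}

// The two redirect paths from the PR description with validation applied.
// `p` is the already-parsed query/hash parameter object.
function handleOAuthCallback(p, navigate) {
  if (p && p.state && (p.code || p.oauth_token)) {
    let state;
    try {
      state = JSON.parse(p.state);
    } catch (e) {
      return 'invalid-state';
    }
    // Stand-in for the project's _this.qs(): append the callback parameters
    // to the proxy URL, then validate the assembled target, not just the prefix.
    const proxy = String(state.oauth_proxy || '');
    const query = Object.keys(p)
      .map((k) => encodeURIComponent(k) + '=' + encodeURIComponent(p[k]))
      .join('&');
    const path = proxy + (proxy.indexOf('?') === -1 ? '?' : '&') + query;
    return safeRedirect(path, navigate) ? 'redirected' : 'aborted';
  }
  if (p && 'oauth_redirect' in p) {
    let url;
    try {
      url = decodeURIComponent(p.oauth_redirect);
    } catch (e) {
      return 'aborted'; // malformed percent-encoding
    }
    return safeRedirect(url, navigate) ? 'redirected' : 'aborted';
  }
  return 'ignored';
}

// Constructed sample inputs: the two PoC payloads from the PR, plus a benign one.
const samples = [
  { state: '{"oauth_proxy":"javascript:alert(document.domain)//"}', code: '0' },
  { oauth_redirect: 'javascript:alert(1)' },
  { state: '{"oauth_proxy":"https://proxy.example/oauth"}', code: 'abc' },
];
for (const p of samples) {
  const outcome = handleOAuthCallback(p, (url) => console.log('navigate ->', url));
  console.log(outcome, JSON.stringify(p));
}
```

Both PoC payloads end in `aborted` without the navigate callback ever being called, while the benign proxy URL is redirected with the callback parameters appended. Validating the fully assembled path rather than only the proxy prefix matters because the query string is attacker-influenced too, and the allowlist approach (accept only http, https and same-origin paths) avoids the blocklist trap of enumerating dangerous schemes.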
