|
| 1 | +import { describe, it, expect } from 'vitest'; |
| 2 | +import { safeRedirect, DEFAULT_REDIRECT } from '../../src/routes/auth/login/safe-redirect'; |
| 3 | + |
| 4 | +describe('safeRedirect', () => { |
| 5 | + it('accepts same-origin absolute paths', () => { |
| 6 | + expect(safeRedirect('/portal/dashboard')).toBe('/portal/dashboard'); |
| 7 | + expect(safeRedirect('/portal/settings')).toBe('/portal/settings'); |
| 8 | + expect(safeRedirect('/')).toBe('/'); |
| 9 | + expect(safeRedirect('/a?b=c#d')).toBe('/a?b=c#d'); |
| 10 | + }); |
| 11 | + |
| 12 | + it('falls back for missing values', () => { |
| 13 | + expect(safeRedirect(null)).toBe(DEFAULT_REDIRECT); |
| 14 | + expect(safeRedirect(undefined)).toBe(DEFAULT_REDIRECT); |
| 15 | + expect(safeRedirect('')).toBe(DEFAULT_REDIRECT); |
| 16 | + }); |
| 17 | + |
| 18 | + it('rejects values that do not start with a slash', () => { |
| 19 | + expect(safeRedirect('portal/dashboard')).toBe(DEFAULT_REDIRECT); |
| 20 | + expect(safeRedirect('https://evil.example')).toBe(DEFAULT_REDIRECT); |
| 21 | + expect(safeRedirect('http://evil.example/path')).toBe(DEFAULT_REDIRECT); |
| 22 | + expect(safeRedirect('javascript:alert(1)')).toBe(DEFAULT_REDIRECT); |
| 23 | + expect(safeRedirect(' /portal/dashboard')).toBe(DEFAULT_REDIRECT); |
| 24 | + }); |
| 25 | + |
| 26 | + it('rejects protocol-relative URLs', () => { |
| 27 | + expect(safeRedirect('//evil.example')).toBe(DEFAULT_REDIRECT); |
| 28 | + expect(safeRedirect('//evil.example/path')).toBe(DEFAULT_REDIRECT); |
| 29 | + }); |
| 30 | + |
| 31 | + it('rejects the backslash variant browsers normalise to protocol-relative', () => { |
| 32 | + expect(safeRedirect('/\\evil.example')).toBe(DEFAULT_REDIRECT); |
| 33 | + expect(safeRedirect('/\\/evil.example')).toBe(DEFAULT_REDIRECT); |
| 34 | + }); |
| 35 | + |
| 36 | + it('rejects control chars browsers strip before navigating (TAB/LF/CR)', () => { |
| 37 | + // Browsers drop these, so `/\t/evil.example` etc. would normalise to |
| 38 | + // `//evil.example` (off-origin) if they slipped past the slash checks. |
| 39 | + expect(safeRedirect('/\t/evil.example')).toBe(DEFAULT_REDIRECT); |
| 40 | + expect(safeRedirect('/\n/evil.example')).toBe(DEFAULT_REDIRECT); |
| 41 | + expect(safeRedirect('/\r/evil.example')).toBe(DEFAULT_REDIRECT); |
| 42 | + expect(safeRedirect('/\t\\evil.example')).toBe(DEFAULT_REDIRECT); |
| 43 | + expect(safeRedirect('\t//evil.example')).toBe(DEFAULT_REDIRECT); |
| 44 | + expect(safeRedirect('/foo\nbar')).toBe(DEFAULT_REDIRECT); |
| 45 | + }); |
| 46 | +}); |
0 commit comments