Merge branch 'hotfix/security'

周少峰
Commit 37760b3cd873944e719ead0a4c817320d99e0c77 2 parents ee874509 16a2039c
Showing 2 changed files with 38 additions and 5 deletions
apps/passport/controllers/login.js
apps/passport/models/refer-service.js
--- a/apps/passport/controllers/login.js
View file @37760b3
+++ b/apps/passport/controllers/login.js
View file @37760b3
@@ -18,6 +18,7 @@ const log = global.yoho.logger;
 const config = global.yoho.config;
 const cache = global.yoho.cache;
 const loginService = require('../models/login-service');
+ const referWhiteListService = require('../models/refer-service');
 const PassportHelper = require('../models/passport-helper');
 const simpleHeaderModel = require('../../../doraemon/models/simple-header');
 const loginPage = `${config.siteUrl}/signin.html`;
@@ -29,9 +30,21 @@ function doPassportCallback(req, res, user) {
     let shoppingKey = cookie.getShoppingKey(req);
     let refer = cookie.getRefer(req, config.siteUrl);
 
-     if (/sign|login|reg|passport/.test(refer)) {
+     // 第三方登录不能正确跳转：把需要跳转的链接拿出来
+     // 形如：http://www.yohobuy.com/signin.html?refer=http://item.yohobuy.com/
+     //       product/pro_550930_682618/CLING6970071800516ZhiNengXinLvYunDongShouHuanVOC.html?from=search-s-CLING_1_8'
+     if (_.includes(refer, 'refer=')) {
+         refer = refer.split('refer=')[1];
+     }
+ 
+     if (referWhiteListService(refer)) {
+         if (/sign|login|reg|passport/.test(refer)) {
+             refer = config.siteUrl;
+         }
+     } else {
         refer = config.siteUrl;
     }
+ 
     if (user.openId) {
         user.nickname = _.trim(user.nickname);
 
@@ -168,10 +181,14 @@ const local = {
             }
 
             let refer = (function() {
-                 if (/sign|login|reg|passport/.test(_.get(req.cookies, 'refer', ''))) {
-                     return `${config.siteUrl}/home`;
-                 } else if (_.get(req.cookies, 'refer')) {
-                     return decodeURI(req.cookies.refer);
+                 let referUrl = _.get(req.cookies, 'refer', '');
+ 
+                 if (referWhiteListService(referUrl)) {
+                     if (/sign|login|reg|passport/.test(referUrl)) {
+                         return `${config.siteUrl}/home`;
+                     } else {
+                         return decodeURI(req.cookies.refer);
+                     }
                 } else {
                     return `${config.siteUrl}/home`;
                 }
--- a/apps/passport/models/refer-service.js 0 → 100644
View file @37760b3
+++ b/apps/passport/models/refer-service.js 0 → 100644
View file @37760b3
+ /**
+  * 跳转白名单，只有这个才能正确跳转
+  * Created by TaoHuang on 2016/11/29.
+  */
+ 
+ 'use strict';
+ 
+ const _ = require('lodash');
+ const url = require('url');
+ const config = global.yoho.config;
+ 
+ const allowedList = [/yohobuy\.com$/i, /yoho\.cn$/i];
+ 
+ module.exports = (refer) => {
+     return _.some(allowedList, allowed => allowed.test(url.parse(refer || config.siteUrl).hostname));
+ };