fix only allow redirects on whitelist

2015-09-23 14:54:08 -07:00
parent d573474525
commit baab92e3a0
1 changed files with 15 additions and 7 deletions
--- a/server/middlewares/add-return-to.js
+++ b/server/middlewares/add-return-to.js
@ -12,20 +12,28 @@ const pathsOfNoReturn = [
  'css'
 ];

+const pathsWhiteList = [
+  'news',
+  'challenges',
+  'map',
+  'news'
+];
+
 const pathsOfNoReturnRegex = new RegExp(pathsOfNoReturn.join('|'), 'i');
+const whiteListRegex = new RegExp(pathsWhiteList.join('|'), 'i');

 export default function addReturnToUrl() {
  return function(req, res, next) {
    // Remember original destination before login.
    var path = req.path.split('/')[1];
+    var subPath = req.path.split('/')[2];

-    if (req.method !== 'GET') {
-      return next();
-    }
-    if (pathsOfNoReturnRegex.test(path)) {
-      return next();
-    }
-    if (/\/stories\/\w+/i.test(req.path)) {
+    if (
+      req.method !== 'GET' ||
+      pathsOfNoReturnRegex.test(path) ||
+      !whiteListRegex.test(path) ||
+      (/news/i).test(path) && (/hot/i).test(subPath)
+    ) {
      return next();
    }
    req.session.returnTo = req.path;