From 10a3a05e707ccfa6d1ff798ad8ca177fb28c0d42 Mon Sep 17 00:00:00 2001
From: fourdim <59462000+fourdim@users.noreply.github.com>
Date: Wed, 13 Sep 2023 22:38:48 -0400
Subject: [PATCH] fix: incomplete URL substring sanitization (#4309)
Co-authored-by: Peng Xiao
---
 apps/server/src/modules/auth/next-auth.controller.ts | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/apps/server/src/modules/auth/next-auth.controller.ts b/apps/server/src/modules/auth/next-auth.controller.ts
index 1e562e7088..2e6c0cd992 100644
--- a/apps/server/src/modules/auth/next-auth.controller.ts
+++ b/apps/server/src/modules/auth/next-auth.controller.ts
@@ -179,7 +179,7 @@ export class NextAuthController {
 });
 if (
 !req.headers?.referer ||
- req.headers.referer.startsWith('https://accounts.google.com')
+ checkUrlOrigin(req.headers.referer, 'https://accounts.google.com')
 ) {
 res.redirect('https://community.affine.pro/c/insider-general/');
 } else {
@@ -307,3 +307,11 @@ export class NextAuthController {
 throw new BadRequestException(`User not found`);
 }
 }
+
+const checkUrlOrigin = (url: string, origin: string) => {
+ try {
+ return new URL(url).origin === origin;
+ } catch (e) {
+ return false;
+ }
+};
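Review bot: `checkUrlOrigin` in the second hunk compares the parsed `new URL(url).origin` against the raw `origin` argument, so the expected value must already be a serialized origin — a trailing slash, path, uppercase host or explicit default port in `origin` makes the check silently return false instead of failing loudly, and the same literal comparison is what the call in the first hunk relies on. Normalizing both sides, `return new URL(url).origin === new URL(origin).origin;`, leaves the existing `'https://accounts.google.com'` call behaving exactly as now while making the helper safe for other callers, and the unused binding can be dropped with `} catch {` if the project's compile target allows optional catch binding. A short TSDoc on the helper would also help, e.g. `/** True when url parses and its origin (scheme://host[:port]) equals origin exactly; malformed input yields false. */`. The `if` in the first hunk sits in a method whose body starts and ends outside the hunk, so the `else` branch the check selects is not visible here.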