add a redirect page warning user about possible attack

Signed-off-by: Jakub Sokołowski <jakub@status.im>
2025-02-22 15:48:05 +00:00 · 2020-04-02 11:27:57 +02:00 · 2020-04-02 11:27:57 +02:00 · e5bf39d23a
commit e5bf39d23a
parent 951c6723ee
5 changed files with 43 additions and 9 deletions
--- a/routes/index.js
+++ b/routes/index.js
@ -32,6 +32,17 @@ const handleError = (msg) => (
  }
 )

+/* Helper for redirecting to upper case URLs */
+const handleRedirect = (req, res, next) => (
+  res.render('index', {
+    title: 'Redirecting form upper case',
+    redirect: {
+      name: req.params[0].toLowerCase(),
+      path: req.originalUrl.toLowerCase(),
+    },
+  })
+)
+
 /* Open Website/Dapp in Status */
 const handleSite = (req, res) => {
  let { url } = req.params
@ -114,13 +125,14 @@ router.get(/^\/u\/(0[xX]04[0-9a-fA-F]{1,127})$/, handleError('Incorrect length o
 router.get(/^\/u\/(0[xX]04[0-9a-fA-F]{129,})$/, handleError('Incorrect length of chat key'))
 router.get(/^\/user\/(0[xX]04[0-9a-fA-F]{128})$/, handleChatKey) /* Legacy */

-router.get(/^\/u\/.*[A-Z]+.*$/, handleError('Upper case ENS names are invalid'))
+router.get(/^\/u\/(.*[A-Z]+.*)$/, handleRedirect)
 router.get(/^\/u\/(.+)$/, handleEnsName)
 router.get(/^\/user\/(.+)$/, handleEnsName) /* Legacy */

 router.get(/^\/([a-z0-9-]+)$/, handlePublicChannel)
+router.get(/^\/([a-zA-Z0-9-]+)$/, handleRedirect)
 router.get(/^\/chat\/public\/([a-z0-9-]+)$/, handlePublicChannel) /* Legacy */
-router.get(/^\/chat\/public\/([a-zA-Z0-9-]+)$/, (req, res) => res.redirect(req.originalUrl.toLowerCase()))
+router.get(/^\/chat\/public\/([a-zA-Z0-9-]+)$/, handleRedirect)
 router.get(/^\/([a-zA-Z0-9-]+)$/, (req, res) => res.redirect(req.originalUrl.toLowerCase()))

 /* Catchall for everything else */
--- a/tests/main.js
+++ b/tests/main.js
@ -18,7 +18,7 @@ const get = (path) => (

 /* helpers for querying returned HTML */
 const q = (res, query) => cheerio.load(res.text)(query)
-const html = (res, query) => cheerio.load(res.text)(query).html().trim()
+const html = (res, query) => (cheerio.load(res.text)(query).html() || "").trim()
 const meta = (res, name) => q(res, `meta[property="${name}"]`).attr('content')

 test('test browser routes', t => {
@ -41,10 +41,12 @@ test('test user ens routes', t => {
    t.eq(html(res, 'div.info'), 'Chat and transact with <span>@jakubgs.eth</span> in Status.', 'contains prompt')
  })

-  t.test('/u/jAkuBgs.eth.eth - UPPER CASE', async t => { /* we don't allow uppercase */
+  t.test('/u/jAkuBgs.eth - UPPER CASE', async t => { /* we don't allow uppercase */
    const res = await get('/u/jAkuBgs.eth')
-    t.eq(res.statusCode, 400, 'returns 400')
-    t.eq(html(res, 'code#error'), 'Upper case ENS names are invalid', 'contains error')
+    t.eq(res.statusCode, 200, 'returns 200')
+    t.eq(q(res, 'a#redirect').attr('href'), '/u/jakubgs.eth', 'lower case url')
+    t.eq(html(res, 'a#redirect'), 'Redirect Me', 'redirect button')
+    t.eq(html(res, 'div.info'), 'Beware of phishing attacks.', 'contains warning')
  })
 })

@ -91,8 +93,10 @@ test('test public channel routes', t => {

  t.test('/staTus-TesT - UPPER CASE', async t => { /* we don't allow uppercase */
    const res = await get('/staTus-TesT')
-    t.eq(res.statusCode, 302, 'returns 302')
-    t.eq(res.headers['location'], '/status-test', 'redirects to lowercase')
+    t.eq(res.statusCode, 200, 'returns 200')
+    t.eq(q(res, 'a#redirect').attr('href'), '/status-test', 'lower case url')
+    t.eq(html(res, 'a#redirect'), 'Redirect Me', 'redirect button')
+    t.eq(html(res, 'div.info'), 'Beware of phishing attacks.', 'contains warning')
  })
 })

--- a/views/index.ejs
+++ b/views/index.ejs
@ -166,6 +166,8 @@
    </header>
    <%if (locals.error) { %>
    <%- include('fail') %>
+    <% } else if (locals.redirect) { %>
+    <%- include('redirect') %>
    <% } else { %>
    <%- include('join') %>
    <% } %>
--- a/views/join.ejs
+++ b/views/join.ejs
@ -12,7 +12,7 @@
              <div class="inner" id="copy-target"><%= mainTarget %></div>
              <a href="#" data-clipboard-target="#copy-target">Copy</a>
            </div>
-            <button href="status-im:/<%= path %>" onclick="return redirectToAppOrStore();" class="btn btn-purple-fill">Open in Status</button>
+            <a href="status-im:/<%= path %>" id="open" onclick="return redirectToAppOrStore();" class="btn btn-purple-fill">Open in Status</a>
            <div class="info">
              <%- info %>
            </div>
--- a/views/redirect.ejs
+++ b/views/redirect.ejs
@ -0,0 +1,16 @@
+<section class="join-content p-b-160 p-t-160 text-center">
+  <div class="container">
+    <div class="row">
+      <div class="col-md-12">
+        <h3 id="header" class="break-word">Upper case link detected</h3>
+        <p>Would you like to be redirected?</p>
+        <div class="copy">
+          <div class="inner" id="copy-target"><%= redirect.name %></div>
+          <a href="#" data-clipboard-target="#copy-target">Copy</a>
+        </div>
+        <a href="<%= redirect.path %>" id="redirect" class="btn btn-purple-fill">Redirect Me</a>
+        <div class="info">Beware of phishing attacks.</div>
+      </div>
+    </div>
+  </div>
+</section>