GHSA-rvp5-9p55-f5rp
NocoDB: Open Redirect via Hash Fragment in hashRedirect Plugin
Details
### Summary
The client-side `hashRedirect` plugin called `window.location.replace()` on a path extracted from the URL hash fragment after only checking `hashPath.startsWith('/')`. Protocol-relative URLs (`//attacker.com/…`) also satisfy that check, so a crafted link such as `https://nocodb.example/#//attacker.com/phishing` silently redirected visitors to an attacker-controlled origin.
### Details
In `packages/nc-gui/plugins/hashRedirect.client.ts`, the plugin extracted the hash content and normalised it into `cleanUrl`:
```ts
// Vulnerable normalisation (pre-fix): the only check is for a leading '/',
// which a protocol-relative value such as '//attacker.com/...' also satisfies.
let cleanUrl = hashPath.startsWith('/') ? hashPath : `/${hashPath}`
if (hashQuery) cleanUrl += `?${hashQuery}`
window.location.replace(cleanUrl)
```
`startsWith('/')` returns true for `//attacker.com/...`, which browsers interpret as a protocol-relative absolute URL. No hostname check was performed before the redirect. The fix adds an early `if (/^\/[/\\]/.test(hashPath)) return` to reject protocol-relative paths.
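As an added example that is not NocoDB's own code, the pre-fix normalisation is shown beside a hardened version, both written as pure functions (the `splitHash` helper and `APP_ORIGIN` are assumptions) so they can be exercised without a browser. The hardened version also resolves the result against the application origin and compares, which goes beyond the one-line regex fix described above.

```typescript
// Added example (not NocoDB's code). APP_ORIGIN is a constructed value.
const APP_ORIGIN = 'https://nocodb.example'

// Splits a location hash such as '#/dashboard?x=1' into path and query.
// Assumed to mirror what the plugin does before normalising.
function splitHash(hash: string): { hashPath: string; hashQuery: string } {
  const body = hash.startsWith('#') ? hash.slice(1) : hash
  const q = body.indexOf('?')
  return q === -1
    ? { hashPath: body, hashQuery: '' }
    : { hashPath: body.slice(0, q), hashQuery: body.slice(q + 1) }
}

// Pre-fix logic: startsWith('/') accepts '//attacker.com/...' as a "path".
// Returns the value that would have been passed to window.location.replace().
function vulnerableTarget(hash: string): string {
  const { hashPath, hashQuery } = splitHash(hash)
  let cleanUrl = hashPath.startsWith('/') ? hashPath : `/${hashPath}`
  if (hashQuery) cleanUrl += `?${hashQuery}`
  return cleanUrl
}

// Hardened logic: reject '//' and '/\' prefixes (the advisory's regex), then
// confirm the resolved URL still lives on the application origin.
// Returns null when the redirect must not happen.
function safeTarget(hash: string, origin: string = APP_ORIGIN): string | null {
  const { hashPath, hashQuery } = splitHash(hash)
  if (/^\/[/\\]/.test(hashPath)) return null // protocol-relative: refuse
  let cleanUrl = hashPath.startsWith('/') ? hashPath : `/${hashPath}`
  if (hashQuery) cleanUrl += `?${hashQuery}`
  // Belt and braces: the WHATWG parser also treats '/\' as '//', so any
  // absolute form the prefix check might miss ends up with a foreign origin.
  const resolved = new URL(cleanUrl, origin)
  if (resolved.origin !== new URL(origin).origin) return null
  return resolved.pathname + resolved.search
}
```

A crafted hash `#//attacker.com/phishing` yields `//attacker.com/phishing` from `vulnerableTarget` but `null` from `safeTarget`, while an ordinary `#/dashboard?x=1` passes through both unchanged.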
### Impact
- Open redirect from any NocoDB origin to an attacker-controlled domain.
- No authentication required; the attack lands the victim on an attacker-controlled page that may impersonate a NocoDB login.
### Credit
This issue was reported by [@fg0x0](https://github.com/fg0x0).