fix: sanitize URLs used for OAuth auth flow (via #5190)

* fix: sanitize URLs used for OAuth auth flow

* embetter test case

* fix linter issue

Author: shockey

src/core/oauth2-authorize.js

@@ -1,5 +1,5 @@
 import win from "core/window"
-import { btoa } from "core/utils"
+import { btoa, sanitizeUrl } from "core/utils"
 
 export default function authorize ( { auth, authActions, errActions, configs, authConfigs={} } ) {
   let { schema, scopes, name, clientId } = auth
@@ -74,8 +74,9 @@ export default function authorize ( { auth, authActions, errActions, configs, au
     }
   }
 
-  let authorizationUrl = schema.get("authorizationUrl")
-  let url = [authorizationUrl, query.join("&")].join(authorizationUrl.indexOf("?") === -1 ? "?" : "&")
+  const authorizationUrl = schema.get("authorizationUrl")
+  const sanitizedAuthorizationUrl = sanitizeUrl(authorizationUrl)
+  let url = [sanitizedAuthorizationUrl, query.join("&")].join(authorizationUrl.indexOf("?") === -1 ? "?" : "&")
 
   // pass action authorizeOauth2 and authentication data through window
   // to authorize with oauth2

test/e2e-cypress/static/documents/xss/oauth2.yaml

@@ -0,0 +1,5 @@
+swagger: '2.0'
+securityDefinitions:
+  a:
+    type: oauth2
+    authorizationUrl: javascript:alert(document.domain)//

test/e2e-cypress/tests/features/xss/oauth2.js

@@ -0,0 +1,23 @@
+describe("XSS: OAuth2 authorizationUrl sanitization", () => {
+  it("should filter out a javascript URL", () => {
+    cy.visit("/?url=/documents/xss/oauth2.yaml")
+      .window()
+      .then(win => {
+        let args = null
+        const stub = cy.stub(win, "open", (...callArgs) => {
+          args = callArgs
+        }).as("windowOpen")
+
+        cy.get(".authorize")
+          .click()
+          .get(".modal-btn.authorize")
+          .click()
+          .wait(100)
+          .then(() => {
+            console.log(args)
+            expect(args[0]).to.match(/^about:blank/) 
+          })
+
+      })
+  })
+})