Defect type: URL redirection
Defect description: If unvalidated input is allowed to control the URL used by the redirection mechanism, it may help attackers launch phishing attacks.
Propagation path: [source] reads the contents of process.env; [sink] the assignment operation writes the value to location.href
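if (code === 401) {
  if (!isRelogin.show) {
    isRelogin.show = true;
    // Dialog text: "Your login session has expired. You can stay on this page or log in again."
    // Title: "System prompt"; buttons: "Log in again" / "Cancel"
    MessageBox.confirm('登录状态已过期,您可以继续留在该页面,或者重新登录', '系统提示', {
      confirmButtonText: '重新登录',
      cancelButtonText: '取消',
      type: 'warning'
    }).then(() => {
      isRelogin.show = false;
      store.dispatch('LogOut').then(() => {
        // Flagged line: the redirect target is built from process.env
        location.href = process.env.VUE_APP_CONTEXT_PATH + "index";
      })
    }).catch(() => {
      isRelogin.show = false;
    });
  }
  // Rejection message: "Invalid session, or the session has expired; please log in again."
  return Promise.reject('无效的会话,或者会话已过期,请重新登录。')
}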
Solution:
Change
  location.href = process.env.VUE_APP_CONTEXT_PATH + "index";
to
  location.reload();
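
Where the redirect to the index page has to be kept instead of a reload, the composed target can be checked against the current origin before it is assigned. The following is an added example, not code from the project; `resolveSameOrigin`, `redirectOrReload`, the `loc` parameter and the sample origins are hypothetical names and constructed values.

```javascript
// Added example: only follow a redirect target that stays on the current origin.
// All names here are hypothetical; they are not part of the reported project.

// Returns a same-origin path (pathname + query + hash), or null if the
// composed value would leave the current origin.
function resolveSameOrigin(contextPath, page, currentOrigin) {
  const candidate = String(contextPath ?? "") + page;
  let url;
  try {
    // Parsing with the URL class applies the same normalization as the
    // browser (protocol-relative "//host", backslashes, stray whitespace).
    url = new URL(candidate, currentOrigin);
  } catch {
    return null;
  }
  if (url.origin !== new URL(currentOrigin).origin) return null;
  return url.pathname + url.search + url.hash;
}

// loc stands in for window.location; falls back to the reload from the
// solution above when the target is rejected.
function redirectOrReload(contextPath, page, loc) {
  const target = resolveSameOrigin(contextPath, page, loc.origin);
  if (target === null) {
    loc.reload();
    return "reload";
  }
  loc.href = target;
  return target;
}
```

In the interceptor this would be called as `redirectOrReload(process.env.VUE_APP_CONTEXT_PATH, "index", window.location)`.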