From 9061af54bfef59d173221ab89668c520fa3f6e51 Mon Sep 17 00:00:00 2001
From: Kyle Spearrin
Date: Tue, 9 Nov 2021 12:17:30 -0500
Subject: [PATCH] limit duo connector hosts to duo-owned domains (#1283)

---
 src/connectors/duo.ts | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/connectors/duo.ts b/src/connectors/duo.ts
index 1c0fb8d4ce..f31011987b 100644
--- a/src/connectors/duo.ts
+++ b/src/connectors/duo.ts
@@ -12,6 +12,12 @@ document.addEventListener('DOMContentLoaded', event => {
 const hostParam = getQsParam('host');
 const requestParam = getQsParam('request');
 
+
+ var hostUrl = new URL('https://' + hostParam);
+ if (!hostUrl.hostname.endsWith('.duosecurity.com') && !hostUrl.hostname.endsWith('.duofederal.com')) {
+ return;
+ }
+
 DuoWebSDK.init({
 iframe: 'duo_iframe',
 host: hostParam,
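Review bot: The guard validates the parsed `hostUrl.hostname`, but the raw query-string value `hostParam` is still what reaches `DuoWebSDK.init({ host: hostParam })`, so a value such as `user@api-xxx.duosecurity.com`, `api-xxx.duosecurity.com/extra` or `api-xxx.duosecurity.com#...` passes the suffix check while the SDK receives userinfo, path or fragment text it was presumably not written to expect; the validated and the used value should be the same, `host: hostUrl.hostname,` (or `hostUrl.host` if a port must be preserved). It would also be worth rejecting anything beyond a bare host up front, e.g. `if (hostUrl.username !== '' || hostUrl.pathname !== '/' || hostUrl.search !== '' || hostUrl.hash !== '') { return; }`. Note that `new URL()` throws on a malformed value and a missing parameter yields the host `null`; both fail closed here, but a one-line comment saying so (`// invalid or non-Duo host: abort init rather than embed an arbitrary origin`) would make the intent clear to the next reader. Stylistically, `var hostUrl` should be `const hostUrl` to match the adjacent declarations. The enclosing DOMContentLoaded handler continues outside this hunk.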