Merge pull request #967 from simple-login/fix/open-redirect

Fix open redirect
This commit is contained in:
Adrià Casajús 2022-05-11 14:57:39 +02:00 committed by GitHub
commit a8c01a1443
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 6 additions and 4 deletions


@ -80,10 +80,11 @@ class NextUrlSanitizer:
def sanitize(url: Optional[str], allowed_domains: List[str]) -> Optional[str]: def sanitize(url: Optional[str], allowed_domains: List[str]) -> Optional[str]:
if not url: if not url:
return None return None
result = urllib.parse.urlparse(url) replaced = url.replace("\\", "/")
result = urllib.parse.urlparse(replaced)
if result.hostname: if result.hostname:
if result.hostname in allowed_domains: if result.hostname in allowed_domains:
return url return replaced
else: else:
return None return None
if result.path and result.path[0] == "/": if result.path and result.path[0] == "/":
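Review bot: The path branch on the last line of this hunk accepts any parsed path beginning with `/` without checking that `result.scheme` and `result.netloc` are empty, so an input that still carries a scheme, or whose leading run of slashes browsers resolve as an authority, can skip the allow-list only because urlparse assigned it no hostname. The guard would be safer as `if not result.scheme and not result.netloc and not replaced.startswith("//") and result.path.startswith("/"):`; the body of that branch and the rest of `sanitize` are outside this hunk, so what it finally returns cannot be confirmed here. The new normalisation line also deserves a why-comment, e.g. `# Browsers treat "\" as "/" in URLs; normalise before parsing so the hostname check sees the host the browser will navigate to.`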


@ -1,4 +1,4 @@
from typing import List from typing import List, Optional
from urllib.parse import parse_qs from urllib.parse import parse_qs
import pytest import pytest
@ -34,11 +34,12 @@ def generate_sanitize_url_cases() -> List:
cases.append([f"https://{domain}/sub", f"https://{domain}/sub"]) cases.append([f"https://{domain}/sub", f"https://{domain}/sub"])
cases.append([domain, None]) cases.append([domain, None])
cases.append([f"//{domain}", f"//{domain}"]) cases.append([f"//{domain}", f"//{domain}"])
cases.append([f"https://google.com\\@{domain}/haha", None])
return cases return cases
@pytest.mark.parametrize("url,expected", generate_sanitize_url_cases()) @pytest.mark.parametrize("url,expected", generate_sanitize_url_cases())
def test_sanitize_url(url, expected): def test_sanitize_url(url: str, expected: Optional[str]):
sanitized = sanitize_next_url(url) sanitized = sanitize_next_url(url)
assert expected == sanitized assert expected == sanitized
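Review bot: The new case on the line `cases.append([f"https://google.com\\@{domain}/haha", None])` pins the rejection path, but nothing pins the other behavioural change in this PR, that `sanitize` now returns the slash-normalised string rather than the raw input. A case such as `cases.append([f"https://{domain}\\sub", f"https://{domain}/sub"])` would lock that in and fail if `return replaced` were later reverted to `return url`. `generate_sanitize_url_cases` begins outside this hunk, so the `domain` values it iterates over are not visible here.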