From 7adefce7fd612bfbde5fb8e4ba261b1407713cc7 Mon Sep 17 00:00:00 2001 From: Thomas von Deyen Date: Sun, 5 Jan 2025 14:37:35 +0100 Subject: [PATCH] Use safe redirect paths in admin redirects This makes sure all redirects we do in the admin via do_redirect_to uses a safe redirect url. --- .../alchemy/admin/base_controller.rb | 21 +++++++++++++++---- .../alchemy/admin/languages_controller.rb | 2 +- .../alchemy/admin/pages_controller.rb | 6 +----- .../alchemy/admin/resources_controller.rb | 2 +- 4 files changed, 20 insertions(+), 11 deletions(-) diff --git a/app/controllers/alchemy/admin/base_controller.rb b/app/controllers/alchemy/admin/base_controller.rb index 8e80889095..3fdd2f5ce6 100644 --- a/app/controllers/alchemy/admin/base_controller.rb +++ b/app/controllers/alchemy/admin/base_controller.rb @@ -46,6 +46,12 @@ def is_safe_redirect_path?(path) path.to_s.match? %r{^#{mount_path}admin/} end + def relative_referer_path(referer = request.referer) + return unless referer + + URI(referer).path + end + # Disable layout rendering for xhr requests. def set_layout (request.xhr? || turbo_frame_request?) ? false : "alchemy/admin" @@ -120,16 +126,23 @@ def render_errors_or_redirect(object, redirect_url, flash_notice) end end - # Does redirects for html and js requests + # Does redirects for html, turbo_stream and js requests + # + # Makes sure that the redirect path is safe. # def do_redirect_to(url_or_path) + redirect_path = safe_redirect_path(url_or_path) respond_to do |format| format.js do - @redirect_url = url_or_path + @redirect_url = redirect_path render :redirect end - format.turbo_stream { redirect_to(url_or_path) } - format.html { redirect_to(url_or_path) } + format.turbo_stream do + redirect_to(redirect_path, allow_other_host: false) + end + format.html do + redirect_to(redirect_path, allow_other_host: false) + end end end diff --git a/app/controllers/alchemy/admin/languages_controller.rb b/app/controllers/alchemy/admin/languages_controller.rb index 4f1af1e29f..ee487b3129 100644 --- a/app/controllers/alchemy/admin/languages_controller.rb +++ b/app/controllers/alchemy/admin/languages_controller.rb @@ -40,7 +40,7 @@ def destroy def switch @language = set_alchemy_language(params[:language_id]) session[:alchemy_language_id] = @language.id - do_redirect_to request.referer || alchemy.admin_dashboard_path + do_redirect_to relative_referer_path || alchemy.admin_dashboard_path end private diff --git a/app/controllers/alchemy/admin/pages_controller.rb b/app/controllers/alchemy/admin/pages_controller.rb index 7ea7d3623f..986878eecd 100644 --- a/app/controllers/alchemy/admin/pages_controller.rb +++ b/app/controllers/alchemy/admin/pages_controller.rb @@ -193,11 +193,7 @@ def unlock end def unlock_redirect_path - if params[:redirect_to].to_s.match?(/\A\/admin\/(layout_)?pages/) - params[:redirect_to] - else - admin_pages_path - end + safe_redirect_path(fallback: admin_pages_path) end # Sets the page public and updates the published_at attribute that is used as cache_key diff --git a/app/controllers/alchemy/admin/resources_controller.rb b/app/controllers/alchemy/admin/resources_controller.rb index 0fefed1a5c..ed5749dedb 100644 --- a/app/controllers/alchemy/admin/resources_controller.rb +++ b/app/controllers/alchemy/admin/resources_controller.rb @@ -78,7 +78,7 @@ def destroy flash[:error] = resource_instance_variable.errors.full_messages.join(", ") end flash_notice_for_resource_action - do_redirect_to resource_url_proxy.url_for(search_filter_params.merge(action: "index")) + do_redirect_to resource_url_proxy.url_for(search_filter_params.merge(action: "index", only_path: true)) end def resource_handler