fix: make sure the return path is relative in the challenge endpoint

GPP-Woo · Oct 21, 2024 · 1be7900 · 1be7900
1 parent f8c601b
commit 1be7900
Showing 1 changed file with 10 additions and 7 deletions.
diff --git a/ODPC.Server/Authentication/AuthenticationExtensions.cs b/ODPC.Server/Authentication/AuthenticationExtensions.cs
@@ -140,22 +140,25 @@ private static Task HandleLoggedOut<TOptions>(RedirectContext<TOptions> ctx) whe
         private static Task ChallengeAsync(HttpContext httpContext)
         {
             var request = httpContext.Request;
-            var returnUrl = (request.Query["returnUrl"].FirstOrDefault() ?? string.Empty)
-                .AsSpan()
-                .TrimStart('/');
-
-            var fullReturnUrl = $"{request.Scheme}://{request.Host}{request.PathBase}/{returnUrl}";
+            var returnPath = GetSafeReturnPath(request);
 
             if (httpContext.User.Identity?.IsAuthenticated ?? false)
             {
-                httpContext.Response.Redirect(fullReturnUrl);
+                httpContext.Response.Redirect(returnPath);
                 return Task.CompletedTask;
             }
 
             return httpContext.ChallengeAsync(new AuthenticationProperties
             {
-                RedirectUri = fullReturnUrl,
+                RedirectUri = returnPath,
             });
         }
+
+        private static string GetSafeReturnPath(HttpRequest request)
+        {
+            var returnUrl = request.Query["returnUrl"].FirstOrDefault();
+            if (string.IsNullOrWhiteSpace(returnUrl) || new Uri(returnUrl, UriKind.RelativeOrAbsolute).IsAbsoluteUri) return "/";
+            return $"/{returnUrl.AsSpan().TrimStart('/')}";
+        }
     }
 }