Merge pull request #75 from GeneriekPublicatiePlatformWoo/71-fix-codeql

fix: make sure the return path is relative in the challenge endpoint
GPP-Woo · Oct 21, 2024 · 421fa5e · 421fa5e
2 parents 5886da4 + a5ee766
commit 421fa5e
Showing 1 changed file with 17 additions and 7 deletions.
diff --git a/ODPC.Server/Authentication/AuthenticationExtensions.cs b/ODPC.Server/Authentication/AuthenticationExtensions.cs
@@ -140,22 +140,32 @@ private static Task HandleLoggedOut<TOptions>(RedirectContext<TOptions> ctx) whe
         private static Task ChallengeAsync(HttpContext httpContext)
         {
             var request = httpContext.Request;
-            var returnUrl = (request.Query["returnUrl"].FirstOrDefault() ?? string.Empty)
-                .AsSpan()
-                .TrimStart('/');
-
-            var fullReturnUrl = $"{request.Scheme}://{request.Host}{request.PathBase}/{returnUrl}";
+            var returnPath = GetRelativeReturnUrl(request);
 
             if (httpContext.User.Identity?.IsAuthenticated ?? false)
             {
-                httpContext.Response.Redirect(fullReturnUrl);
+                httpContext.Response.Redirect(returnPath);
                 return Task.CompletedTask;
             }
 
             return httpContext.ChallengeAsync(new AuthenticationProperties
             {
-                RedirectUri = fullReturnUrl,
+                RedirectUri = returnPath,
             });
         }
+
+        /// <summary>
+        /// We gebruiken een query parameter om te bepalen waar we naartoe moeten redirecten na inlog.
+        /// Dat is gebruikersinput. Daarom willen we valideren dat die query parameter daadwerkelijk een relatieve url is.
+        /// Zo niet, redirecten we naar de root van de applicatie.
+        /// </summary>
+        /// <param name="request"></param>
+        /// <returns></returns>
+        private static string GetRelativeReturnUrl(HttpRequest request)
+        {
+            var returnUrl = request.Query["returnUrl"].FirstOrDefault();
+            if (string.IsNullOrWhiteSpace(returnUrl) || new Uri(returnUrl, UriKind.RelativeOrAbsolute).IsAbsoluteUri) return "/";
+            return $"/{returnUrl.AsSpan().TrimStart('/')}";
+        }
     }
 }