Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(components/server): ensure a sane redirect/returnTo query param #4708

Merged
merged 3 commits into from
Jul 8, 2021
Merged

fix(components/server): ensure a sane redirect/returnTo query param #4708

merged 3 commits into from
Jul 8, 2021

Conversation

leodido
Copy link
Contributor

@leodido leodido commented Jul 5, 2021
edited
Loading

Signed-off-by: Leo Di Donato [email protected]

This PR ensures the value of the redirect (or returnTo) query parameter is safe.

To do so, it strictly checks the value against the allowed URLs (rather than relying on startsWith).
Furthermore, it uses the URL interface to ensure URLs are normalized before checking them.

On a side note

My first PR! 🎈

Also, my first Typescript code in years and years (literally!) ... 😊
So please be gentle with me 🙇

@leodido leodido requested review from a team and jankeromnes and removed request for a team July 5, 2021 21:35
@leodido
Copy link
Contributor Author

leodido commented Jul 5, 2021
edited by werft-gitpod-dev-com bot
Loading

/werft run

👍 started the job as gitpod-build-leo-safe-redirect-query-param.1

AlexTugarev
AlexTugarev requested changes Jul 6, 2021
View reviewed changes
Copy link
Member

@AlexTugarev AlexTugarev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@leodido it's awesome that you're on it to fix the situation! 💯

I believe it will be more sustainable to not allow addressing any hosts at all. We should rather rewrite all returnTo=URL with returnTo=PATH with the means of appending the path to the known Gitpod host. This way there is no need to parse user values as URL.

components/server/src/user/user-controller.ts Outdated Show resolved Hide resolved
@leodido leodido requested a review from AlexTugarev July 6, 2021 11:32
@leodido
Copy link
Contributor Author

leodido commented Jul 6, 2021

@AlexTugarev thanks for your feeback! Would you please take another look at it? :)

@AlexTugarev
Copy link
Member

AlexTugarev commented Jul 6, 2021
edited by werft-gitpod-dev-com bot
Loading

/werft run

👍 started the job as gitpod-build-leo-safe-redirect-query-param.3

AlexTugarev
AlexTugarev approved these changes Jul 6, 2021
View reviewed changes
Copy link
Member

@AlexTugarev AlexTugarev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code looks good to me!
Let's test before merging 🙏🏻

@leodido
Copy link
Contributor Author

leodido commented Jul 7, 2021
edited by werft-gitpod-dev-com bot
Loading

/werft run

👍 started the job as gitpod-build-leo-safe-redirect-query-param.4

@AlexTugarev
Copy link
Member

@leodido could you rebase please?

@leodido leodido force-pushed the leo/safe-redirect-query-param branch from fa0087a to b923636 Compare July 8, 2021 12:08
@leodido leodido merged commit 318e8c6 into main Jul 8, 2021
@leodido leodido deleted the leo/safe-redirect-query-param branch July 8, 2021 12:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@AlexTugarev AlexTugarev AlexTugarev approved these changes

@jankeromnes jankeromnes Awaiting requested review from jankeromnes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@leodido @AlexTugarev