Merge pull request #566 from gnuboard/fix/open_redirect

KimTom89 · web-flow · commit 4a9a943419fb · 2024-06-04T12:48:39.000+09:00
fix: 로그인 시 Open Redirect 취약점 수정
diff --git a/bbs/login.py b/bbs/login.py
@@ -6,7 +6,7 @@
 
 from core.template import UserTemplates
 from lib.common import session_member_key
-from lib.dependency.dependencies import set_current_connect
+from lib.dependency.dependencies import set_current_connect, validate_login_url
 from lib.member import is_super_admin
 from lib.social import providers
 from lib.social.social import SocialProvider, oauth
@@ -36,10 +36,10 @@ async def login_form(
 async def login(
         request: Request,
         member_service: Annotated[MemberService, Depends()],
+        url: Annotated[str, Depends(validate_login_url)],
         mb_id: str = Form(...),
         mb_password: str = Form(...),
         auto_login: bool = Form(default=False),
-        url: str = Form(default="/")
 ):
     """로그인 폼화면에서 로그인"""
     member = member_service.authenticate_member(mb_id, mb_password)
diff --git a/lib/dependency/dependencies.py b/lib/dependency/dependencies.py
@@ -254,4 +254,16 @@ async def set_current_connect(
 
     except ProgrammingError as e:
         print(e)
-    
+
+
+def validate_login_url(url: str = Form(default="/")):
+    """
+    로그인할 때 url을 검사하는 함수
+    """
+    allow_urls = []
+
+    if (url
+            and not url.startswith("/")
+            and url not in allow_urls):
+        raise AlertException("올바르지 않은 URL입니다.", 400)
+    return url
