Address CodeQL security concern

Ensure that LoginRedirect can never be used to redirect to a different site. In the future we may whitelist certain domains such as lexbox.org, but for now we just strip off the hostname and make sure it has to be a relative URL.
sillsdev · Sep 25, 2024 · ca53296 · ca53296
1 parent 7e54c46
commit ca53296
Showing 1 changed file with 10 additions and 2 deletions.
diff --git a/backend/LexBoxApi/Controllers/LoginController.cs b/backend/LexBoxApi/Controllers/LoginController.cs
@@ -53,15 +53,23 @@ public async Task<ActionResult> LoginRedirect(
 
         await HttpContext.SignInAsync(User,
             new AuthenticationProperties { IsPersistent = true });
-        string destination = returnTo;
+        string destination = ValidateRedirectUrl(returnTo);
         if (returnToIfEmailExists is not null && user.Email is not null)
         {
             var dbUser = await lexBoxDbContext.Users.FindByEmailOrUsername(user.Email);
-            if (dbUser is not null) destination = returnToIfEmailExists!;
+            if (dbUser is not null) destination = ValidateRedirectUrl(returnToIfEmailExists)!;
         }
         return Redirect(destination);
     }
 
+    private string ValidateRedirectUrl(string url)
+    {
+        // Redirect URLs must be relative, to avoid phishing attacks where user is redirected to
+        // a lookalike site. So we strip off the host if there is one.
+        var uri = new Uri(url, UriKind.RelativeOrAbsolute);
+        return uri.PathAndQuery;
+    }
+
     [HttpGet("google")]
     [AllowAnonymous]
     public IActionResult GoogleLogin(string? redirectTo = null)