Added additional check when redirecting with return_to (#3631)

* Added additional check when redirecting with return_to * Fixed test

Added additional check when redirecting with return_to (#3631)
20fe1ee7 · Ahmad Farhat · GitHub · 2a7a086d · 20fe1ee7 · 20fe1ee7
Unverified Commit 20fe1ee7 authored Jul 11, 2022 by Ahmad Farhat Committed by GitHub Jul 11, 2022
--- a/app/controllers/concerns/authenticator.rb
+++ b/app/controllers/concerns/authenticator.rb
@@ -50,7 +50,9 @@ module Authenticator
        dont_redirect_to.push(File.join(ENV['OAUTH2_REDIRECT'], "auth", "openid_connect", "callback"))
      end

-      url = if cookies[:return_to] && !dont_redirect_to.include?(cookies[:return_to])
+      valid_url = cookies[:return_to] && URI.parse(cookies[:return_to]).host == URI.parse(request.original_url).host
+
+      url = if cookies[:return_to] && valid_url && !dont_redirect_to.include?(cookies[:return_to])
        cookies[:return_to]
      elsif user.role.get_permission("can_create_rooms")
        user.main_room

--- a/spec/controllers/sessions_controller_spec.rb
+++ b/spec/controllers/sessions_controller_spec.rb
@@ -171,7 +171,7 @@ describe SessionsController, type: :controller do
      user = create(:user, provider: "greenlight",
        password: "Example1!", password_confirmation: 'example')

-      url = Faker::Internet.domain_name
+      url = "http://test.host/test"

      @request.cookies[:return_to] = url