Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Avoid redirects with unprotected query params #3846

Merged
merged 5 commits into from
Nov 12, 2019
Merged

Avoid redirects with unprotected query params #3846

merged 5 commits into from
Nov 12, 2019

Conversation

javierm
Copy link
Member

@javierm javierm commented Nov 10, 2019

References

Objectives

  • Avoid potential redirects to external URLs

@javierm javierm added the security Pull requests that address a security vulnerability label Nov 10, 2019
@javierm javierm self-assigned this Nov 10, 2019
@javierm javierm added this to Reviewing in Roadmap via automation Nov 10, 2019
@javierm javierm changed the title Redirects Avoid redirects with unprotected query params Nov 10, 2019
@javierm
Remove unused query parameters in redirect
941fc76 
These actions are never called with query parameters in our application,
so there's no need to use these parameters in a redirect.

Note in the test I'm using the `get` method because the `patch` method
wouldn't send query parameters. This doesn't mean the action can be
accessed through GET requests, since controller tests don't check route
verbs.
@javierm
Extract method to redirect keeping query params
6677971
@javierm
Avoid redirects with unprotected query params
50bdfd5 
In theory it's possible to add a `host` parameter to a URL, and we could
end up redirecting to that host if we just redirect using query
parameters.

Generating the path using `url_for` with `only_path` solves the issue.

Note in the tests I'm using the `get` method because the `patch` method
wouldn't send query parameters. This doesn't mean the action can be
accessed through GET requests, since controller tests don't check route
verbs. Using feature specs doesn't seem to work because `controller` and
`host` parameters are filtered automatically in feature specs.

Also note I'm not testing every hidden/moderation controller because
they basically use the same code.
@javierm
Redirect to referer after destroying an image
9065683 
The same way we do for documents. This way we avoid a possible
unprotected redirect.
@javierm
Keep current host in links to current path
31c21dd 
This way we avoid a possible unprotected redirect.
@javierm javierm merged commit e7842ad into master Nov 12, 2019
Roadmap automation moved this from Reviewing to Release 1.1.0 Nov 12, 2019
@javierm javierm deleted the redirects branch November 12, 2019 19:12
smarques pushed a commit to venetochevogliamo/consul that referenced this pull request Apr 29, 2020
@javierm
Merge pull request consuldemocracy#3846 from consul/redirects
ecf74af 
Avoid redirects with unprotected query params
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@javierm javierm

Labels
security Pull requests that address a security vulnerability
Projects
No open projects
Roadmap
  
Release 1.1.0
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Dynamically generated routes warnings
1 participant
@javierm