Conversation
Moved to "core" namespace
Fixed team dropdown style issues
Fixed migration signals, converted core:dashboard to just dashboard
Added github actions + templates
Dependency Review: The following issues were found:
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.
    def redirect_to_login(email: str, redirect_url: str):
        if not url_has_allowed_host_and_scheme(redirect_url, allowed_hosts=None):
            redirect_url = reverse("dashboard")
        return redirect(f"{reverse('core:auth:login')}?email={email}&next={redirect_url}")
Check warning: Code scanning / CodeQL
URL redirection from remote source (Medium)
Copilot Autofix (AI, about 1 year ago)
To fix the problem, we need to ensure that the redirect_url is validated against a whitelist of allowed URLs or ensure that it does not contain an explicit host name. This can be done by using the urlparse function to parse the URL and check that the netloc attribute is empty. Additionally, we should handle backslashes and mistyped URLs to ensure they are correctly parsed.
- Import the urlparse function from the urllib.parse module.
- Replace the current validation logic with a more robust check using urlparse.
- Ensure that the redirect_url does not contain an explicit host name and is a relative path.
| @@ -18,2 +18,3 @@ | ||
| from django_ratelimit.decorators import ratelimit | ||
| from urllib.parse import urlparse | ||
| @@ -80,3 +81,5 @@ | ||
| if url_has_allowed_host_and_scheme(redirect_url, allowed_hosts=None): | ||
| redirect_url = redirect_url.replace('\\', '') | ||
| parsed_url = urlparse(redirect_url) | ||
| if not parsed_url.netloc and not parsed_url.scheme: | ||
| try: | ||
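Review bot: the added `if not parsed_url.netloc and not parsed_url.scheme:` guard now wraps the `try:` block, but this hunk shows no else branch, so a `redirect_url` that passed `url_has_allowed_host_and_scheme` and then fails the parse check silently skips the guarded code instead of being replaced; mirror the second function and set `redirect_url = reverse("dashboard")` on that path. The `redirect_url = redirect_url.replace('\\', '')` line also mutates the value before it is checked, so what is redirected to is no longer the string the caller supplied; keep the original and parse a normalised copy instead.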
| @@ -91,3 +94,5 @@ | ||
| def redirect_to_login(email: str, redirect_url: str): | ||
| if not url_has_allowed_host_and_scheme(redirect_url, allowed_hosts=None): | ||
| redirect_url = redirect_url.replace('\\', '') | ||
| parsed_url = urlparse(redirect_url) | ||
| if parsed_url.netloc or parsed_url.scheme: | ||
| redirect_url = reverse("dashboard") |
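Review bot: the `urlparse` check is nested inside the `not url_has_allowed_host_and_scheme(...)` branch, so it only runs on values the first check has already rejected, and such a value is still used as the redirect target whenever its backslash-stripped form has no scheme and no netloc; the fallback to `reverse("dashboard")` now applies only when both checks fail, which is weaker than the original unconditional fallback. Either keep the single existing check with its fallback, or apply the parse check to every input before the branch, and use the same branch shape in both functions (this hunk patches the negative branch, the previous one the positive branch).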
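The redirect-target validation that the CodeQL alert and the autofix above discuss, written as an added example that is not code from this PR or from Django: a stdlib-only check for a next-style parameter that validates the backslash-normalised form instead of deleting backslashes, plus a login-redirect builder that encodes the query string rather than interpolating it. The paths in login_path and fallback and the host names are assumed placeholders standing in for the PR's reverse() calls.

```python
from urllib.parse import urlparse, urlencode

ALLOWED_SCHEMES = {"http", "https"}


def _is_safe(url: str, allowed_hosts: frozenset) -> bool:
    """Single-form check: a relative path, or http(s) on an explicitly allowed host."""
    if url.startswith("///"):          # some browsers read "///host" as "//host"
        return False
    parsed = urlparse(url)
    if parsed.scheme and parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return False                   # javascript:, data:, ...
    if parsed.scheme and not parsed.netloc:
        return False                   # "https:evil.test" is re-parsed by browsers as a host
    if parsed.netloc and parsed.netloc.lower() not in allowed_hosts:
        return False                   # off-site host
    return True


def is_safe_redirect_target(url: str, allowed_hosts: frozenset = frozenset()) -> bool:
    """True only if `url` keeps the user on this site or on an allowed host.

    Browsers treat a backslash like a forward slash, so "\\evil.test" behaves like
    "//evil.test"; the normalised form is validated alongside the raw one instead of
    stripping the backslashes, which would change the path that is redirected to.
    """
    if not url or url != url.strip():
        return False
    return all(_is_safe(form, allowed_hosts) for form in (url, url.replace("\\", "/")))


def login_redirect_url(email: str, next_url: str, allowed_hosts: frozenset = frozenset(),
                       login_path: str = "/auth/login/", fallback: str = "/dashboard/") -> str:
    """Build the login URL; `next` is replaced by `fallback` unless it passes validation.

    `login_path` and `fallback` are assumed stand-ins for the reverse() calls in the PR.
    urlencode() escapes '&', '=' and '#', so neither value can add or split parameters.
    """
    target = next_url if is_safe_redirect_target(next_url, allowed_hosts) else fallback
    return f"{login_path}?{urlencode({'email': email, 'next': target})}"


if __name__ == "__main__":
    # Constructed inputs: only the first two stay on-site.
    for candidate in ["/dashboard/?tab=1", "http://app.example/x", "//evil.test",
                      r"\\evil.test", "https:evil.test", "javascript:alert(1)"]:
        print(f"{candidate!r:24} -> {is_safe_redirect_target(candidate, frozenset({'app.example'}))}")
```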
Signed-off-by: Trey <73353716+TreyWW@users.noreply.github.com>
Moved to "core" namespace
Fixed team dropdown style issues
Fixed migration signals, converted core:dashboard to just dashboard
Added github actions + templates