From 118e3cf1598e2ae71bb6f9829705e5cccccc907f Mon Sep 17 00:00:00 2001 From: Trey <73353716+TreyWW@users.noreply.github.com> Date: Sat, 19 Oct 2024 21:10:07 +0100 Subject: [PATCH] Fix code scanning alert no. 21: URL redirection from remote source (#518) * Fix code scanning alert no. 21: URL redirection from remote source --------- Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --- backend/core/views/auth/login.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/backend/core/views/auth/login.py b/backend/core/views/auth/login.py index 57d60d804..d4771fb4a 100644 --- a/backend/core/views/auth/login.py +++ b/backend/core/views/auth/login.py @@ -9,6 +9,7 @@ from django.http import HttpRequest, HttpResponse from django.shortcuts import render, redirect from django.urls import resolve, reverse +from django.utils.http import url_has_allowed_host_and_scheme from django.urls.exceptions import Resolver404 from django.utils.http import url_has_allowed_host_and_scheme from django.utils.decorators import method_decorator @@ -88,6 +89,8 @@ def login_manual(request: HttpRequest): def redirect_to_login(email: str, redirect_url: str): + if not url_has_allowed_host_and_scheme(redirect_url, allowed_hosts=None): + redirect_url = reverse("dashboard") return redirect(f"{reverse('auth:login')}?email={email}&next={redirect_url}")
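Review bot: The added `from django.utils.http import url_has_allowed_host_and_scheme` in the first hunk duplicates the identical import that is already present as a context line two lines below it (right after `from django.urls.exceptions import Resolver404`), so the new line is redundant and a linter will flag it as a re-import. Drop the added line and rely on the existing one; the name is already in scope for `redirect_to_login`.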
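Review bot: The `return redirect(f"...&next={redirect_url}")` line still splices the now-validated `redirect_url` (and `email`) into the query string without encoding, so a relative path containing `&`, `#` or `?` — which passes the new check — is split into extra parameters or truncated, and the `next` the login view later reads is not the value that was validated here. Build the query with `urllib.parse.urlencode`: `query = urlencode({"email": email, "next": redirect_url})` and `return redirect(f"{reverse('auth:login')}?{query}")`, with `from urllib.parse import urlencode` added to the file's imports. The `allowed_hosts=None` choice is the restrictive one — only host-less relative paths pass, so absolute and protocol-relative URLs fall back to the dashboard — and deserves a comment saying so, e.g. `# allowed_hosts=None: only host-less relative paths pass; anything with a host or scheme falls back to the dashboard`. Because `next` is still attacker-controlled when it reaches the login view, that view (outside this hunk) presumably needs the same check before it redirects; worth confirming.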