BAU: Update redirect #168
Conversation
response = make_response( | ||
redirect(request.referrer or request.args.get("return_url") or "/", 302) | ||
) | ||
response = make_response(redirect(request.referrer or "/", 302)) |
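Review bot: the new line still hands a remote-controlled value straight to `redirect`: `request.referrer` is the client's Referer header, so dropping `request.args.get("return_url")` narrows the input but does not remove the open-redirect sink that CodeQL flags on this line. Before redirecting, parse the value and accept it only if it has no scheme and no netloc and starts with a single `/` (or if its host equals the application's own host), and fall back to `"/"` otherwise; the existing `# TODO: Perform additional validation on referrer` comment in `select_language` describes exactly that missing check.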
Check warning
Code scanning / CodeQL
URL redirection from remote source Medium
user-provided value
Copilot Autofix AI 13 days ago
To fix the problem, we need to validate the `request.referrer` before using it in the `redirect` function. We can use the `urlparse` function from the Python standard library to ensure that the referrer does not include an explicit host name, making it a relative path. This will prevent redirection to external sites. If the referrer is not valid, we will redirect to the home page (`/`).
@@ -35,4 +35,10 @@ | ||
def select_language(locale): | ||
# TODO: Perform additional validation on referrer | ||
response = make_response(redirect(request.referrer or "/", 302)) | ||
from urllib.parse import urlparse | ||
# Validate referrer to ensure it does not include an explicit host name | ||
referrer = request.referrer or "/" | ||
referrer = referrer.replace('\\', '') | ||
if not urlparse(referrer).netloc and not urlparse(referrer).scheme: | ||
response = make_response(redirect(referrer, 302)) | ||
else: | ||
response = make_response(redirect("/", 302)) | ||
LanguageSelector.set_language_cookie(locale, response) |
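Review bot: the `if not urlparse(referrer).netloc and not urlparse(referrer).scheme:` test on the added lines is not sufficient on its own: `urlparse` returns an empty netloc for a value such as `///evil.example` (three or more leading slashes), yet browsers collapse the slash run and navigate off-site, so that value would pass this check and be sent in the Location header. After the `referrer.replace('\\', '')` line, additionally require `referrer.startswith("/") and not referrer.startswith("//")`, and parse once into a local (`parts = urlparse(referrer)`) instead of calling `urlparse` twice. Two smaller points: `from urllib.parse import urlparse` belongs with the module-level imports rather than inside `select_language`, and the `# TODO: Perform additional validation on referrer` comment should be removed or reworded once this validation is in place, otherwise it misleads the next reader.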
7ddd825 to f257749
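The autofix above validates the referrer with `urlparse` alone. As an added example (not code from this repository, the autofix, or the reviewers), the helper below shows the fuller check a reviewer would expect: it normalises backslashes, rejects any leading slash run (including the `///host` form that `urlparse` reports as a bare path), allows absolute URLs only over http(s) to an application-supplied allow-list of hosts, and falls back to a default path otherwise. The function name `safe_redirect_target`, the `allowed_hosts` parameter and all sample inputs are assumptions made for the example; it is framework-free so it runs without Flask.

```python
from urllib.parse import urlparse

# Hypothetical helper written for this example; not part of the project's code.
# Returns `candidate` when it is a same-site redirect target, else `default`.
# `default` is trusted and is not validated (the caller is expected to pass a
# fixed path such as "/").
def safe_redirect_target(candidate, allowed_hosts, default="/"):
    if not candidate:
        return default

    # Browsers treat "\" like "/" when resolving a URL, so normalise first; the
    # normalised form is what gets returned, so the caller redirects to exactly
    # the value that was checked.
    candidate = candidate.strip().replace("\\", "/")
    parts = urlparse(candidate)

    if parts.scheme or parts.netloc:
        # Absolute or protocol-relative URL. Only http(s) to one of our own
        # hosts is allowed. `hostname` strips userinfo and port, so
        # "https://www.example.gov@evil.example/" compares as "evil.example".
        if parts.scheme in ("http", "https") and parts.hostname in allowed_hosts:
            return candidate
        return default

    # No scheme and no netloc according to urlparse. That is still not enough:
    # urlparse("///evil.example") yields netloc == "" and path == "/evil.example",
    # but a browser collapses the leading slashes and leaves the site. Require a
    # path that starts with exactly one "/".
    if candidate.startswith("/") and not candidate.startswith("//"):
        return candidate
    return default


# Constructed inputs illustrating each branch (not taken from the page).
SAMPLE_TARGETS = [
    "/account/settings?x=1",               # plain same-site path: allowed
    "https://www.example.gov/page",         # absolute URL to an allowed host
    "https://evil.example/page",            # absolute URL elsewhere: rejected
    "//evil.example/page",                  # protocol-relative: rejected
    "///evil.example/page",                 # slash run urlparse misses: rejected
    "/\\evil.example/page",                 # backslash variant: rejected
    "javascript:alert(1)",                  # non-http scheme: rejected
    "https://www.example.gov@evil.example/",  # userinfo trick: rejected
]


def classify_samples(allowed_hosts=frozenset({"www.example.gov"})):
    """Map each constructed sample to the target the app would redirect to."""
    return {t: safe_redirect_target(t, allowed_hosts) for t in SAMPLE_TARGETS}


if __name__ == "__main__":
    for target, resolved in classify_samples().items():
        print(f"{target!r:45} -> {resolved!r}")
```

In the `select_language` view this would replace the `request.referrer or "/"` expression with `safe_redirect_target(request.referrer, {request.host}, "/")`, so the only absolute URL ever accepted is one pointing back at the host that served the request.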
LGTM
LGTM
b70127d to bf7c22d
bf7c22d to ca11c46
Change description
See https://communities-govuk.slack.com/archives/C0761EKCM6G/p1727340071395389 for context
How to test
If manual testing is needed, give suggested testing steps
Screenshots of UI changes (if applicable)