-
-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add return_to behaviour to 404 -> login flow #4916
Conversation
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good - left some minor suggestions. Before the final 🦭 I'll take it for a short spin on preview app though.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@ukutaht I'm a bit concerned that as-is this can be used to craft malicious links.
https://pr-4916.review.plausible.io/login?return_to=https:%2F%2Fexample.com%2Fhack%2Fplausible.io
If on the return URL is a copy of the Plausible login page, the user may naively enter their details again, inadvertently sharing their details with a hacker.
@apata good point. The |
Co-authored-by: Adrian Gruntkowski <[email protected]>
Thanks, that's a good point! I've taken a stab at it here. A few points about this commit:
|
Ad 5. this was originally a workaround for issue with internal redirects failing when there's a url encoded UTF8 character in the path (the domain of the site, in particular): #3560 - phoenix was validating the "to" URLs a bit overzealously. The phoenix version we currently are on (1.7.14) has this behavior changed via phoenixframework/phoenix@4ca6ca2. This should no longer be an issue and we should be able to get back to using internal "to" redirects. |
I'm happy with that, @ukutaht! But because this feature allows redirecting to a page that has itself url search params (https://pr-4916.review.plausible.io/login?return_to=/sites%3Ffoo%3Dbar), any other open redirect vulnerability that we might have would still be exploitable. Before we release it, we should double check that we don't have any. Edit: From my side, I couldn't find any other redirects that take user input. |
Sorry for the wait, @ukutaht! I think I was actually expecting to see a fix on the failing CI checks, but then I forgot about the whole thing for the holidays. |
Changes
It's quite annoying at the moment to:
This PR implements a
return_to
query param used in login flow, including when 2fa challenge is presented. This way the user lands on the intended page.We currently have a session-based
login_dest
variable but it only works for known routes which dashboards are not. It could have been extended for this use-case but I felt like using query params is better when session state isn't strictly necessary.