
Move from pennydreadfulmagic.com cookies to .pennydreadfulmagic.com cookies #13309

Merged
merged 2 commits into from
Nov 12, 2024

Conversation

bakert
Member

@bakert bakert commented Nov 12, 2024

This will let us know you are an admin on logs.

I'm not sure what changed here, maybe the config got messed up? But this will
put us back in the right spot.

@@ -92,8 +92,14 @@
oauth.logout()
target = request.args.get('target', 'home')
if bool(urllib.parse.urlparse(target).netloc):
return redirect(target)
return redirect(url_for(target))
response = redirect(target)
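Review bot: the `if bool(urllib.parse.urlparse(target).netloc): return redirect(target)` branch passes any absolute URL taken from the `target` query parameter straight to `redirect()`, which is the open redirect CodeQL reports on this hunk: whoever controls the logout link's `target` decides where the user lands after logout. Validate that branch by comparing `urllib.parse.urlparse(target).hostname` against the site's own host (or a subdomain of it, matching the new `.pennydreadfulmagic.com` cookie scope) and fall back to `redirect(url_for('home'))` otherwise; the relative branch is already constrained, since `url_for(target)` only resolves registered endpoint names.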

Check warning: Code scanning / CodeQL

URL redirection from remote source (Medium): untrusted URL redirection depends on a user-provided value.

Copilot Autofix AI 4 months ago

To fix the problem, we need to ensure that the target parameter is validated properly before using it in a redirect. One way to do this is to maintain a list of allowed redirect targets and check that the user-provided target is in this list. If the target is not in the list, we should redirect to a default safe location.

  1. Create a list of allowed redirect targets.
  2. Check if the target parameter is in the list of allowed targets.
  3. If the target is not in the list, redirect to a default safe location.
Suggested changeset 1
shared_web/flask_app.py

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/shared_web/flask_app.py b/shared_web/flask_app.py
--- a/shared_web/flask_app.py
+++ b/shared_web/flask_app.py
@@ -92,7 +92,8 @@
         oauth.logout()
+        ALLOWED_REDIRECTS = ['home', 'profile', 'dashboard']  # Add all allowed targets here
         target = request.args.get('target', 'home')
-        if bool(urllib.parse.urlparse(target).netloc):
-            response = redirect(target)
-        else:
+        if target in ALLOWED_REDIRECTS:
             response = redirect(url_for(target))
+        else:
+            response = redirect(url_for('home'))
         # Clean up any session cookie set with no domain created when the site was misconfigured.
EOF
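Review bot: the suggested patch deletes the `urlparse(target).netloc` branch outright, so absolute URLs on the site's own domain stop working after logout, a behaviour change the PR description does not ask for; and the placeholder `ALLOWED_REDIRECTS = ['home', 'profile', 'dashboard']` names endpoints that must actually be registered in the Flask app, because `url_for()` raises `BuildError` for an unknown endpoint name. The check that addresses the finding is on the absolute-URL branch (compare the parsed hostname with the site domain, keep `url_for('home')` as the fallback); a hard-coded list, if kept, belongs at module level rather than being rebuilt inside the view on every request.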
@@ -92,7 +92,8 @@
oauth.logout()
ALLOWED_REDIRECTS = ['home', 'profile', 'dashboard'] # Add all allowed targets here
target = request.args.get('target', 'home')
if bool(urllib.parse.urlparse(target).netloc):
response = redirect(target)
else:
if target in ALLOWED_REDIRECTS:
response = redirect(url_for(target))
else:
response = redirect(url_for('home'))
# Clean up any session cookie set with no domain created when the site was misconfigured.
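Review bot: as rendered here the allowlist check sits under the `else:` of `if bool(urllib.parse.urlparse(target).netloc):`, so `response = redirect(target)` still runs unvalidated for every absolute URL and the CodeQL finding is not fixed; the `target in ALLOWED_REDIRECTS` test only guards endpoint names that `url_for()` already restricts. Move the validation onto the `netloc` branch, accepting only hostnames equal to the site's own domain or a subdomain of it, with `url_for('home')` as the fallback.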
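As an added example, not code from this PR or the repository, here is a Python helper that implements the validation the CodeQL finding calls for: bare names go through an endpoint allowlist (the `url_for(target)` path of the original view), absolute URLs are accepted only when their hostname is the site host or a subdomain of it, and everything else, including `javascript:` and protocol-relative forms, falls back to the default endpoint. `SITE_HOST` (taken from the PR title), the `ALLOWED_ENDPOINTS` set and `DEFAULT_ENDPOINT` are assumptions for the example; `url_for` is passed in as a callable so the helper runs without Flask, and the inputs in the `__main__` block are constructed test vectors.

```python
from urllib.parse import urlparse

# Assumed values for this example: the site host comes from the PR title; the
# endpoint set stands in for whatever endpoints the real Flask app registers.
SITE_HOST = "pennydreadfulmagic.com"
ALLOWED_ENDPOINTS = frozenset({"home"})
DEFAULT_ENDPOINT = "home"


def classify_target(target, site_host=SITE_HOST,
                    allowed_endpoints=ALLOWED_ENDPOINTS, default=DEFAULT_ENDPOINT):
    """Decide what a ?target= value may redirect to.

    Returns ("endpoint", name) when the view should answer redirect(url_for(name)),
    or ("url", target) when an absolute URL on our own domain may be used as-is.
    Anything untrusted collapses to ("endpoint", default).
    """
    parsed = urlparse(target)

    if not parsed.scheme and not parsed.netloc:
        # Bare endpoint name, i.e. the url_for(target) branch of the original view.
        # Only names known to be registered are passed through; url_for() would
        # raise BuildError for anything else.
        name = target if target in allowed_endpoints else default
        return ("endpoint", name)

    if parsed.scheme not in ("http", "https"):
        # Rejects javascript:, data: and protocol-relative "//host/..." forms.
        return ("endpoint", default)

    # hostname strips userinfo and port, so "https://site@evil.example/" is
    # judged by "evil.example", not by the text before the "@".
    host = (parsed.hostname or "").lower()
    if host == site_host or host.endswith("." + site_host):
        # Same domain or a subdomain, matching the .pennydreadfulmagic.com cookie scope.
        return ("url", target)

    return ("endpoint", default)


def redirect_location(target, url_for, **kwargs):
    """Resolve the Location a view should redirect to; url_for is Flask's (or a stand-in)."""
    kind, value = classify_target(target, **kwargs)
    return url_for(value) if kind == "endpoint" else value


if __name__ == "__main__":
    # Constructed inputs, run offline with a stand-in for Flask's url_for.
    def fake_url_for(name):
        return "/" + name

    for sample in ("home", "profile",
                   "https://pennydreadfulmagic.com/decks",
                   "https://logs.pennydreadfulmagic.com/",
                   "https://evil.example/landing",
                   "https://pennydreadfulmagic.com@evil.example/",
                   "https://evilpennydreadfulmagic.com/",
                   "//evil.example/x",
                   "javascript:alert(1)"):
        print(f"{sample!r:50} -> {redirect_location(sample, fake_url_for)}")
```

In the view this replaces both branches: `kind, value = classify_target(request.args.get('target', 'home'))` followed by `response = redirect(url_for(value)) if kind == 'endpoint' else redirect(value)`. Rejecting on doubt is the right default for a redirect target: a legitimate link that gets bounced to the home page is a minor annoyance, whereas a pass-through of an untrusted host is the finding CodeQL raised.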
@mergify mergify bot merged commit 85076b6 into master Nov 12, 2024
19 checks passed
@mergify mergify bot deleted the cookie-hell branch November 12, 2024 19:18