Skip to content

Fix redirection to 'next' url raises an unsafe error #55704

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
pierrejeambrun merged 3 commits into from
Sep 17, 2025
Merged

Fix redirection to 'next' url raises an unsafe error #55704

pierrejeambrun merged 3 commits into from
Sep 17, 2025

Conversation

@sjyangkevin
Copy link
Contributor

@sjyangkevin sjyangkevin commented Sep 16, 2025

Close: #55473

why

The is_safe_url method will return False when the target_url is encoded and it is the same as either base_url or request.base_url. Therefore, we will unquote it before joining with base.

#55143 (comment)
#55473

^ Add meaningful description above
Read the Pull Request Guidelines for more information.
In case of fundamental code changes, an Airflow Improvement Proposal (AIP) is needed.
In case of a new dependency, check compliance with the ASF 3rd Party License Policy.
In case of backwards incompatible changes please leave a note in a newsfragment file, named {pr_number}.significant.rst or {issue_number}.significant.rst, in airflow-core/newsfragments.

@boring-cyborg boring-cyborg bot added the area:API Airflow's REST/HTTP API label Sep 16, 2025
pierrejeambrun
pierrejeambrun reviewed Sep 16, 2025
View reviewed changes
Copy link
Member

@pierrejeambrun pierrejeambrun left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we should always unquote.

can you add a test where the target url is “relative” to the base url (I.e nested down the path).

I think with the current code that wouldn’t work, but it should.

For instance:
"https%3A%2F%2Frequesting_server_base_url.com%2Fprefix2%2Fsub_path”

@sjyangkevin
Copy link
Contributor Author

sjyangkevin commented Sep 16, 2025

Thanks for the feedback. Will make the change and add the test case

jason810496
jason810496 approved these changes Sep 16, 2025
View reviewed changes
Copy link
Member

@jason810496 jason810496 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the fix.

@sjyangkevin
Copy link
Contributor Author

sjyangkevin commented Sep 17, 2025

Thanks @pierrejeambrun , @jason810496

I think we should always unquote.
can you add a test where the target url is “relative” to the base url (I.e nested down the path).
I think with the current code that wouldn’t work, but it should.
For instance: "https%3A%2F%2Frequesting_server_base_url.com%2Fprefix2%2Fsub_path”

Yes. In the case of target url is "relative" to the base url, the additional check there will fail to unquote the target url. Thanks for pointing this out.

@jason810496
Copy link
Member

jason810496 commented Sep 17, 2025

Yes. In the case of target url is "relative" to the base url, the additional check there will fail to unquote the target url. Thanks for pointing this out.

Thanks for the update! Having unquote in the loop make more sense to me.

pierrejeambrun
pierrejeambrun approved these changes Sep 17, 2025
View reviewed changes
Copy link
Member

@pierrejeambrun pierrejeambrun left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice thanks

@pierrejeambrun pierrejeambrun added this to the Airflow 3.1.0 milestone Sep 17, 2025
@pierrejeambrun pierrejeambrun merged commit 9bc58a2 into apache:main Sep 17, 2025
109 checks passed
kaxil pushed a commit that referenced this pull request Sep 18, 2025
@sjyangkevin @kaxil
Fix redirection to 'next' url raises an unsafe error (#55704)
e9d6236 
* precommit fix

* add test case for base_url unset

* fix the check logic failed for relative url by always unquote

(cherry picked from commit 9bc58a2)
abdulrahman305 bot pushed a commit to abdulrahman305/airflow that referenced this pull request Sep 30, 2025
@sjyangkevin
Fix redirection to 'next' url raises an unsafe error (apache#55704)
f7c37b8 
* precommit fix

* add test case for base_url unset

* fix the check logic failed for relative url by always unquote
abdulrahman305 bot pushed a commit to abdulrahman305/airflow that referenced this pull request Oct 1, 2025
@sjyangkevin
Fix redirection to 'next' url raises an unsafe error (apache#55704)
aa5cb23 
* precommit fix

* add test case for base_url unset

* fix the check logic failed for relative url by always unquote
abdulrahman305 bot pushed a commit to abdulrahman305/airflow that referenced this pull request Oct 2, 2025
@sjyangkevin
Fix redirection to 'next' url raises an unsafe error (apache#55704)
f3e845d 
* precommit fix

* add test case for base_url unset

* fix the check logic failed for relative url by always unquote
abdulrahman305 bot pushed a commit to abdulrahman305/airflow that referenced this pull request Oct 3, 2025
@sjyangkevin
Fix redirection to 'next' url raises an unsafe error (apache#55704)
f49776d 
* precommit fix

* add test case for base_url unset

* fix the check logic failed for relative url by always unquote
abdulrahman305 bot pushed a commit to abdulrahman305/airflow that referenced this pull request Oct 4, 2025
@sjyangkevin
Fix redirection to 'next' url raises an unsafe error (apache#55704)
9db7b63 
* precommit fix

* add test case for base_url unset

* fix the check logic failed for relative url by always unquote
abdulrahman305 bot pushed a commit to abdulrahman305/airflow that referenced this pull request Oct 5, 2025
@sjyangkevin
Fix redirection to 'next' url raises an unsafe error (apache#55704)
da54ab6 
* precommit fix

* add test case for base_url unset

* fix the check logic failed for relative url by always unquote
abdulrahman305 bot pushed a commit to abdulrahman305/airflow that referenced this pull request Oct 5, 2025
@sjyangkevin
Fix redirection to 'next' url raises an unsafe error (apache#55704)
c4d1282 
* precommit fix

* add test case for base_url unset

* fix the check logic failed for relative url by always unquote
abdulrahman305 bot pushed a commit to abdulrahman305/airflow that referenced this pull request Oct 7, 2025
@sjyangkevin
Fix redirection to 'next' url raises an unsafe error (apache#55704)
c38eec8 
* precommit fix

* add test case for base_url unset

* fix the check logic failed for relative url by always unquote
abdulrahman305 bot pushed a commit to abdulrahman305/airflow that referenced this pull request Oct 8, 2025
@sjyangkevin
Fix redirection to 'next' url raises an unsafe error (apache#55704)
8736998 
* precommit fix

* add test case for base_url unset

* fix the check logic failed for relative url by always unquote
abdulrahman305 bot pushed a commit to abdulrahman305/airflow that referenced this pull request Oct 9, 2025
@sjyangkevin
Fix redirection to 'next' url raises an unsafe error (apache#55704)
3646383 
* precommit fix

* add test case for base_url unset

* fix the check logic failed for relative url by always unquote
abdulrahman305 bot pushed a commit to abdulrahman305/airflow that referenced this pull request Oct 10, 2025
@sjyangkevin
Fix redirection to 'next' url raises an unsafe error (apache#55704)
545ada2 
* precommit fix

* add test case for base_url unset

* fix the check logic failed for relative url by always unquote
abdulrahman305 bot pushed a commit to abdulrahman305/airflow that referenced this pull request Oct 11, 2025
@sjyangkevin
Fix redirection to 'next' url raises an unsafe error (apache#55704)
98646e5 
* precommit fix

* add test case for base_url unset

* fix the check logic failed for relative url by always unquote
abdulrahman305 bot pushed a commit to abdulrahman305/airflow that referenced this pull request Oct 12, 2025
@sjyangkevin
Fix redirection to 'next' url raises an unsafe error (apache#55704)
d0cdb34 
* precommit fix

* add test case for base_url unset

* fix the check logic failed for relative url by always unquote
abdulrahman305 bot pushed a commit to abdulrahman305/airflow that referenced this pull request Oct 14, 2025
@sjyangkevin
Fix redirection to 'next' url raises an unsafe error (apache#55704)
468a60c 
* precommit fix

* add test case for base_url unset

* fix the check logic failed for relative url by always unquote
abdulrahman305 bot pushed a commit to abdulrahman305/airflow that referenced this pull request Oct 15, 2025
@sjyangkevin
Fix redirection to 'next' url raises an unsafe error (apache#55704)
79e7fde 
* precommit fix

* add test case for base_url unset

* fix the check logic failed for relative url by always unquote
abdulrahman305 bot pushed a commit to abdulrahman305/airflow that referenced this pull request Oct 17, 2025
@sjyangkevin
Fix redirection to 'next' url raises an unsafe error (apache#55704)
9dff970 
* precommit fix

* add test case for base_url unset

* fix the check logic failed for relative url by always unquote
abdulrahman305 bot pushed a commit to abdulrahman305/airflow that referenced this pull request Oct 19, 2025
@sjyangkevin
Fix redirection to 'next' url raises an unsafe error (apache#55704)
5942287 
* precommit fix

* add test case for base_url unset

* fix the check logic failed for relative url by always unquote
@potiuk potiuk mentioned this pull request Nov 8, 2025
Merged
@gyanprakash48
Copy link

gyanprakash48 commented Dec 18, 2025

@sjyangkevin i am still facing this error , i am on helm chart 1.18.0 and and then using image defaultAirflowTag: "3.1.5" . I set AIRFLOW__WEBSERVER__BASE_URL as well in apiserver , but still error persist. {"detail":"Invalid or unsafe next URL"}. i can see next path is url encoded . any help what i need to do ? (if i manually remove url encoding in browser then it works, that specific navigation)

jason810496
jason810496 reviewed Dec 19, 2025
View reviewed changes
Copy link
Member

@jason810496 jason810496 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@sjyangkevin i am still facing this error , i am on helm chart 1.18.0 and and then using image defaultAirflowTag: "3.1.5" . I set AIRFLOW__WEBSERVER__BASE_URL as well in apiserver , but still error persist. {"detail":"Invalid or unsafe next URL"}. i can see next path is url encoded . any help what i need to do ? (if i manually remove url encoding in browser then it works, that specific navigation)

How about using AIRFLOW__API__BASE_URL instead of AIRFLOW__WEBSERVER__BASE_URL env?
It seems we didn't handle [webserver/base_url] to [api/base_url] config properly:

https://github.com/apache/airflow/blob/main/shared/configuration/src/airflow_shared/configuration/parser.py#L130-L160

@sjyangkevin
Copy link
Contributor Author

sjyangkevin commented Dec 19, 2025

Thanks @jason810496 . I think it could be the issue. @gyanprakash48 could you try out the setting @jason810496 suggest?

@gyanprakash48
Copy link

gyanprakash48 commented Dec 19, 2025

Thanks! , yes that solved 👍

@jason810496 jason810496 mentioned this pull request Dec 20, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jason810496 jason810496 jason810496 approved these changes

@pierrejeambrun pierrejeambrun pierrejeambrun approved these changes

@ephraimbuddy ephraimbuddy Awaiting requested review from ephraimbuddy ephraimbuddy is a code owner

@rawwar rawwar Awaiting requested review from rawwar rawwar is a code owner

@bugraoz93 bugraoz93 Awaiting requested review from bugraoz93 bugraoz93 is a code owner

@shubhamraj-git shubhamraj-git Awaiting requested review from shubhamraj-git shubhamraj-git is a code owner

Assignees

No one assigned

Labels

area:API Airflow's REST/HTTP API

Projects

None yet

Milestone

Airflow 3.1.0

Development

Successfully merging this pull request may close these issues.

Redirection to 'next' url raises an unsafe error

4 participants

@sjyangkevin @jason810496 @gyanprakash48 @pierrejeambrun