[PM-3561] Clean the return url of any whitespace (#3696)

* clean the return url of any whitespace

* ReplaceWhiteSpace helper

* tests for ReplaceWhiteSpace helper

---------

Co-authored-by: Matt Bishop <mbishop@bitwarden.com>

bitwarden_license/src/Sso/Controllers/AccountController.cs

@@ -209,6 +209,8 @@ public IActionResult ExternalChallenge(string scheme, string returnUrl, string s
             returnUrl = "~/";
         }
 
+        // Clean the returnUrl
+        returnUrl = CoreHelpers.ReplaceWhiteSpace(returnUrl, string.Empty);
         if (!Url.IsLocalUrl(returnUrl) && !_interaction.IsValidReturnUrl(returnUrl))
         {
             throw new Exception(_i18nService.T("InvalidReturnUrl"));

src/Core/Utilities/CoreHelpers.cs

@@ -31,6 +31,7 @@ public static class CoreHelpers
     private static readonly DateTime _max = new DateTime(9999, 1, 1, 0, 0, 0, DateTimeKind.Utc);
     private static readonly Random _random = new Random();
     private static readonly string RealConnectingIp = "X-Connecting-IP";
+    private static readonly Regex _whiteSpaceRegex = new Regex(@"\s+");
 
     /// <summary>
     /// Generate sequential Guid for Sql Server.
@@ -868,4 +869,9 @@ public static string GetEmailDomain(string email)
 
         return null;
     }
+
+    public static string ReplaceWhiteSpace(string input, string newValue)
+    {
+        return _whiteSpaceRegex.Replace(input, newValue);
+    }
 }

test/Core.Test/Utilities/CoreHelpersTests.cs

@@ -438,4 +438,15 @@ public void GetEmailDomain_ReturnsNull(string wrongEmail)
     {
         Assert.Null(CoreHelpers.GetEmailDomain(wrongEmail));
     }
+
+    [Theory]
+    [InlineData("hello world")]
+    [InlineData(" hello world ")]
+    [InlineData("hello\tworld")]
+    [InlineData("hello\r\nworld")]
+    [InlineData("hello\nworld")]
+    public void ReplaceWhiteSpace_Success(string email)
+    {
+        Assert.Equal("helloworld", CoreHelpers.ReplaceWhiteSpace(email, string.Empty));
+    }
 }