Sanitize redirect paths in the gh installation and auth flow

Author: myftija

apps/webapp/app/routes/_app.github.callback/route.tsx

@@ -7,6 +7,7 @@ import { redirectWithErrorMessage, redirectWithSuccessMessage } from "~/models/m
 import { tryCatch } from "@trigger.dev/core";
 import { $replica } from "~/db.server";
 import { requireUser } from "~/services/session.server";
+import { sanitizeRedirectPath } from "~/utils";
 
 const QuerySchema = z.discriminatedUnion("setup_action", [
   z.object({
@@ -52,7 +53,8 @@ export async function loader({ request }: LoaderFunctionArgs) {
     return redirectWithErrorMessage("/", request, "Failed to install GitHub App");
   }
 
-  const { organizationId, redirectTo } = sessionResult;
+  const { organizationId, redirectTo: unsafeRedirectTo } = sessionResult;
+  const redirectTo = sanitizeRedirectPath(unsafeRedirectTo);
 
   const user = await requireUser(request);
   const org = await $replica.organization.findFirst({

apps/webapp/app/routes/_app.github.install/route.tsx

@@ -6,10 +6,13 @@ import { createGitHubAppInstallSession } from "~/services/gitHubSession.server";
 import { requireUser } from "~/services/session.server";
 import { newOrganizationPath } from "~/utils/pathBuilder";
 import { logger } from "~/services/logger.server";
+import { sanitizeRedirectPath } from "~/utils";
 
 const QuerySchema = z.object({
   org_slug: z.string(),
-  redirect_to: z.string(),
+  redirect_to: z.string().refine((value) => value === sanitizeRedirectPath(value), {
+    message: "Invalid redirect path",
+  }),
 });
 
 export const loader = async ({ request }: LoaderFunctionArgs) => {

apps/webapp/app/routes/auth.github.callback.tsx

@@ -5,11 +5,12 @@ import { getSession, redirectWithErrorMessage } from "~/models/message.server";
 import { authenticator } from "~/services/auth.server";
 import { commitSession } from "~/services/sessionStorage.server";
 import { redirectCookie } from "./auth.github";
+import { sanitizeRedirectPath } from "~/utils";
 
 export let loader: LoaderFunction = async ({ request }) => {
   const cookie = request.headers.get("Cookie");
   const redirectValue = await redirectCookie.parse(cookie);
-  const redirectTo = redirectValue ?? "/";
+  const redirectTo = sanitizeRedirectPath(redirectValue);
 
   const auth = await authenticator.authenticate("github", request, {
     failureRedirect: "/login", // If auth fails, the failureRedirect will be thrown as a Response

apps/webapp/app/utils.ts

@@ -7,22 +7,38 @@ const DEFAULT_REDIRECT = "/";
  * This should be used any time the redirect path is user-provided
  * (Like the query string on our login/signup pages). This avoids
  * open-redirect vulnerabilities.
- * @param {string} to The redirect destination
+ * @param {string} path The redirect destination
  * @param {string} defaultRedirect The redirect to use if the to is unsafe.
  */
-export function safeRedirect(
-  to: FormDataEntryValue | string | null | undefined,
+export function sanitizeRedirectPath(
+  path: string | undefined | null,
   defaultRedirect: string = DEFAULT_REDIRECT
-) {
-  if (!to || typeof to !== "string") {
+): string {
+  if (!path || typeof path !== "string") {
     return defaultRedirect;
   }
 
-  if (!to.startsWith("/") || to.startsWith("//")) {
+  if (!path.startsWith("/") || path.startsWith("//")) {
     return defaultRedirect;
   }
 
-  return to;
+  try {
+    // should not parse as a full URL
+    new URL(path);
+    return defaultRedirect;
+  } catch {}
+
+  try {
+    // ensure it's a valid relative path
+    const url = new URL(path, "https://example.com");
+    if (url.hostname !== "example.com") {
+      return defaultRedirect;
+    }
+  } catch {
+    return defaultRedirect;
+  }
+
+  return path;
 }
 
 /**