This is an automated email from the ASF dual-hosted git repository.
vincbeck pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow.git
The following commit(s) were added to refs/heads/main by this push:
new ed06d99c226 Better handle safe url redirects in login form for
SimpleAuthManager (#49697)
ed06d99c226 is described below
commit ed06d99c226c92bd7251048686b0ea44cc26b715
Author: Amogh Desai <[email protected]>
AuthorDate: Thu Apr 24 19:54:16 2025 +0530
Better handle safe url redirects in login form for SimpleAuthManager
(#49697)
---
.../auth/managers/simple/ui/src/login/Login.tsx | 19 ++++++++++++++++++-
1 file changed, 18 insertions(+), 1 deletion(-)
diff --git
a/airflow-core/src/airflow/api_fastapi/auth/managers/simple/ui/src/login/Login.tsx
b/airflow-core/src/airflow/api_fastapi/auth/managers/simple/ui/src/login/Login.tsx
index 206cf42e2c0..34691eacf85 100644
---
a/airflow-core/src/airflow/api_fastapi/auth/managers/simple/ui/src/login/Login.tsx
+++
b/airflow-core/src/airflow/api_fastapi/auth/managers/simple/ui/src/login/Login.tsx
@@ -32,6 +32,18 @@ export type LoginBody = {
username: string;
};
+const isSafeUrl = (targetUrl: string): boolean => {
+ try {
+ // eslint-disable-next-line no-restricted-globals
+ const base = new URL(window.location.origin);
+ const target = new URL(targetUrl, base);
+
+ return (target.protocol === "http:" || target.protocol === "https:") &&
target.origin === base.origin;
+ } catch {
+ return false;
+ }
+};
+
const LOCAL_STORAGE_DISABLE_BANNER_KEY = "disable-sam-banner";
export const Login = () => {
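Review bot: The new `isSafeUrl` at the top of the hunk reads `window.location.origin` and needs an eslint-disable for it, while the rest of this file reaches the same object through `globalThis.location` (see the cookie and `replace` calls in the next hunk); using `const base = new URL(globalThis.location.origin);` keeps the file consistent and drops the `// eslint-disable-next-line no-restricted-globals` line. The protocol check deserves a comment, because at first glance `target.origin === base.origin` already implies matching scheme: the explicit `http:`/`https:` test is what rejects a target whose serialized origin is the opaque `"null"` when the page itself is served from an opaque origin, so I would add `// Origin equality alone is not enough: opaque origins serialize as "null" and would compare equal.` above the return. Note also that the helper returns true for the empty string (it resolves to the base URL), so callers should decide separately whether an empty `next` is acceptable.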
@@ -45,12 +57,17 @@ export const Login = () => {
// Redirect to appropriate page with the token
const next = searchParams.get("next");
+ // Fallback similar to FabAuthManager, strip off the next
+ const fallback = "/";
+
setCookie("_token", data.access_token, {
path: "/",
secure: globalThis.location.protocol !== "http:",
});
- globalThis.location.replace(next ?? "");
+ const redirectTarget = isSafeUrl(next!) ? next : fallback;
+
+ globalThis.location.replace(redirectTarget!);
};
const { createToken, error, isPending, setError } = useCreateToken({
onSuccess,
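Review bot: `isSafeUrl(next!)` on the line after the cookie call is wrong when `next` is absent: `searchParams.get` returns `null`, the non-null assertion only silences the compiler, and `new URL(null, base)` stringifies the argument and resolves it as the relative path `/null`, which is same-origin and therefore "safe", so `redirectTarget` becomes `null` and `location.replace(null!)` navigates to `/null` instead of the `fallback` the hunk introduces. The old line `globalThis.location.replace(next ?? "")` at least handled the missing-parameter case. Guard the null explicitly and drop both assertions: `const redirectTarget = next !== null && isSafeUrl(next) ? next : fallback;` followed by `globalThis.location.replace(redirectTarget);`. The enclosing `onSuccess` handler starts before this hunk.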