liuxiran commented on a change in pull request #1284:
URL: https://github.com/apache/apisix-dashboard/pull/1284#discussion_r556279018



##########
File path: web/src/pages/Setting/Setting.tsx
##########
@@ -62,7 +62,15 @@ const Setting: React.FC = () => {
         });
         setTimeout(() => {
           const redirect = getUrlQuery('redirect');
-          window.location.href = redirect ? decodeURIComponent(redirect) : '/';
+          const currentHost = window.location.host;
+          if (redirect) {
+            const redirectUrl = decodeURIComponent(redirect);
+            const redirectHost = redirectUrl.split('/')[2];
+            if (currentHost === redirectHost) {
+              window.location.href = redirectUrl;
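Review bot: the host check on the `redirectHost` / `currentHost` lines breaks the relative redirects the removed line supported: a value such as `/routes` gives `'/routes'.split('/')[2] === 'routes'`, which never equals `window.location.host`, so every in-app redirect now fails the comparison, while the check itself only looks at a positional string segment and never at the scheme. Parse instead of splitting, e.g. `const url = new URL(redirectUrl, window.location.origin);` and compare `url.origin === window.location.origin`, then assign `url.pathname + url.search + url.hash`; the hunk is also cut off before any `else`, so please make sure the mismatch and missing-`redirect` cases still fall back to `'/'` as before.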

Review comment:
> To guard against untrusted URL redirection, it is advisable to avoid
> putting user input directly into a redirect URL. Instead, maintain a list of
> authorized redirects on the server; then choose from that list based on the
> user input provided.

After reading the recommended note from CodeQL, it seems that all URLs derived
from user input are considered risky, so only limiting to the same host is not
enough (the risk still exists).

Since the redirectUrl could not come from the server (the recommended way), we
may try to use `history.push` instead of `window.location.href` to avoid this
security risk, which can also complete the page redirect action.
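A same-origin check done on the parsed URL rather than on a raw string segment, as an added JavaScript example that is not part of the PR or the apisix-dashboard code (the function name and the origin values are assumptions); it returns only an in-app path, which is what a router `history.push` call accepts, and falls back to `/` for anything else:

```javascript
// Added example, not from the apisix-dashboard PR. `redirect` is the already
// decoded query value, `currentOrigin` is the app's own origin (in the
// browser: window.location.origin). Returns a same-origin path or '/'.
function safeRedirectPath(redirect, currentOrigin) {
  if (typeof redirect !== 'string' || redirect.length === 0) {
    return '/'; // no redirect requested: keep the previous default
  }
  let url;
  try {
    // Resolving against currentOrigin makes a bare path like "/routes"
    // same-origin, while an absolute URL keeps its own scheme and host.
    url = new URL(redirect, currentOrigin);
  } catch (e) {
    return '/'; // unparseable input is not a usable redirect target
  }
  // Compare the parsed origin (scheme + host + port), not a positional
  // substring: a split('/')[2] check neither normalises nor sees the scheme.
  if (url.origin !== currentOrigin) {
    return '/';
  }
  // Hand back only the in-app part; a router push never changes origin.
  return url.pathname + url.search + url.hash;
}
```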




----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org