liuxiran commented on a change in pull request #1284: URL: https://github.com/apache/apisix-dashboard/pull/1284#discussion_r556279018
########## File path: web/src/pages/Setting/Setting.tsx ########## @@ -62,7 +62,15 @@ const Setting: React.FC = () => { }); setTimeout(() => { const redirect = getUrlQuery('redirect'); - window.location.href = redirect ? decodeURIComponent(redirect) : '/'; + const currentHost = window.location.host; + if (redirect) { + const redirectUrl = decodeURIComponent(redirect); + const redirectHost = redirectUrl.split('/')[2]; + if (currentHost === redirectHost) { + window.location.href = redirectUrl;

Review comment:

> To guard against untrusted URL redirection, it is advisable to avoid putting user input directly into a redirect URL. Instead, maintain a list of authorized redirects on the server; then choose from that list based on the user input provided.

After reading the recommended note from CodeQL, it seems that all URLs derived from user input are considered risky, so only limiting to the same host is not enough (the risk still exists). Since the redirectUrl could not come from the server (the recommended way), we may try to use `history.push` instead of `window.location.href` to avoid this security risk, which can also complete the page redirect action.
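Review bot: the host extraction in `const redirectHost = redirectUrl.split('/')[2];` only yields a host for absolute URLs that carry a scheme, so a relative `redirect` value such as `/routes` (the usual case for a login redirect) produces `undefined`, fails `if (currentHost === redirectHost)` and is silently dropped, while an absolute value that spells out the default port (`host:443`) mismatches `window.location.host`, which omits it. Parse instead with `new URL(redirectUrl, window.location.origin)` and compare `url.origin` against `window.location.origin`, which resolves relative paths, normalises ports and also checks the scheme, something a host-only comparison never does. The hunk also stops at `window.location.href = redirectUrl;` without showing the branch taken when the check fails; the `'/'` fallback from the removed line should be confirmed there so that a rejected value still lands the user on a page.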
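The comment above proposes moving the redirect to `history.push` so that the browser never navigates to an attacker-controlled origin. The following is an added example, not code from the apisix-dashboard pull request: it turns a raw `?redirect=` query value into a same-origin path that is safe to hand to a router's `history.push`, resolving relative values against the current origin and falling back to `/` for anything that parses to another origin or does not parse at all. The function name `safeRedirectPath` and the `currentOrigin` parameter are assumptions; in the browser the second argument would be `window.location.origin`, and it is passed explicitly here so the function also runs under Node.

```javascript
// Added example (not from apache/apisix-dashboard): reduce a user-supplied
// ?redirect= value to a path on the current origin, suitable for history.push.
// `currentOrigin` is assumed to be window.location.origin in the browser.
function safeRedirectPath(redirect, currentOrigin, fallback = '/') {
  if (typeof redirect !== 'string' || redirect.length === 0) return fallback;

  // The query value arrives percent-encoded; malformed encodings throw.
  let decoded;
  try {
    decoded = decodeURIComponent(redirect);
  } catch (e) {
    return fallback;
  }

  // Resolving against currentOrigin makes relative values ('/routes')
  // same-origin, while absolute values ('https://other/x', '//other/x',
  // 'javascript:...') keep their own origin and are caught below.
  let url;
  try {
    url = new URL(decoded, currentOrigin);
  } catch (e) {
    return fallback;
  }

  // Compare the full origin (scheme + host + port), not just the host.
  if (url.origin !== currentOrigin) return fallback;

  // Return only path, query and fragment: the origin is implied, so the
  // router (history.push) stays on the current site by construction.
  return url.pathname + url.search + url.hash;
}

// Constructed sample values showing the accept/reject behaviour.
function demo() {
  const origin = 'https://dashboard.example';
  const samples = [
    '%2Froutes%3Fpage%3D2',                    // encoded relative path -> accepted
    '/settings',                               // plain relative path -> accepted
    'https%3A%2F%2Fdashboard.example%2Fssl',   // same origin, absolute -> accepted
    'https://other.example/routes',            // other origin -> fallback
    '//other.example/routes',                  // protocol-relative -> fallback
    '%E0%A4%A',                                // malformed encoding -> fallback
  ];
  return samples.map((s) => [s, safeRedirectPath(s, origin)]);
}

module.exports = { safeRedirectPath, demo };
```

In the component this would replace the host comparison: compute `const path = safeRedirectPath(getUrlQuery('redirect'), window.location.origin)` and call `history.push(path)`. Because the returned value never contains a scheme or host, the router cannot be steered off the site even if a new bypass for string-based host checks appears later.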