mistercrunch commented on PR #35021: URL: https://github.com/apache/superset/pull/35021#issuecomment-3739939368
Codex says:

```
Double-encoded schemes bypass the new “dangerous scheme” guard and will execute if the user clicks “Continue.”

The backend validates the already-once-decoded url query param, so javascript%253Aalert(1) (or data: etc.) is accepted because it doesn’t start with javascript: after the first decode. The React page then calls decodeURIComponent on the already-decoded param and assigns it to window.location.href, so the payload becomes javascript:alert(1) and fires (or can be “trusted” for future auto-redirects). This is an open-redirect/XSS vector.

The backend should decode before validating and block non-http(s)/relative schemes, and the frontend should not double-decode or should re-validate the scheme before redirecting.

Files: superset/views/redirect.py:52-67, superset-frontend/src/pages/RedirectWarning/index.tsx:156-177.
```

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]
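The backend fix the comment asks for, as an added example rather than Superset's own code: `naive_is_allowed` models the gap described above (the framework has decoded the query parameter once, and the guard only checks the string prefix), and `hardened_is_allowed` percent-decodes to a fixed point before classifying the scheme, then allows only http(s) or relative targets. The prefix list in `BLOCKED_PREFIXES`, the five-round decode cap, and the control-character stripping are assumptions made for this example, not details taken from the pull request.

```python
"""Redirect-target validation that decodes before it validates.

Added example (not Superset's code). It places a once-decoded prefix
check, which a double-encoded scheme slips past, next to a hardened
check that fully decodes first and allowlists the scheme.
"""
from urllib.parse import unquote, urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Assumed shape of the original guard: a deny-list of dangerous prefixes.
BLOCKED_PREFIXES = ("javascript:", "data:")
# Characters browsers drop from a URL before parsing it (assumption for this example).
_STRIPPED_INSIDE = ("\t", "\r", "\n")
_LEADING_CONTROLS = "".join(chr(c) for c in range(0x21))


def naive_is_allowed(url_param: str) -> bool:
    """Model of the flawed check: the web framework has already decoded the
    query string once, so the guard sees 'javascript%3Aalert(1)' and passes it."""
    once_decoded = unquote(url_param)
    return not once_decoded.lower().startswith(BLOCKED_PREFIXES)


def fully_decode(value: str, max_rounds: int = 5) -> tuple[str, bool]:
    """Percent-decode until the result stops changing.

    Returns (decoded, converged). A value that is still changing after
    max_rounds is treated as suspicious by the caller.
    """
    current = value
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            return decoded, True
        current = decoded
    return current, False


def hardened_is_allowed(url_param: str) -> bool:
    """Decode first, then allow only http(s) absolute URLs or relative paths."""
    decoded, converged = fully_decode(url_param)
    if not converged:
        return False
    # Remove the characters a browser would ignore, so the scheme we classify
    # is the scheme the browser will actually act on.
    cleaned = decoded
    for ch in _STRIPPED_INSIDE:
        cleaned = cleaned.replace(ch, "")
    cleaned = cleaned.lstrip(_LEADING_CONTROLS)
    parts = urlsplit(cleaned)  # urlsplit lower-cases the scheme for us
    if parts.scheme == "":
        # No scheme: a relative target such as /superset/dashboard/1/.
        # (A protocol-relative //host/path also lands here; the browser treats it
        # as an http(s) link, which this allowlist permits anyway.)
        return True
    return parts.scheme in ALLOWED_SCHEMES


if __name__ == "__main__":
    # Constructed sample inputs; the double-encoded one is the case from the comment.
    for sample in ("javascript%253Aalert(1)", "https://example.com/page", "/superset/dashboard/1/"):
        print(f"{sample!r}: naive={naive_is_allowed(sample)} hardened={hardened_is_allowed(sample)}")
```

The same rule belongs on the frontend side: the React page should redirect to the value the backend already validated without decoding it again, or run an equivalent scheme check on the final string it assigns to `window.location.href`.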
