[v15] Validate redirect URL origin during app authentication (#47809)

gravitational · Oct 24, 2024 · 31cb003 · 31cb003
1 parent 5778c5a
commit 31cb003
Showing 1 changed file with 12 additions and 7 deletions.
diff --git a/lib/web/app/redirect.go b/lib/web/app/redirect.go
@@ -72,8 +72,9 @@ const appRedirectHTML = `
     <title>Teleport Redirection Service</title>
     <script nonce="{{.}}">
       (function() {
-        var url = new URL(window.location);
-        var params = new URLSearchParams(url.search);
+        var currentUrl = new URL(window.location);
+        var currentOrigin = currentUrl.origin;
+        var params = new URLSearchParams(currentUrl.search);
         var searchParts = window.location.search.split('=');
         var stateValue = params.get("state");
         var subjectValue = params.get("subject");
@@ -101,16 +102,20 @@ const appRedirectHTML = `
         }).then(response => {
           if (response.ok) {
             try {
-              // if a path parameter was passed through the redirect, append that path to the target url
+              // if a path parameter was passed through the redirect, append that path to the current origin
               if (path) {
-                var redirectUrl = new URL(path, url.origin)
-                window.location.replace(redirectUrl.toString());
+                var redirectUrl = new URL(path, currentOrigin)
+                if (redirectUrl.origin === currentOrigin) {
+                  window.location.replace(redirectUrl.toString())
+                } else {
+                  window.location.replace(currentOrigin)
+                }
               } else {
-                window.location.replace(url.origin);
+                window.location.replace(currentOrigin);
               }
             } catch (error) {
                 // in case of malformed url, return to origin
-                window.location.replace(url.origin)
+                window.location.replace(currentOrigin)
             }
           }
         });