Merge pull request #521 from intuitem/fix/non_filtered_next_redirection

Fix non filtered next redirection

frontend/messages/de.json

@@ -460,7 +460,7 @@
 	"domainManager": "Domänen-Manager",
 	"analyst": "Analyst",
 	"successfullyCreatedObject": "Das {object} Objekt wurde erfolgreich erstellt",
-	"successfullyUpdatedObject": "Das {object} Objekt: {name} wurde erfolgreich aktualisiert",
+	"successfullyUpdatedObject": "Das {object} Objekt wurde erfolgreich aktualisiert",
 	"successfullySavedObject": "Das {object} Objekt wurde erfolgreich gespeichert",
 	"successfullyDeletedObject": "Das {object} Objekt wurde erfolgreich gelöscht",
 	"successfullyDeletedLibrary": "Die Bibliothek wurde erfolgreich gelöscht",

frontend/messages/en.json

@@ -460,7 +460,7 @@
 	"domainManager": "Domain manager",
 	"analyst": "Analyst",
 	"successfullyCreatedObject": "The {object} object has been successfully created",
-	"successfullyUpdatedObject": "The {object} object: {name} has been successfully updated",
+	"successfullyUpdatedObject": "The {object} object has been successfully updated",
 	"successfullySavedObject": "The {object} object has been successfully saved",
 	"successfullyDeletedObject": "The {object} object has been successfully deleted",
 	"successfullyDeletedLibrary": "The library has been successfully deleted",

frontend/messages/es.json

@@ -460,7 +460,7 @@
 	"domainManager": "Gerente de dominio",
 	"analyst": "Analista",
 	"successfullyCreatedObject": "El objeto {object} se ha creado con éxito",
-	"successfullyUpdatedObject": "El objeto {object}: {name} se ha actualizado con éxito",
+	"successfullyUpdatedObject": "El objeto {object} se ha actualizado con éxito",
 	"successfullySavedObject": "El objeto {object} se ha guardado con éxito",
 	"successfullyDeletedObject": "El objeto {object} se ha eliminado con éxito",
 	"successfullyDeletedLibrary": "La biblioteca se ha eliminado con éxito",

frontend/messages/fr.json

@@ -460,7 +460,7 @@
 	"domainManager": "Gestionnaire de domaine",
 	"analyst": "Analyste",
 	"successfullyCreatedObject": "L'objet {object} a été créé avec succès",
-	"successfullyUpdatedObject": "L'objet {object}: {name} a été mis à jour avec succès",
+	"successfullyUpdatedObject": "L'objet {object} a été mis à jour avec succès",
 	"successfullySavedObject": "L'objet {object} a été enregistré avec succès",
 	"successfullyDeletedObject": "L'objet {object} a été supprimé avec succès",
 	"successfullyDeletedLibrary": "La librairie a été supprimée avec succès",

frontend/messages/it.json

@@ -460,7 +460,7 @@
 	"domainManager": "Manager di dominio",
 	"analyst": "Analista",
 	"successfullyCreatedObject": "L'oggetto {object} è stato creato con successo",
-	"successfullyUpdatedObject": "L'oggetto {object}: {name} è stato aggiornato con successo",
+	"successfullyUpdatedObject": "L'oggetto {object} è stato aggiornato con successo",
 	"successfullySavedObject": "L'oggetto {object} è stato salvato con successo",
 	"successfullyDeletedObject": "L'oggetto {object} è stato eliminato con successo",
 	"successfullyDeletedLibrary": "La biblioteca è stata eliminata con successo",

frontend/messages/nl.json

@@ -460,7 +460,7 @@
 	"domainManager": "Domeinbeheerder",
 	"analyst": "Analist",
 	"successfullyCreatedObject": "Het {object} object is succesvol aangemaakt",
-	"successfullyUpdatedObject": "Het {object} object: {name} is succesvol bijgewerkt",
+	"successfullyUpdatedObject": "Het {object} object is succesvol bijgewerkt",
 	"successfullySavedObject": "Het {object} object is succesvol opgeslagen",
 	"successfullyDeletedObject": "Het {object} object is succesvol verwijderd",
 	"successfullyDeletedLibrary": "De bibliotheek is succesvol verwijderd",

frontend/messages/pt.json

@@ -460,7 +460,7 @@
 	"domainManager": "Gerente de domínio",
 	"analyst": "Analista",
 	"successfullyCreatedObject": "O objeto {object} foi criado com sucesso",
-	"successfullyUpdatedObject": "O objeto {object}: {name} foi atualizado com sucesso",
+	"successfullyUpdatedObject": "O objeto {object} foi atualizado com sucesso",
 	"successfullySavedObject": "O objeto {object} foi salvo com sucesso",
 	"successfullyDeletedObject": "O objeto {object} foi excluído com sucesso",
 	"successfullyDeletedLibrary": "A biblioteca foi excluída com sucesso",

frontend/src/lib/components/Forms/ModelForm.svelte

@@ -20,6 +20,7 @@
 	import { page } from '$app/stores';
 	import * as m from '$paraglide/messages.js';
 	import { zod } from 'sveltekit-superforms/adapters';
+	import { getSecureRedirect } from '$lib/utils/helpers';
 
 	export let form: SuperValidated<AnyZodObject>;
 	export let model: ModelInfo;
@@ -36,7 +37,7 @@
 		if (browser) {
 			var currentUrl = window.location.href;
 			var url = new URL(currentUrl);
-			var nextValue = url.searchParams.get('next');
+			var nextValue = getSecureRedirect(url.searchParams.get('next'));
 			if (nextValue) window.location.href = nextValue;
 		}
 	}

frontend/src/lib/utils/helpers.ts

@@ -56,3 +56,8 @@ export function formatScoreValue(value: number, max_score: number) {
 	}
 	return (value * 100) / max_score;
 }
+
+export function getSecureRedirect(url: any): string {
+	const SECURE_REDIRECT_URL_REGEX = /^\/(?!.*\/\/)[^\s]*$/;
+	return typeof url === 'string' && SECURE_REDIRECT_URL_REGEX.test(url) ? url : '';
+}

frontend/src/routes/(app)/[model=urlmodel]/[id=uuid]/edit/+layout.server.ts

@@ -1,5 +1,6 @@
 import { superValidate } from 'sveltekit-superforms';
 import type { LayoutServerLoad } from './$types';
+import { getSecureRedirect } from '$lib/utils/helpers';
 import { redirect } from '@sveltejs/kit';
 import { setFlash } from 'sveltekit-flash-message/server';
 import { BASE_API_URL } from '$lib/utils/constants';
@@ -35,7 +36,8 @@ export const load: LayoutServerLoad = async (event) => {
 			);
 			throw redirect(
 				302,
-				event.url.searchParams.get('next') || `/${model.urlModel}/${riskAcceptance.id}`
+				getSecureRedirect(event.url.searchParams.get('next')) ||
+					`/${model.urlModel}/${riskAcceptance.id}`
 			);
 		}
 	}

frontend/src/routes/(app)/[model=urlmodel]/[id=uuid]/edit/+page.server.ts

@@ -4,6 +4,7 @@ import { fail, type Actions } from '@sveltejs/kit';
 import { setError, superValidate } from 'sveltekit-superforms';
 import { setFlash } from 'sveltekit-flash-message/server';
 import { urlParamModelVerboseName } from '$lib/utils/crud';
+import { getSecureRedirect } from '$lib/utils/helpers';
 import { redirect } from '@sveltejs/kit';
 
 import { localItems, toCamelCase } from '$lib/utils/locales';
@@ -100,7 +101,8 @@ export const actions: Actions = {
 		);
 		redirect(
 			302,
-			event.url.searchParams.get('next') ?? `/${event.params.model}/${event.params.id}`
+			getSecureRedirect(event.url.searchParams.get('next')) ??
+				`/${event.params.model}/${event.params.id}`
 		);
 	}
 };

frontend/src/routes/(app)/requirement-assessments/[id=uuid]/+page.server.ts

@@ -8,6 +8,7 @@ import * as m from '$paraglide/messages';
 import { languageTag } from '$paraglide/runtime';
 import { tableSourceMapper, type TableSource } from '@skeletonlabs/skeleton';
 import type { Actions } from '@sveltejs/kit';
+import { getSecureRedirect } from '$lib/utils/helpers';
 import { fail, redirect } from '@sveltejs/kit';
 import { setFlash } from 'sveltekit-flash-message/server';
 import { setError, superValidate } from 'sveltekit-superforms';
@@ -259,7 +260,7 @@ export const actions: Actions = {
 		setFlash({ type: 'success', message: m.successfullySavedObject({ object: model }) }, event);
 		redirect(
 			302,
-			event.url.searchParams.get('next') ||
+			getSecureRedirect(event.url.searchParams.get('next')) ||
 				`/compliance-assessments/${object.compliance_assessment}/`
 		);
 	},

frontend/src/routes/(app)/requirement-assessments/[id=uuid]/+page.svelte

@@ -20,6 +20,7 @@
 	import CreateModal from '$lib/components/Modals/CreateModal.svelte';
 	import ModelTable from '$lib/components/ModelTable/ModelTable.svelte';
 	import { getOptions } from '$lib/utils/crud';
+	import { getSecureRedirect } from '$lib/utils/helpers';
 	import { breadcrumbObject } from '$lib/utils/stores';
 	import {
 		getModalStore,
@@ -43,7 +44,7 @@
 	function cancel(): void {
 		var currentUrl = window.location.href;
 		var url = new URL(currentUrl);
-		var nextValue = url.searchParams.get('next');
+		var nextValue = getSecureRedirect(url.searchParams.get('next'));
 		if (nextValue) window.location.href = nextValue;
 	}
 

frontend/src/routes/(app)/risk-scenarios/[id=uuid]/edit/+page.svelte

@@ -8,6 +8,7 @@
 	import ModelTable from '$lib/components/ModelTable/ModelTable.svelte';
 	import { getOptions } from '$lib/utils/crud';
 	import { modelSchema } from '$lib/utils/schemas';
+	import { getSecureRedirect } from '$lib/utils/helpers';
 	import {
 		getModalStore,
 		getToastStore,
@@ -52,7 +53,7 @@
 		if (browser) {
 			var currentUrl = window.location.href;
 			var url = new URL(currentUrl);
-			var nextValue = url.searchParams.get('next');
+			var nextValue = getSecureRedirect(url.searchParams.get('next'));
 			if (nextValue) window.location.href = nextValue;
 		}
 	}
@@ -113,7 +114,7 @@
 			}
 		));
 	}
-	const next = $page.url.searchParams.get('next');
+	const next = getSecureRedirect($page.url.searchParams.get('next'));
 
 	function riskColorMap() {
 		let color_map = {};

frontend/src/routes/(app)/users/[id=uuid]/edit/+page.server.ts

@@ -2,6 +2,7 @@ import { BASE_API_URL } from '$lib/utils/constants';
 import { UserEditSchema } from '$lib/utils/schemas';
 import { setError, superValidate } from 'sveltekit-superforms';
 import type { PageServerLoad } from './$types';
+import { getSecureRedirect } from '$lib/utils/helpers';
 import { redirect, fail, type Actions } from '@sveltejs/kit';
 import { getModelInfo } from '$lib/utils/crud';
 import { setFlash } from 'sveltekit-flash-message/server';
@@ -73,6 +74,9 @@ export const actions: Actions = {
 			{ type: 'success', message: m.successfullyUpdatedUser({ email: form.data.email }) },
 			event
 		);
-		redirect(302, event.url.searchParams.get('next') ?? `/users/${event.params.id}`);
+		redirect(
+			302,
+			getSecureRedirect(event.url.searchParams.get('next')) ?? `/users/${event.params.id}`
+		);
 	}
 };

frontend/src/routes/(authentication)/login/+page.server.ts

@@ -1,3 +1,5 @@
+import { getSecureRedirect } from '$lib/utils/helpers';
+
 import { fail, redirect, type Actions } from '@sveltejs/kit';
 import { zod } from 'sveltekit-superforms/adapters';
 import type { PageServerLoad } from './$types';
@@ -6,7 +8,6 @@ import { BASE_API_URL } from '$lib/utils/constants';
 import { csrfToken } from '$lib/utils/csrf';
 import { loginSchema } from '$lib/utils/schemas';
 import { setError, superValidate } from 'sveltekit-superforms';
-
 export const load: PageServerLoad = async ({ request, locals }) => {
 	// redirect user if already logged in
 	if (locals.user) {
@@ -63,6 +64,6 @@ export const actions: Actions = {
 			secure: true
 		});
 
-		redirect(302, url.searchParams.get('next') || '/analytics');
+		redirect(302, getSecureRedirect(url.searchParams.get('next')) || '/analytics');
 	}
 };

frontend/tests/utils/page-detail.ts

@@ -31,10 +31,7 @@ export class PageDetail extends BasePage {
 		await this.form.fill(editedValues);
 		await this.form.saveButton.click();
 
-		await this.isToastVisible(
-			'The .+' + { ...buildParams, ...editedValues }.email ??
-				'' + 'object has been successfully updated'
-		);
+		await this.isToastVisible('The .+ has been successfully updated');
 		return editedValues;
 	}