verify redirects are safe before redirecting

2026-03-06 02:36:38 +00:00 · 2025-01-09 23:21:57 -05:00
parent a556339b76
commit 6c813186b8
18 changed files with 99 additions and 45 deletions
--- a/src/app/auth/signup/SignupForm.tsx
+++ b/src/app/auth/signup/SignupForm.tsx
@@ -30,6 +30,7 @@ import { formatAxiosError } from "@app/lib/api";
 import { createApiClient } from "@app/lib/api";
 import { useEnvContext } from "@app/hooks/useEnvContext";
 import Image from "next/image";
+import { cleanRedirect } from "@app/lib/cleanRedirect";

 type SignupFormProps = {
    redirect?: string;
@@ -92,17 +93,17 @@ export default function SignupForm({

            if (res.data?.data?.emailVerificationRequired) {
                if (redirect) {
-                    router.push(`/auth/verify-email?redirect=${redirect}`);
+                    const safe = cleanRedirect(redirect);
+                    router.push(`/auth/verify-email?redirect=${safe}`);
                } else {
                    router.push("/auth/verify-email");
                }
                return;
            }

-            if (redirect && redirect.includes("http")) {
-                window.location.href = redirect;
-            } else if (redirect) {
-                router.push(redirect);
+            if (redirect) {
+                const safe = cleanRedirect(redirect);
+                router.push(safe);
            } else {
                router.push("/");
            }
--- a/src/app/auth/signup/page.tsx
+++ b/src/app/auth/signup/page.tsx
@@ -1,5 +1,6 @@
 import SignupForm from "@app/app/auth/signup/SignupForm";
 import { verifySession } from "@app/lib/auth/verifySession";
+import { cleanRedirect } from "@app/lib/cleanRedirect";
 import { pullEnv } from "@app/lib/pullEnv";
 import { Mail } from "lucide-react";
 import Link from "next/link";
@@ -41,6 +42,11 @@ export default async function Page(props: {
        }
    }

+    let redirectUrl: string | undefined;
+    if (searchParams.redirect) {
+        redirectUrl = cleanRedirect(searchParams.redirect);
+    }
+
    return (
        <>
            {isInvite && (
@@ -59,7 +65,7 @@ export default async function Page(props: {
            )}

            <SignupForm
-                redirect={searchParams.redirect as string}
+                redirect={redirectUrl}
                inviteToken={inviteToken}
                inviteId={inviteId}
            />
@@ -68,9 +74,9 @@ export default async function Page(props: {
                Already have an account?{" "}
                <Link
                    href={
-                        !searchParams.redirect
+                        !redirectUrl
                            ? `/auth/login`
-                            : `/auth/login?redirect=${searchParams.redirect}`
+                            : `/auth/login?redirect=${redirectUrl}`
                    }
                    className="underline"
                >