This is an automated email from the ASF dual-hosted git repository.

vincbeck pushed a commit to branch v3-0-test
in repository https://gitbox.apache.org/repos/asf/airflow.git


The following commit(s) were added to refs/heads/v3-0-test by this push:
     new bda116fbc07 [v3-0-test] Better handle safe url redirects in login form 
for SimpleAuthManager (#49697) (#49723)
bda116fbc07 is described below

commit bda116fbc07d22c67a99905510e6f79dfc325b34
Author: github-actions[bot] 
<41898282+github-actions[bot]@users.noreply.github.com>
AuthorDate: Thu Apr 24 11:39:23 2025 -0400

    [v3-0-test] Better handle safe url redirects in login form for 
SimpleAuthManager (#49697) (#49723)
    
    (cherry picked from commit ed06d99c226c92bd7251048686b0ea44cc26b715)
    
    Co-authored-by: Amogh Desai <[email protected]>
---
 .../auth/managers/simple/ui/src/login/Login.tsx       | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git 
a/airflow-core/src/airflow/api_fastapi/auth/managers/simple/ui/src/login/Login.tsx
 
b/airflow-core/src/airflow/api_fastapi/auth/managers/simple/ui/src/login/Login.tsx
index 206cf42e2c0..34691eacf85 100644
--- 
a/airflow-core/src/airflow/api_fastapi/auth/managers/simple/ui/src/login/Login.tsx
+++ 
b/airflow-core/src/airflow/api_fastapi/auth/managers/simple/ui/src/login/Login.tsx
@@ -32,6 +32,18 @@ export type LoginBody = {
   username: string;
 };
 
+const isSafeUrl = (targetUrl: string): boolean => {
+  try {
+    // eslint-disable-next-line no-restricted-globals
+    const base = new URL(window.location.origin);
+    const target = new URL(targetUrl, base);
+
+    return (target.protocol === "http:" || target.protocol === "https:") && 
target.origin === base.origin;
+  } catch {
+    return false;
+  }
+};
+
 const LOCAL_STORAGE_DISABLE_BANNER_KEY = "disable-sam-banner";
 
 export const Login = () => {
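Review bot: `isSafeUrl` reads `window.location.origin` behind an eslint-disable while the rest of this file uses `globalThis.location` (the `secure:` cookie option and the `replace` call in the next hunk); `const base = new URL(globalThis.location.origin);` does the same job without the disable comment. The helper is also undocumented, and since it is the guard that decides whether user-supplied `next` values are followed, a short TSDoc stating the contract would help the next reader: a relative or absolute target is accepted only when it resolves to an http(s) URL on the current origin, so protocol-relative and `javascript:` targets are rejected, and an unparsable input yields false. Its parameter is typed `string`, yet the only caller passes a possibly-null `next` with a `!`; widening the signature to `targetUrl: string | null` and returning false for null would make that case explicit here instead of relying on the caller.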
@@ -45,12 +57,17 @@ export const Login = () => {
     // Redirect to appropriate page with the token
     const next = searchParams.get("next");
 
+    // Fallback similar to FabAuthManager, strip off the next
+    const fallback = "/";
+
     setCookie("_token", data.access_token, {
       path: "/",
       secure: globalThis.location.protocol !== "http:",
     });
 
-    globalThis.location.replace(next ?? "");
+    const redirectTarget = isSafeUrl(next!) ? next : fallback;
+
+    globalThis.location.replace(redirectTarget!);
   };
   const { createToken, error, isPending, setError } = useCreateToken({
     onSuccess,
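Review bot: When `next` is absent, `isSafeUrl(next!)` is called with `null`, which the URL constructor stringifies to the same-origin path `/null`, so the check passes and `globalThis.location.replace(null!)` navigates to `/null` instead of the `fallback` defined just above. Before this change the absent case reloaded the current URL via `next ?? ""`, so the non-null assertions introduce a regression rather than just silencing the checker. Drop both `!` and test for null explicitly: `const redirectTarget = next !== null && isSafeUrl(next) ? next : fallback;` followed by `globalThis.location.replace(redirectTarget);`. The enclosing `onSuccess` handler starts outside the hunk.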
