This is an automated email from the ASF dual-hosted git repository. kaxilnaik pushed a commit to branch v3-0-test in repository https://gitbox.apache.org/repos/asf/airflow.git
commit d2c54530b4c13d59e9833c2373456820fe9df0ea Author: Amogh Desai <[email protected]> AuthorDate: Thu Apr 24 19:54:16 2025 +0530 Better handle safe url redirects in login form for SimpleAuthManager (#49697)
---
 .../auth/managers/simple/ui/src/login/Login.tsx | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/airflow-core/src/airflow/api_fastapi/auth/managers/simple/ui/src/login/Login.tsx b/airflow-core/src/airflow/api_fastapi/auth/managers/simple/ui/src/login/Login.tsx
index 206cf42e2c0..34691eacf85 100644
--- a/airflow-core/src/airflow/api_fastapi/auth/managers/simple/ui/src/login/Login.tsx
+++ b/airflow-core/src/airflow/api_fastapi/auth/managers/simple/ui/src/login/Login.tsx
@@ -32,6 +32,18 @@ export type LoginBody = {
   username: string;
 };
 
+const isSafeUrl = (targetUrl: string): boolean => {
+  try {
+    // eslint-disable-next-line no-restricted-globals
+    const base = new URL(window.location.origin);
+    const target = new URL(targetUrl, base);
+
+    return (target.protocol === "http:" || target.protocol === "https:") && target.origin === base.origin;
+  } catch {
+    return false;
+  }
+};
+
 const LOCAL_STORAGE_DISABLE_BANNER_KEY = "disable-sam-banner";
 
 export const Login = () => {
@@ -45,12 +57,17 @@ export const Login = () => {
     // Redirect to appropriate page with the token
     const next = searchParams.get("next");
 
+    // Fallback similar to FabAuthManager, strip off the next
+    const fallback = "/";
+
     setCookie("_token", data.access_token, {
       path: "/",
       secure: globalThis.location.protocol !== "http:",
     });
-    globalThis.location.replace(next ?? "");
+    const redirectTarget = isSafeUrl(next!) ? next : fallback;
+
+    globalThis.location.replace(redirectTarget!);
   };
 
   const { createToken, error, isPending, setError } = useCreateToken({
     onSuccess,
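Review bot: `isSafeUrl` reads `window.location.origin` behind an eslint-disable while the rest of the file reaches the location through `globalThis.location` (see the `setCookie` and `replace` calls in the second hunk); `const base = new URL(globalThis.location.origin);` keeps the file consistent and removes the need for the suppression. The helper also deserves a short doc comment stating its contract, e.g. `/** True only when targetUrl resolves to an http(s) URL on this page's origin; relative paths are resolved against the current origin, and anything that fails to parse is rejected. */`. The protocol test is already implied by the origin comparison whenever the page itself is served over http(s), but it is cheap and documents intent, so it can stay.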
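Review bot: When the `next` query parameter is absent, `isSafeUrl(next!)` hands `null` to `new URL(null, base)`, which stringifies it to `"null"` and resolves to a same-origin `/null` path, so the check returns true and `globalThis.location.replace(redirectTarget!)` navigates to that path instead of `fallback`; the removed `next ?? ""` covered this case. Guard the null before the check and both non-null assertions become unnecessary: `const redirectTarget = next !== null && isSafeUrl(next) ? next : fallback;` followed by `globalThis.location.replace(redirectTarget);`. The enclosing `onSuccess` handler begins before this hunk.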
