Add additional RelayState URL validation #388
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Also, some additional debug logging. Also fixed an issue which would cause logout requests to redirect to the fallback login redirect url
tymees
commented
Oct 2, 2023
peppelinux
requested changes
Oct 2, 2023
|
I'd ask in this PR, if you agree, to bring the version up to 1.8.0 |
This will prevent redirect loops with the strict validation disabled Co-authored-by: Giuseppe De Marco <[email protected]>
|
Of course! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
A PR to fix #385;
I went for a different approach than I suggested in my issue. I noticed there was a
validate_referral_urlfunction, which seemed like a more logical place to check for URL validity.In addition, when looking at that function I noticed that there was an additional (hypothetical) issue, in which a RelayState for logout would redirect to the fallback login url if the RelayState didn't pass the allowed-host check.
Thus, I decided to refactor that function to only do validation checks, and moved the logic for deciding what to do when it fails to the functions that use it.
Validating if URLs are valid is always tricky, and my choice to use Django's
resolve_urlis thus not perfect as well. It will fail on values that could be a valid redirect target (I used a plain 'home' as an example). I cannot figure out a solution that will handle that gracefully but also fix the issue I described in #385.One could say those URLs are poorly-formatted, especially as Django by default enforces URLs have trailing slashes (which will be seen as valid). However, I don't want this stricter validation to enforce some idealistic idea of URL formatting. Thus, I decided to add a settings opt-out to my new check, as described in the additional docs I provided.
I also added some extra debug logging, these are similar to the ones I added when debugging where my error was coming from. Hopefully they help other devs figuring out why their app does not do what they think it should ;)
Please feel free to completely disagree with this approach, I'd be happy to make a different PR if requested :) Any other comments are also welcome of course.
--
As an aside, the docs say I should target the dev branch for PR's. However, that branch seems outdated, and misses the very commit that caused the issue. So I hope me targeting the master branch instead is fine?