From 142a75b00736b692d37ca607be8142af5a1480b2 Mon Sep 17 00:00:00 2001 From: Syed Sajjad Hussain Shah <52817156+syedsajjadkazmii@users.noreply.github.com> Date: Fri, 4 Nov 2022 08:53:44 +0500 Subject: [PATCH] fix: add fix for XSS Vulnerability and Open Redirect [VAN-1133] (#259) --- openedx/core/djangoapps/user_authn/utils.py | 10 ++++++++++ .../djangoapps/user_authn/views/tests/test_logout.py | 2 ++ 2 files changed, 12 insertions(+) diff --git a/openedx/core/djangoapps/user_authn/utils.py b/openedx/core/djangoapps/user_authn/utils.py index 490223eaec..5b70d24278 100644 --- a/openedx/core/djangoapps/user_authn/utils.py +++ b/openedx/core/djangoapps/user_authn/utils.py @@ -19,6 +19,13 @@ from openedx.core.djangoapps.password_policy.hibp import PwnedPasswordsAPI from openedx.core.djangoapps.user_api.accounts import USERNAME_MAX_LENGTH +def _remove_unsafe_bytes_from_url(url): + _UNSAFE_URL_BYTES_TO_REMOVE = ["\t", "\r", "\n"] + for byte in _UNSAFE_URL_BYTES_TO_REMOVE: + url = url.replace(byte, "") + return url + + def is_safe_login_or_logout_redirect(redirect_to, request_host, dot_client_id, require_https): """ Determine if the given redirect URL/path is safe for redirection. @@ -41,6 +48,8 @@ def is_safe_login_or_logout_redirect(redirect_to, request_host, dot_client_id, r login_redirect_whitelist = set(getattr(settings, 'LOGIN_REDIRECT_WHITELIST', [])) login_redirect_whitelist.add(request_host) + redirect_to = _remove_unsafe_bytes_from_url(redirect_to) + # Allow OAuth2 clients to redirect back to their site after logout. if dot_client_id: application = Application.objects.get(client_id=dot_client_id) @@ -50,6 +59,7 @@ def is_safe_login_or_logout_redirect(redirect_to, request_host, dot_client_id, r is_safe_url = http.is_safe_url( redirect_to, allowed_hosts=login_redirect_whitelist, require_https=require_https ) + return is_safe_url diff --git a/openedx/core/djangoapps/user_authn/views/tests/test_logout.py b/openedx/core/djangoapps/user_authn/views/tests/test_logout.py index 2a458cb4fc..84fa3b8d7d 100644 --- a/openedx/core/djangoapps/user_authn/views/tests/test_logout.py +++ b/openedx/core/djangoapps/user_authn/views/tests/test_logout.py @@ -88,6 +88,8 @@ class LogoutTests(TestCase): @ddt.data( ('https://www.amazon.org', 'edx.org'), + ('/%09/google.com/', 'edx.org'), + ('java%0D%0Ascript%0D%0A%3aalert(document.domain)', 'edx.org'), ) @ddt.unpack def test_logout_redirect_failure(self, redirect_url, host):