From fc1d7c70592cfbc65e61c047bcc138850d91a55b Mon Sep 17 00:00:00 2001
From: Kyle Spearrin
Date: Tue, 6 Feb 2024 13:30:37 -0500
Subject: [PATCH] [PM-3561] Clean the return url of any whitespace (#3696)
* clean the return url of any whitespace
* ReplaceWhiteSpace helper
* tests for ReplaceWhiteSpace helper
---------
Co-authored-by: Matt Bishop
---
 .../src/Sso/Controllers/AccountController.cs | 2 ++
 src/Core/Utilities/CoreHelpers.cs | 6 ++++++
 test/Core.Test/Utilities/CoreHelpersTests.cs | 11 +++++++++++
 3 files changed, 19 insertions(+)
diff --git a/bitwarden_license/src/Sso/Controllers/AccountController.cs b/bitwarden_license/src/Sso/Controllers/AccountController.cs
index 11a42e3cb..cbee7ed7d 100644
--- a/bitwarden_license/src/Sso/Controllers/AccountController.cs
+++ b/bitwarden_license/src/Sso/Controllers/AccountController.cs
@@ -209,6 +209,8 @@ public class AccountController : Controller
 returnUrl = "~/";
 }
+ // Clean the returnUrl
+ returnUrl = CoreHelpers.ReplaceWhiteSpace(returnUrl, string.Empty);
 if (!Url.IsLocalUrl(returnUrl) && !_interaction.IsValidReturnUrl(returnUrl))
 {
 throw new Exception(_i18nService.T("InvalidReturnUrl"));
diff --git a/src/Core/Utilities/CoreHelpers.cs b/src/Core/Utilities/CoreHelpers.cs
index ea3082e84..b54cbc3f5 100644
--- a/src/Core/Utilities/CoreHelpers.cs
+++ b/src/Core/Utilities/CoreHelpers.cs
@@ -31,6 +31,7 @@ public static class CoreHelpers
 private static readonly DateTime _max = new DateTime(9999, 1, 1, 0, 0, 0, DateTimeKind.Utc);
 private static readonly Random _random = new Random();
 private static readonly string RealConnectingIp = "X-Connecting-IP";
+ private static readonly Regex _whiteSpaceRegex = new Regex(@"\s+");
 ///
 /// Generate sequential Guid for Sql Server.
@@ -868,4 +869,9 @@ public static class CoreHelpers
 return null;
 }
+
+ public static string ReplaceWhiteSpace(string input, string newValue)
+ {
+ return _whiteSpaceRegex.Replace(input, newValue);
+ }
 }
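Review bot: In the AccountController.cs hunk, the new `// Clean the returnUrl` comment does not say why whitespace is removed or that the removal has to stay ahead of the `Url.IsLocalUrl` / `_interaction.IsValidReturnUrl` check, so a later refactor could reorder or drop it without anyone noticing the security impact. I would write it as `// Strip whitespace before validating so the value that is checked is the value used afterwards.` Repairing the input also means a malformed return URL is accepted once cleaned; rejecting any `returnUrl` that contains whitespace or control characters with the existing `InvalidReturnUrl` error would be the stricter choice, and `\s` covers whitespace only. The enclosing action starts and ends outside the hunk, so how `returnUrl` is consumed after the check is not visible here.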
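Review bot: `ReplaceWhiteSpace` in the `@@ -868` hunk of CoreHelpers.cs is a new public helper with no XML doc comment and no stated null contract; `Regex.Replace` throws `ArgumentNullException` when `input` or `newValue` is null. The one caller in this patch appears to default `returnUrl` to `"~/"` before the call, but that is not something a shared helper can rely on. I would add a `/// <summary>` saying that every run of whitespace is replaced with `newValue`, that `\s` in .NET matches Unicode whitespace and not only ASCII, and that null arguments throw; if a null pass-through is preferred instead, `if (input == null) { return null; }` makes that explicit. The `_whiteSpaceRegex` field in the `@@ -31` hunk could also be built with `RegexOptions.Compiled`, since it is a long-lived static used on a request path.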
diff --git a/test/Core.Test/Utilities/CoreHelpersTests.cs b/test/Core.Test/Utilities/CoreHelpersTests.cs
index 6534feef5..af1156798 100644
--- a/test/Core.Test/Utilities/CoreHelpersTests.cs
+++ b/test/Core.Test/Utilities/CoreHelpersTests.cs
@@ -438,4 +438,15 @@ public class CoreHelpersTests
 {
 Assert.Null(CoreHelpers.GetEmailDomain(wrongEmail));
 }
+
+ [Theory]
+ [InlineData("hello world")]
+ [InlineData(" hello world ")]
+ [InlineData("hello\tworld")]
+ [InlineData("hello\r\nworld")]
+ [InlineData("hello\nworld")]
+ public void ReplaceWhiteSpace_Success(string email)
+ {
+ Assert.Equal("helloworld", CoreHelpers.ReplaceWhiteSpace(email, string.Empty));
+ }
 }
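Review bot: The theory parameter of `ReplaceWhiteSpace_Success` is named `email`, which looks like a leftover from the `GetEmailDomain` test just above it; `string input` would match the helper's own parameter name. Every case passes `string.Empty` as the replacement and expects `helloworld`, so the `newValue` argument and the no-whitespace path are never exercised; adding `[InlineData("helloworld")]` and one case with a non-empty replacement would pin both. Because the helper now sits in front of return-URL validation, a case with a non-ASCII whitespace character such as `\u00A0` would also record that `\s` is expected to match it.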