From 54819ba8cd973e77505843424bd86e836b3442ea Mon Sep 17 00:00:00 2001
From: "stonezdj(Daojun Zhang)" <stonezdj@gmail.com>
Date: Fri, 23 Feb 2024 15:40:13 +0800
Subject: [PATCH] Limit url to local site (#20013)

Signed-off-by: stonezdj <daojunz@vmware.com>
Co-authored-by: stonezdj <daojunz@vmware.com>
---
 src/core/controllers/oidc.go | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/core/controllers/oidc.go b/src/core/controllers/oidc.go
index 998786784..c929676c2 100644
--- a/src/core/controllers/oidc.go
+++ b/src/core/controllers/oidc.go
@@ -63,7 +63,13 @@ func (oc *OIDCController) RedirectLogin() {
 		oc.SendInternalServerError(err)
 		return
 	}
-	if err := oc.SetSession(redirectURLKey, oc.Ctx.Request.URL.Query().Get("redirect_url")); err != nil {
+	redirectURL := oc.Ctx.Request.URL.Query().Get("redirect_url")
+	if strings.HasPrefix(redirectURL, "//") {
+		log.Errorf("invalid redirect url: %v", redirectURL)
+		oc.SendBadRequestError(fmt.Errorf("cannot redirect to other site"))
+		return
+	}
+	if err := oc.SetSession(redirectURLKey, redirectURL); err != nil {
 		log.Errorf("failed to set session for key: %s, error: %v", redirectURLKey, err)
 		oc.SendInternalServerError(err)
 		return