fix: prevent open redirect with returnTo (#1897)

auth0 · Feb 12, 2025 · 8c0ee57 · 8c0ee57
2 parents a56eafe + 98e4723
commit 8c0ee57
Show file tree

Hide file tree

Showing 6 changed files with 626 additions and 35 deletions.
diff --git a/e2e/test-app/pnpm-lock.yaml b/e2e/test-app/pnpm-lock.yaml
diff --git a/src/server/auth-client.test.ts b/src/server/auth-client.test.ts
@@ -1293,7 +1293,51 @@ ca/T0LLtgmbMmxSv/MmzIg==
         codeVerifier: expect.any(String),
         responseType: "code",
         state: authorizationUrl.searchParams.get("state"),
-        returnTo: "/dashboard"
+        returnTo: "https://example.com/dashboard"
+      });
+    });
+
+    it("should prevent open redirects originating from the returnTo parameter", async () => {
+      const secret = await generateSecret(32);
+      const transactionStore = new TransactionStore({
+        secret
+      });
+      const sessionStore = new StatelessSessionStore({
+        secret
+      });
+      const authClient = new AuthClient({
+        transactionStore,
+        sessionStore,
+
+        domain: DEFAULT.domain,
+        clientId: DEFAULT.clientId,
+        clientSecret: DEFAULT.clientSecret,
+
+        secret,
+        appBaseUrl: DEFAULT.appBaseUrl,
+
+        fetch: getMockAuthorizationServer()
+      });
+      const loginUrl = new URL("/auth/login", DEFAULT.appBaseUrl);
+      loginUrl.searchParams.set("returnTo", "https://google.com");
+      const request = new NextRequest(loginUrl, {
+        method: "GET"
+      });
+
+      const response = await authClient.handleLogin(request);
+      const authorizationUrl = new URL(response.headers.get("Location")!);
+
+      // transaction state
+      const transactionCookie = response.cookies.get(
+        `__txn_${authorizationUrl.searchParams.get("state")}`
+      );
+      expect(transactionCookie).toBeDefined();
+      expect(await decrypt(transactionCookie!.value, secret)).toEqual({
+        nonce: authorizationUrl.searchParams.get("nonce"),
+        codeVerifier: expect.any(String),
+        responseType: "code",
+        state: authorizationUrl.searchParams.get("state"),
+        returnTo: "/"
       });
     });
 

diff --git a/src/server/auth-client.ts b/src/server/auth-client.ts
@@ -15,6 +15,7 @@ import {
   SdkError
 } from "../errors";
 import { LogoutToken, SessionData, TokenSet } from "../types";
+import { toSafeRedirect } from "../utils/url-helpers";
 import { AbstractSessionStore } from "./session/abstract-session-store";
 import { TransactionState, TransactionStore } from "./transaction-store";
 import { filterClaims } from "./user";
@@ -261,8 +262,20 @@ export class AuthClient {
 
   async handleLogin(req: NextRequest): Promise<NextResponse> {
     const redirectUri = new URL(this.routes.callback, this.appBaseUrl); // must be registed with the authorization server
-    const returnTo =
-      req.nextUrl.searchParams.get("returnTo") || this.signInReturnToPath;
+    const dangerousReturnTo = req.nextUrl.searchParams.get("returnTo");
+    let returnTo = this.signInReturnToPath;
+
+    if (dangerousReturnTo) {
+      const safeBaseUrl = new URL(
+        (this.authorizationParameters.redirect_uri as string | undefined) ||
+          this.appBaseUrl
+      );
+      const sanitizedReturnTo = toSafeRedirect(dangerousReturnTo, safeBaseUrl);
+
+      if (sanitizedReturnTo) {
+        returnTo = sanitizedReturnTo;
+      }
+    }
 
     const codeChallengeMethod = "S256";
     const codeVerifier = oauth.generateRandomCodeVerifier();