From b697f7bb53430238b540871ce75571cc34e4f16e Mon Sep 17 00:00:00 2001
From: Silas <69711739+SilasPeters@users.noreply.github.com>
Date: Fri, 20 Dec 2024 20:18:50 +0100
Subject: [PATCH] fix: second attempt at securing mollie redirect

---
 .../members/payments_controller.rb | 30 ++++++++++++++++---
 1 file changed, 26 insertions(+), 4 deletions(-)

diff --git a/app/controllers/members/payments_controller.rb b/app/controllers/members/payments_controller.rb
index f08a64028..05cdfbf03 100644
--- a/app/controllers/members/payments_controller.rb
+++ b/app/controllers/members/payments_controller.rb
@@ -47,8 +47,19 @@ def pay_activities
       )
       if payment.save
         # Check URI for safety (supresses brakeman warning)
-        url = (URI.parse(payment.payment_uri) if payment.payment_uri =~ URI::DEFAULT_PARSER.make_regexp)
-        redirect_to(url)
+        url = begin
+          URI.parse(payment.payment_uri)
+        rescue StandardError
+          nil
+        end
+
+        # Check if it's a valid URI and matches your whitelist of acceptable domains (e.g., only http(s)://example.com)
+        if url.is_a?(URI::HTTP) && ['mollie.com'].include?(url.host)
+          redirect_to(url)
+        else
+          # Fallback to a safe default redirect if the URI is invalid or not in the whitelist
+          redirect_to(root_path)
+        end
       else
         flash[:notice] = I18n.t('failed', scope: 'activerecord.errors.models.payment')
         redirect_to(member_payments_path)
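Review bot: The allowlist `['mollie.com'].include?(url.host)` is an exact host match, so a checkout link on a subdomain such as `www.mollie.com` (where Mollie's documented checkout URLs appear to live) would fail the check and the already-saved payment would silently redirect to `root_path` with no flash; the add_funds hunk below has the identical check and the same problem. Because `URI::HTTPS` is a subclass of `URI::HTTP`, the `is_a?(URI::HTTP)` test also lets a plain `http://` link through, and `url.host` is compared exactly as parsed, so a mixed-case host would be rejected while the scheme downgrade is accepted. I would move the parse-and-check into one private helper used by both actions, match `mollie.com` and its subdomains explicitly, require HTTPS, and set the existing failure flash on the fallback so the user learns the payment did not start; the `# Check if it's a valid URI and matches your whitelist ... example.com` comment reads like template text and should instead say that only Mollie's HTTPS checkout host is allowed. `pay_activities` begins before this hunk, so the surrounding method is not fully visible. Depending on the Rails version in use, redirecting to an external host may additionally require `allow_other_host: true`, which is worth confirming against the app's `raise_on_open_redirects` setting.
```ruby
      if payment.save
        url = mollie_checkout_url(payment.payment_uri)
        if url
          # Rails 7+ raises on external redirects unless explicitly allowed
          redirect_to(url, allow_other_host: true)
        else
          flash[:notice] = I18n.t('failed', scope: 'activerecord.errors.models.payment')
          redirect_to(root_path)
        end
      # … unchanged: else branch for a failed save …

  private

  # Parses raw and returns it as a URI only when it is an https link to
  # mollie.com or one of its subdomains; any other or unparsable value yields nil.
  def mollie_checkout_url(raw)
    url = URI.parse(raw.to_s)
    return nil unless url.is_a?(URI::HTTPS)

    host = url.host.to_s.downcase
    url if host == 'mollie.com' || host.end_with?('.mollie.com')
  rescue URI::Error
    nil
  end
```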
@@ -107,8 +118,19 @@ def add_funds
       if payment.save
         # Check URI for safety (supresses brakeman warning)
-        url = (URI.parse(payment.payment_uri) if payment.payment_uri =~ URI::DEFAULT_PARSER.make_regexp)
-        redirect_to(url)
+        url = begin
+          URI.parse(payment.payment_uri)
+        rescue StandardError
+          nil
+        end
+
+        # Check if it's a valid URI and matches your whitelist of acceptable domains (e.g., only http(s)://example.com)
+        if url.is_a?(URI::HTTP) && ['mollie.com'].include?(url.host)
+          redirect_to(url)
+        else
+          # Fallback to a safe default redirect if the URI is invalid or not in the whitelist
+          redirect_to(root_path)
+        end
       else
         flash[:warning] = I18n.t('failed', scope: 'activerecord.errors.models.payment')
         redirect_to(members_home_path)