[WEB-4900]: validated authentication redirection paths (#7798)

* refactor: replace validate_next_path with get_safe_redirect_url for safer URL redirection across authentication views * refactor: use get_safe_redirect_url for improved URL redirection in SignInAuthSpaceEndpoint and SignUpAuthSpaceEndpoint * fix: redirect paths --------- Co-authored-by: sriram veeraghanta <veeraghanta.sriram@gmail.com>
2025-09-16 00:01:06 +05:30 · 2025-09-16 00:01:06 +05:30 · 345dfce25d
commit 345dfce25d
parent 116c8118ab
13 changed files with 477 additions and 276 deletions
--- a/apps/api/plane/authentication/views/space/gitlab.py
+++ b/apps/api/plane/authentication/views/space/gitlab.py
@ -1,6 +1,5 @@
 # Python imports
 import uuid
-from urllib.parse import urlencode

 # Django import
 from django.http import HttpResponseRedirect
@ -15,7 +14,7 @@ from plane.authentication.adapter.error import (
    AUTHENTICATION_ERROR_CODES,
    AuthenticationException,
 )
-from plane.utils.path_validator import validate_next_path
+from plane.utils.path_validator import get_safe_redirect_url


 class GitLabOauthInitiateSpaceEndpoint(View):
@ -23,8 +22,6 @@ class GitLabOauthInitiateSpaceEndpoint(View):
        # Get host and next path
        request.session["host"] = base_host(request=request, is_space=True)
        next_path = request.GET.get("next_path")
-        if next_path:
-            request.session["next_path"] = str(next_path)

        # Check instance configuration
        instance = Instance.objects.first()
@ -34,9 +31,11 @@ class GitLabOauthInitiateSpaceEndpoint(View):
                error_message="INSTANCE_NOT_CONFIGURED",
            )
            params = exc.get_error_dict()
-            if next_path:
-                params["next_path"] = str(validate_next_path(next_path))
-            url = f"{base_host(request=request, is_space=True)}?{urlencode(params)}"
+            url = get_safe_redirect_url(
+                base_url=base_host(request=request, is_space=True),
+                next_path=next_path,
+                params=params
+            )
            return HttpResponseRedirect(url)

        try:
@ -47,9 +46,11 @@ class GitLabOauthInitiateSpaceEndpoint(View):
            return HttpResponseRedirect(auth_url)
        except AuthenticationException as e:
            params = e.get_error_dict()
-            if next_path:
-                params["next_path"] = str(next_path)
-            url = f"{base_host(request=request, is_space=True)}?{urlencode(params)}"
+            url = get_safe_redirect_url(
+                base_url=base_host(request=request, is_space=True),
+                next_path=next_path,
+                params=params
+            )
            return HttpResponseRedirect(url)


@ -66,9 +67,11 @@ class GitLabCallbackSpaceEndpoint(View):
                error_message="GITLAB_OAUTH_PROVIDER_ERROR",
            )
            params = exc.get_error_dict()
-            if next_path:
-                params["next_path"] = str(validate_next_path(next_path))
-            url = f"{base_host(request=request, is_space=True)}?{urlencode(params)}"
+            url = get_safe_redirect_url(
+                base_url=base_host(request=request, is_space=True),
+                next_path=next_path,
+                params=params
+            )
            return HttpResponseRedirect(url)

        if not code:
@ -77,9 +80,11 @@ class GitLabCallbackSpaceEndpoint(View):
                error_message="GITLAB_OAUTH_PROVIDER_ERROR",
            )
            params = exc.get_error_dict()
-            if next_path:
-                params["next_path"] = str(validate_next_path(next_path))
-            url = f"{base_host(request=request, is_space=True)}?{urlencode(params)}"
+            url = get_safe_redirect_url(
+                base_url=base_host(request=request, is_space=True),
+                next_path=next_path,
+                params=params
+            )
            return HttpResponseRedirect(url)

        try:
@ -89,11 +94,17 @@ class GitLabCallbackSpaceEndpoint(View):
            user_login(request=request, user=user, is_space=True)
            # Process workspace and project invitations
            # redirect to referer path
-            url = f"{base_host(request=request, is_space=True)}{str(next_path) if next_path else ''}"
+            url = get_safe_redirect_url(
+                base_url=base_host(request=request, is_space=True),
+                next_path=next_path,
+                params=params
+            )
            return HttpResponseRedirect(url)
        except AuthenticationException as e:
            params = e.get_error_dict()
-            if next_path:
-                params["next_path"] = str(validate_next_path(next_path))
-            url = f"{base_host(request=request, is_space=True)}?{urlencode(params)}"
+            url = get_safe_redirect_url(
+                base_url=base_host(request=request, is_space=True),
+                next_path=next_path,
+                params=params
+            )
            return HttpResponseRedirect(url)