fix(security): prevent URL redirection from user-provided values (#5637)

ilayda-cp · web-flow · commit 4c484e080386 · 2026-03-31T11:03:32.000+03:00
diff --git a/webapp/decorators.py b/webapp/decorators.py
@@ -38,7 +38,9 @@ def is_user_logged_in(*args, **kwargs):
                 },
             )
 
-            return flask.redirect(f"/login?next={flask.request.path}")
+            return flask.redirect(
+                flask.url_for("login.login_handler", next=flask.request.path)
+            )
 
         publisher = flask.session.get("publisher")
         user = publisher["email"]
diff --git a/webapp/handlers.py b/webapp/handlers.py
@@ -132,7 +132,7 @@
     CSP_SCRIPT_SRC.append(f"localhost:{VITE_PORT}")
 
 
-def refresh_redirect(path):
+def refresh_redirect():
     try:
         macaroon_discharge = authentication.get_refreshed_discharge(
             flask.session["macaroon_discharge"]
@@ -146,7 +146,13 @@ def refresh_redirect(path):
         return flask.abort(502, str(api_error))
 
     flask.session["macaroon_discharge"] = macaroon_discharge
-    return flask.redirect(path)
+    return flask.redirect(
+        flask.url_for(
+            flask.request.endpoint,
+            **flask.request.view_args,
+            **flask.request.args,
+        )
+    )
 
 
 def snapcraft_utility_processor():
@@ -282,7 +288,9 @@ def handle_api_error_list(error):
             "macaroon-authorization-required",
         ]:
             authentication.empty_session(flask.session)
-            return flask.redirect(f"/login?next={flask.request.path}")
+            return flask.redirect(
+                flask.url_for("login.login_handler", next=flask.request.path)
+            )
 
         status_code = 502
         codes = [
@@ -309,7 +317,7 @@ def handle_publisher_agreement_not_signed(error):
 
     @app.errorhandler(PublisherMacaroonRefreshRequired)
     def handle_publisher_macaroon_refresh_required(error):
-        return refresh_redirect(flask.request.path)
+        return refresh_redirect()
 
     # Global tasks for all requests
     # ===
diff --git a/webapp/publisher/snaps/build_views.py b/webapp/publisher/snaps/build_views.py
@@ -436,7 +436,9 @@ def get_update_gh_webhooks(snap_name):
     try:
         github.get_user()
     except Unauthorized:
-        return flask.redirect(f"/github/auth?back={flask.request.path}")
+        return flask.redirect(
+            flask.url_for("oauth.github_auth", back=flask.request.path)
+        )
 
     gh_link = lp_snap["git_repository_url"][19:]
     gh_owner, gh_repo = gh_link.split("/")

Original file line number	Diff line number	Diff line change
`@@ -38,7 +38,9 @@ def is_user_logged_in(args, *kwargs):`
`38`	`38`	`},`
`39`	`39`	`)`
`40`	`40`
`41`		`- return flask.redirect(f"/login?next={flask.request.path}")`
	`41`	`+ return flask.redirect(`
	`42`	`+ flask.url_for("login.login_handler", next=flask.request.path)`
	`43`	`+ )`
`42`	`44`
`43`	`45`	`publisher = flask.session.get("publisher")`
`44`	`46`	`user = publisher["email"]`