Skip to content

Comments

fix: validate returnTo parameter to prevent open redirect#46

Open
nitishagar wants to merge 1 commit intojetkvm:devfrom
nitishagar:fix-7
Open

fix: validate returnTo parameter to prevent open redirect#46
nitishagar wants to merge 1 commit intojetkvm:devfrom
nitishagar:fix-7

Conversation

@nitishagar
Copy link

@nitishagar nitishagar commented Nov 20, 2025

Add URL validation for the returnTo parameter in OIDC authentication flow to prevent open redirect vulnerabilities.

  • Add isValidReturnToUrl() helper function to validate URLs
  • Validate returnTo at input point (when storing in session)
  • Validate returnTo at output points (before redirects)
  • Reject external URLs with BadRequestError
  • Use safe fallback for invalid URLs at redirect points

Fixes #7

@nitishagar
fix: validate returnTo parameter to prevent open redirect
ab5e9dc 
Add URL validation for the returnTo parameter in OIDC authentication
flow to prevent open redirect vulnerabilities.

- Add isValidReturnToUrl() helper function to validate URLs
- Validate returnTo at input point (when storing in session)
- Validate returnTo at output points (before redirects)
- Reject external URLs with BadRequestError
- Use safe fallback for invalid URLs at redirect points

Fixes jetkvm#7
@CLAassistant
Copy link

CLAassistant commented Nov 20, 2025
edited
Loading

CLA assistant check
All committers have signed the CLA.

IDisposable
IDisposable approved these changes Jan 28, 2026
View reviewed changes
Copy link
Contributor

@IDisposable IDisposable left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is an extremely good idea. :)

adamshiervani
adamshiervani requested changes Feb 2, 2026
View reviewed changes
src/oidc.ts
Comment on lines +185 to +209
// Validate returnTo before redirecting (defense in depth)
if (!isValidReturnToUrl(returnTo, APP_HOSTNAME)) {
console.warn("Invalid returnTo URL detected at redirect point:", returnTo);
// Fall back to safe default
const safeUrl = new URL(`${APP_HOSTNAME}/devices`);
safeUrl.searchParams.append("tempToken", tempToken);
safeUrl.searchParams.append("deviceId", deviceId);
safeUrl.searchParams.append("oidcGoogle", tokenSet.id_token.toString());
safeUrl.searchParams.append("clientId", process.env.GOOGLE_CLIENT_ID);
return res.redirect(safeUrl.toString());
}

const url = new URL(returnTo);
url.searchParams.append("tempToken", tempToken);
url.searchParams.append("deviceId", deviceId);
url.searchParams.append("oidcGoogle", tokenSet.id_token.toString());
url.searchParams.append("clientId", process.env.GOOGLE_CLIENT_ID);
return res.redirect(url.toString());
}
// Validate returnTo before redirecting (defense in depth)
if (!isValidReturnToUrl(returnTo, APP_HOSTNAME)) {
console.warn("Invalid returnTo URL detected at redirect point:", returnTo);
// Fall back to safe default
return res.redirect(`${APP_HOSTNAME}/devices`);
}
Copy link
Contributor

@adamshiervani adamshiervani Feb 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is not needed, as we are the one setting the session cookie, and we sign them with our COOKIE_SECRET.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@adamshiervani adamshiervani adamshiervani requested changes

@IDisposable IDisposable IDisposable approved these changes

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Open redirect via returnTo

4 participants

@nitishagar @CLAassistant @IDisposable @adamshiervani