fix: open redirect in /logout redirect parameter

jsr-io · Feb 28, 2024 · 9f8c0b3 · 9f8c0b3
1 parent 5d670e3
commit 9f8c0b3
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/api/src/auth.rs b/api/src/auth.rs
@@ -290,10 +290,12 @@ pub async fn login_callback_handler(
 
 #[instrument(name = "GET /logout", skip(req), err, fields(redirect))]
 pub async fn logout_handler(req: Request<Body>) -> ApiResult<Response<Body>> {
-  let redirect_url = req
+  let mut redirect_url = req
     .query("redirect")
     .and_then(|url| urlencoding::decode(url).map(|url| url.into_owned()).ok())
     .unwrap_or("/".to_string());
+
+  redirect_url = sanitize_redirect_url(&redirect_url);
   Span::current().record("redirect", &redirect_url);
 
   Ok(