core: fix non-exploitable open redirect (#13696)
discovered by @dominic-r Signed-off-by: Jens Langhammer <jens@goauthentik.io> # Conflicts: # authentik/core/sources/flow_manager.py
This commit is contained in:
@ -36,7 +36,7 @@ from authentik.flows.planner import (
|
||||
)
|
||||
from authentik.flows.stage import StageView
|
||||
from authentik.flows.views.executor import NEXT_ARG_NAME, SESSION_KEY_GET, SESSION_KEY_PLAN
|
||||
from authentik.lib.utils.urls import redirect_with_qs
|
||||
from authentik.lib.utils.urls import is_url_absolute, redirect_with_qs
|
||||
from authentik.lib.views import bad_request_message
|
||||
from authentik.policies.denied import AccessDeniedResponse
|
||||
from authentik.policies.utils import delete_none_values
|
||||
@ -208,6 +208,8 @@ class SourceFlowManager:
|
||||
final_redirect = self.request.session.get(SESSION_KEY_GET, {}).get(
|
||||
NEXT_ARG_NAME, "authentik_core:if-user"
|
||||
)
|
||||
if not is_url_absolute(final_redirect):
|
||||
final_redirect = "authentik_core:if-user"
|
||||
flow_context.update(
|
||||
{
|
||||
# Since we authenticate the user by their token, they have no backend set
|
||||
|
@ -33,6 +33,7 @@ from authentik.flows.planner import (
|
||||
)
|
||||
from authentik.flows.stage import ChallengeStageView
|
||||
from authentik.flows.views.executor import NEXT_ARG_NAME, SESSION_KEY_GET, SESSION_KEY_PLAN
|
||||
from authentik.lib.utils.urls import is_url_absolute
|
||||
from authentik.lib.views import bad_request_message
|
||||
from authentik.providers.saml.utils.encoding import nice64
|
||||
from authentik.sources.saml.exceptions import MissingSAMLResponse, UnsupportedNameIDFormat
|
||||
@ -73,6 +74,8 @@ class InitiateView(View):
|
||||
final_redirect = self.request.session.get(SESSION_KEY_GET, {}).get(
|
||||
NEXT_ARG_NAME, "authentik_core:if-user"
|
||||
)
|
||||
if not is_url_absolute(final_redirect):
|
||||
final_redirect = "authentik_core:if-user"
|
||||
kwargs.update(
|
||||
{
|
||||
PLAN_CONTEXT_SSO: True,
|
||||
|
Reference in New Issue
Block a user