Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add return_to behaviour to 404 -> login flow #4916

Open
wants to merge 14 commits into
base: master
Choose a base branch
from
Open

Conversation

ukutaht
Copy link
Contributor

@ukutaht ukutaht commented Dec 17, 2024

Changes

It's quite annoying at the moment to:

  1. Receive a link to a dashboard (maybe with filters)
  2. Get 404
  3. Go to login
  4. Enter credentials
  5. Be redirected to /sites instead of the original link

This PR implements a return_to query param used in login flow, including when 2fa challenge is presented. This way the user lands on the intended page.

We currently have a session-based login_dest variable but it only works for known routes which dashboards are not. It could have been extended for this use-case but I felt like using query params is better when session state isn't strictly necessary.

@ukutaht ukutaht requested review from aerosol, zoldar and a team December 17, 2024 14:54
@zoldar zoldar added the preview label Dec 18, 2024
Copy link

Preview environment👷🏼‍♀️🏗️
PR-4916

Copy link
Contributor

@zoldar zoldar left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good - left some minor suggestions. Before the final 🦭 I'll take it for a short spin on preview app though.

lib/plausible_web/templates/error/404_error.html.heex Outdated Show resolved Hide resolved
lib/plausible_web/templates/auth/login_form.html.heex Outdated Show resolved Hide resolved
lib/plausible_web/controllers/auth_controller.ex Outdated Show resolved Hide resolved
Copy link
Contributor

@apata apata left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ukutaht I'm a bit concerned that as-is this can be used to craft malicious links.
https://pr-4916.review.plausible.io/login?return_to=https:%2F%2Fexample.com%2Fhack%2Fplausible.io
If on the return URL is a copy of the Plausible login page, the user may naively enter their details again, inadvertently sharing their details with a hacker.

@zoldar
Copy link
Contributor

zoldar commented Dec 18, 2024

@apata good point. The return_to URL could be sanitized before final redirect, scraping any with non-matching host part.

@ukutaht
Copy link
Contributor Author

ukutaht commented Dec 18, 2024

I'm a bit concerned that as-is this can be used to craft malicious links.

Thanks, that's a good point! I've taken a stab at it here. A few points about this commit:

  • It changes the Phoenix.Controller.redirect function call to use to: argument over external: which only allows local redirects
  • When an external URL is provided to redirect it will crash with a 500. Should be rare but still bad UX that I wanted to avoid. So I added a small validation our side as well which will ignore return_to unless it starts with a "/"
  • Note that it's still possible to craft a malicious URL that starts with a double slash "//", and in that case we will 500 but I don't expect this to happen often if at all
  • @zoldar is there any reason we've been using external over `to? I'm not sure why we would need to redirect to an external URL here...

@apata apata self-requested a review December 19, 2024 08:29
@zoldar
Copy link
Contributor

zoldar commented Dec 19, 2024

@ukutaht

Ad 5. this was originally a workaround for issue with internal redirects failing when there's a url encoded UTF8 character in the path (the domain of the site, in particular): #3560 - phoenix was validating the "to" URLs a bit overzealously. The phoenix version we currently are on (1.7.14) has this behavior changed via phoenixframework/phoenix@4ca6ca2. This should no longer be an issue and we should be able to get back to using internal "to" redirects.

@apata
Copy link
Contributor

apata commented Dec 19, 2024

I'm happy with that, @ukutaht! But because this feature allows redirecting to a page that has itself url search params (https://pr-4916.review.plausible.io/login?return_to=/sites%3Ffoo%3Dbar), any other open redirect vulnerability that we might have would still be exploitable. Before we release it, we should double check that we don't have any.

Edit: From my side, I couldn't find any other redirects that take user input.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants