Fix for SECURITY-2979 / CVE-2023-50771

Sanitize redirect url to make sure it cannot point wherever the from query parameter shows.
eHealthExperts · Jan 30, 2024 · 11f77a7 · 11f77a7
1 parent 742fe57
commit 11f77a7
Showing 1 changed file with 24 additions and 13 deletions.
diff --git a/src/main/java/org/jenkinsci/plugins/oic/OicSecurityRealm.java b/src/main/java/org/jenkinsci/plugins/oic/OicSecurityRealm.java
@@ -730,6 +730,29 @@ protected AuthorizationCodeFlow buildAuthorizationCodeFlow() {
         return builder.build();
     }
 
+    private String getValidRedirectUrl(String url) {
+        if (url != null && !url.isEmpty()) {
+            // Check if the URL is relative and starts with a slash
+            if (url.startsWith("/")) {
+                return getRootUrl() + url; // Convert to absolute URL
+            }
+            // If not relative, then check if it's a valid absolute URL
+            try {
+                URL parsedUrl = new URL(url);
+                String host = parsedUrl.getHost();
+                String expectedHost = new URL(getRootUrl()).getHost();
+                // Check if the host matches the Jenkins domain
+                if (host.equals(expectedHost)) {
+                    return url; // The URL is absolute and valid
+                }
+            } catch (MalformedURLException e) {
+                // Invalid absolute URL, will return root URL
+            }
+        }
+        // If the URL is null, empty, or invalid, return the root URL
+        return getRootUrl();
+    }
+
     /**
      * Handles the the securityRealm/commenceLogin resource and sends the user off to the IdP
      * @param from the relative URL to the page that the user has just come from
@@ -741,7 +764,7 @@ public HttpResponse doCommenceLogin(@QueryParameter String from, @Header("Refere
         // reload config if needed
         loadWellKnownOpenIDConfigurationUrl();
 
-        final String redirectOnFinish = determineRedirectTarget(from, referer);
+        final String redirectOnFinish = getValidRedirectUrl(from != null ? from : referer);
 
         final AuthorizationCodeFlow flow = this.buildAuthorizationCodeFlow();
 
@@ -1034,18 +1057,6 @@ private String getRootUrl() {
         }
     }
 
-    private String determineRedirectTarget(@QueryParameter String from, @Header("Referer") String referer) {
-        String target;
-        if (from != null) {
-            target = from;
-        } else if (referer != null) {
-            target = referer;
-        } else {
-            target = getRootUrl();
-        }
-        return target;
-    }
-
     private String buildOAuthRedirectUrl() throws NullPointerException {
         String rootUrl = getRootUrl();
         if (rootUrl == null) {