Merge pull request rails#55420 from byroot/allow_redirect_from_configuration_hosts

byroot · web-flow · commit fd6e86ce3845 · 2025-07-30T11:12:56.000+02:00
Allow hosts redirects from `hosts` Rails configuration
diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md
@@ -1,3 +1,11 @@
+*   Allow hosts redirects from `hosts` Rails configuration
+
+    ```ruby
+    config.action_controller.allowed_redirect_hosts << "example.com"
+    ```
+
+    *Kevin Robatel*
+
 *   `rate_limit.action_controller` notification has additional payload
 
     additonal values: count, to, within, by, name, cache_key
diff --git a/actionpack/lib/action_controller/metal/redirecting.rb b/actionpack/lib/action_controller/metal/redirecting.rb
@@ -16,6 +16,18 @@ class UnsafeRedirectError < StandardError; end
     included do
       mattr_accessor :raise_on_open_redirects, default: false
       mattr_accessor :action_on_path_relative_redirect, default: :log
+      class_attribute :_allowed_redirect_hosts, :allowed_redirect_hosts_permissions, instance_accessor: false, instance_predicate: false
+      singleton_class.alias_method :allowed_redirect_hosts, :_allowed_redirect_hosts
+    end
+
+    module ClassMethods # :nodoc:
+      def allowed_redirect_hosts=(hosts)
+        hosts = hosts.dup.freeze
+        self._allowed_redirect_hosts = hosts
+        self.allowed_redirect_hosts_permissions = if hosts.present?
+          ActionDispatch::HostAuthorization::Permissions.new(hosts)
+        end
+      end
     end
 
     # Redirects the browser to the target specified in `options`. This parameter can
@@ -254,12 +266,14 @@ def _enforce_open_redirect_protection(location, allow_other_host:)
       end
 
       def _url_host_allowed?(url)
-        host = URI(url.to_s).host
+        url_to_s = url.to_s
+        host = URI(url_to_s).host
 
-        return true if host == request.host
-        return false unless host.nil?
-        return false unless url.to_s.start_with?("/")
-        !url.to_s.start_with?("//")
+        if host.nil?
+          url_to_s.start_with?("/") && !url_to_s.start_with?("//")
+        else
+          host == request.host || self.class.allowed_redirect_hosts_permissions&.allows?(host)
+        end
       rescue ArgumentError, URI::Error
         false
       end
diff --git a/actionpack/lib/action_controller/railtie.rb b/actionpack/lib/action_controller/railtie.rb
@@ -16,6 +16,7 @@ class Railtie < Rails::Railtie # :nodoc:
     config.action_controller.action_on_path_relative_redirect = :log
     config.action_controller.log_query_tags_around_actions = true
     config.action_controller.wrap_parameters_by_default = false
+    config.action_controller.allowed_redirect_hosts = []
 
     config.eager_load_namespaces << AbstractController
     config.eager_load_namespaces << ActionController
diff --git a/actionpack/test/controller/redirect_test.rb b/actionpack/test/controller/redirect_test.rb
@@ -815,6 +815,26 @@ def test_redirect_to_absolute_url_does_not_raise
     ActionController::Base.action_on_path_relative_redirect = old_config
   end
 
+  def test_redirect_with_allowed_redirect_hosts
+    with_raise_on_open_redirects do
+      with_allowed_redirect_hosts(hosts: ["www.rubyonrails.org"]) do
+        get :redirect_to_url
+        assert_response :redirect
+        assert_redirected_to "http://www.rubyonrails.org/"
+      end
+    end
+  end
+
+  def test_not_redirect_with_allowed_redirect_hosts
+    with_raise_on_open_redirects do
+      with_allowed_redirect_hosts(hosts: ["www.ruby-lang.org"]) do
+        assert_raise ActionController::Redirecting::UnsafeRedirectError do
+          get :redirect_to_url
+        end
+      end
+    end
+  end
+
   private
     def with_raise_on_open_redirects
       old_raise_on_open_redirects = ActionController::Base.raise_on_open_redirects
@@ -823,6 +843,14 @@ def with_raise_on_open_redirects
     ensure
       ActionController::Base.raise_on_open_redirects = old_raise_on_open_redirects
     end
+
+    def with_allowed_redirect_hosts(hosts:)
+      old_allowed_redirect_hosts = ActionController::Base.allowed_redirect_hosts
+      ActionController::Base.allowed_redirect_hosts = hosts
+      yield
+    ensure
+      ActionController::Base.allowed_redirect_hosts = old_allowed_redirect_hosts
+    end
 end
 
 module ModuleTest
diff --git a/guides/source/configuring.md b/guides/source/configuring.md
@@ -2021,6 +2021,11 @@ The default value depends on the `config.load_defaults` target version:
 
 [params_wrapper]: https://api.rubyonrails.org/classes/ActionController/ParamsWrapper.html
 
+#### `config.action_controller.allowed_redirect_hosts`
+
+Specifies a list of allowed hosts for redirects. `redirect_to` will allow redirects to them without raising an
+`UnsafeRedirectError` error.
+
 #### `ActionController::Base.wrap_parameters`
 
 Configures the [`ParamsWrapper`](https://api.rubyonrails.org/classes/ActionController/ParamsWrapper.html). This can be called at
