use safeRedirect for redirect

Author: iQQBot

components/server/src/auth/authenticator.ts

@@ -19,9 +19,8 @@ import { AuthFlow, AuthProvider } from "./auth-provider";
 import { HostContextProvider } from "./host-context-provider";
 import { SignInJWT } from "./jwt";
 import { NonceService } from "./nonce-service";
-import { ensureUrlHasFragment } from "./fragment-utils";
 import { getFeatureFlagEnableNonceValidation, getFeatureFlagEnableStrictAuthorizeReturnTo } from "../util/featureflags";
-import { validateLoginReturnToUrl, validateAuthorizeReturnToUrl } from "../express-util";
+import { validateLoginReturnToUrl, validateAuthorizeReturnToUrl, safeRedirect } from "../express-util";
 
 @injectable()
 export class Authenticator {
@@ -94,7 +93,7 @@ export class Authenticator {
                         pathname: req.path,
                         search: new URL(req.url, this.config.hostUrl.url).search,
                     });
-                    res.redirect(baseUrl.toString());
+                    safeRedirect(res, baseUrl.toString());
                     return;
                 }
 
@@ -190,21 +189,20 @@ export class Authenticator {
             // Validate returnTo URL against allowlist for login API
             if (!validateLoginReturnToUrl(returnToParam, this.config.hostUrl)) {
                 log.warn(`Invalid returnTo URL rejected for login: ${returnToParam}`, { "login-flow": true });
-                res.redirect(this.getSorryUrl(`Invalid return URL.`));
+                safeRedirect(res, this.getSorryUrl(`Invalid return URL.`));
                 return;
             }
         }
         // returnTo defaults to workspaces url
         const workspaceUrl = this.config.hostUrl.asDashboard().toString();
         returnToParam = returnToParam || workspaceUrl;
-        // Ensure returnTo URL has a fragment to prevent OAuth token inheritance attacks
-        const returnTo = ensureUrlHasFragment(returnToParam);
+        const returnTo = returnToParam;
 
         const host: string = req.query.host?.toString() || "";
         const authProvider = host && (await this.getAuthProviderForHost(host));
         if (!host || !authProvider) {
             log.info(`Bad request: missing parameters.`, { "login-flow": true });
-            res.redirect(this.getSorryUrl(`Bad request: missing parameters.`));
+            safeRedirect(res, this.getSorryUrl(`Bad request: missing parameters.`));
             return;
         }
         // Logins with organizational Git Auth is not permitted
@@ -213,12 +211,12 @@ export class Authenticator {
                 "authorize-flow": true,
                 ap: authProvider.info,
             });
-            res.redirect(this.getSorryUrl(`Login with "${host}" is not permitted.`));
+            safeRedirect(res, this.getSorryUrl(`Login with "${host}" is not permitted.`));
             return;
         }
         if (this.config.disableDynamicAuthProviderLogin && !authProvider.params.builtin) {
             log.info(`Auth Provider is not allowed.`, { ap: authProvider.info });
-            res.redirect(this.getSorryUrl(`Login with ${authProvider.params.host} is not allowed.`));
+            safeRedirect(res, this.getSorryUrl(`Login with ${authProvider.params.host} is not allowed.`));
             return;
         }
 
@@ -228,7 +226,7 @@ export class Authenticator {
                 "login-flow": true,
                 ap: authProvider.info,
             });
-            res.redirect(this.getSorryUrl(`Login with "${host}" is not permitted.`));
+            safeRedirect(res, this.getSorryUrl(`Login with "${host}" is not permitted.`));
             return;
         }
 
@@ -250,7 +248,7 @@ export class Authenticator {
         const user = req.user;
         if (!req.isAuthenticated() || !User.is(user)) {
             log.info(`User is not authenticated.`);
-            res.redirect(this.getSorryUrl(`Not authenticated. Please login.`));
+            safeRedirect(res, this.getSorryUrl(`Not authenticated. Please login.`));
             return;
         }
         const returnTo: string = req.query.returnTo?.toString() || this.config.hostUrl.asDashboard().toString();
@@ -260,20 +258,21 @@ export class Authenticator {
 
         if (!host || !authProvider) {
             log.warn(`Bad request: missing parameters.`);
-            res.redirect(this.getSorryUrl(`Bad request: missing parameters.`));
+            safeRedirect(res, this.getSorryUrl(`Bad request: missing parameters.`));
             return;
         }
 
         try {
             await this.userAuthentication.deauthorize(user, authProvider.authProviderId);
-            res.redirect(returnTo);
+            safeRedirect(res, returnTo);
         } catch (error) {
             next(error);
             log.error(`Failed to disconnect a provider.`, error, {
                 host,
                 userId: user.id,
             });
-            res.redirect(
+            safeRedirect(
+                res,
                 this.getSorryUrl(
                     `Failed to disconnect a provider: ${error && error.message ? error.message : "unknown reason"}`,
                 ),
@@ -285,12 +284,13 @@ export class Authenticator {
         const user = req.user;
         if (!req.isAuthenticated() || !User.is(user)) {
             log.info(`User is not authenticated.`, { "authorize-flow": true });
-            res.redirect(this.getSorryUrl(`Not authenticated. Please login.`));
+            safeRedirect(res, this.getSorryUrl(`Not authenticated. Please login.`));
             return;
         }
         if (user.id === BUILTIN_INSTLLATION_ADMIN_USER_ID) {
             log.info(`Authorization is not permitted for admin user.`);
-            res.redirect(
+            safeRedirect(
+                res,
                 this.getSorryUrl(`Authorization is not permitted for admin user. Please login with a user account.`),
             );
             return;
@@ -303,7 +303,7 @@ export class Authenticator {
 
         if (!returnToParam || !host || !authProvider) {
             log.info(`Bad request: missing parameters.`, { "authorize-flow": true });
-            res.redirect(this.getSorryUrl(`Bad request: missing parameters.`));
+            safeRedirect(res, this.getSorryUrl(`Bad request: missing parameters.`));
             return;
         }
 
@@ -319,12 +319,11 @@ export class Authenticator {
                 "authorize-flow": true,
                 strictValidation: isStrictAuthorizeValidationEnabled,
             });
-            res.redirect(this.getSorryUrl(`Invalid return URL.`));
+            safeRedirect(res, this.getSorryUrl(`Invalid return URL.`));
             return;
         }
 
-        // Ensure returnTo URL has a fragment to prevent OAuth token inheritance attacks
-        const returnTo = ensureUrlHasFragment(returnToParam);
+        const returnTo = returnToParam;
 
         // For non-verified org auth provider, ensure user is an owner of the org
         if (!authProvider.info.verified && authProvider.info.organizationId) {
@@ -334,7 +333,7 @@ export class Authenticator {
                     "authorize-flow": true,
                     ap: authProvider.info,
                 });
-                res.redirect(this.getSorryUrl(`Authorization with "${host}" is not permitted.`));
+                safeRedirect(res, this.getSorryUrl(`Authorization with "${host}" is not permitted.`));
                 return;
             }
         }
@@ -345,7 +344,7 @@ export class Authenticator {
                 "authorize-flow": true,
                 ap: authProvider.info,
             });
-            res.redirect(this.getSorryUrl(`Authorization with "${host}" is not permitted.`));
+            safeRedirect(res, this.getSorryUrl(`Authorization with "${host}" is not permitted.`));
             return;
         }
 
@@ -357,7 +356,7 @@ export class Authenticator {
                     "authorize-flow": true,
                     ap: authProvider.info,
                 });
-                res.redirect(this.getSorryUrl(`Authorization with "${host}" is not permitted.`));
+                safeRedirect(res, this.getSorryUrl(`Authorization with "${host}" is not permitted.`));
                 return;
             }
         }
@@ -411,6 +410,6 @@ export class Authenticator {
         return [];
     }
     private getSorryUrl(message: string) {
-        return ensureUrlHasFragment(this.config.hostUrl.asSorry(message).toString());
+        return this.config.hostUrl.asSorry(message).toString();
     }
 }

components/server/src/auth/generic-auth-provider.ts

@@ -23,7 +23,7 @@ import {
     UnconfirmedUserException,
 } from "../auth/errors";
 import { Config } from "../config";
-import { getRequestingClientInfo } from "../express-util";
+import { getRequestingClientInfo, safeRedirect } from "../express-util";
 import { TokenProvider } from "../user/token-provider";
 import { UserAuthentication } from "../user/user-authentication";
 import { AuthProviderService } from "./auth-provider-service";
@@ -287,7 +287,8 @@ export abstract class GenericAuthProvider implements AuthProvider {
         const state = request.query.state;
         if (!state) {
             log.error(cxt, `(${strategyName}) No state present on callback request.`, { clientInfo });
-            response.redirect(
+            safeRedirect(
+                response,
                 this.getSorryUrl(`No state was present on the authentication callback. Please try again.`),
             );
             return;
@@ -298,7 +299,7 @@ export abstract class GenericAuthProvider implements AuthProvider {
             log.error(`(${strategyName}) Auth flow state is missing.`);
 
             reportLoginCompleted("failed", "git");
-            response.redirect(this.getSorryUrl(`Auth flow state is missing.`));
+            safeRedirect(response, this.getSorryUrl(`Auth flow state is missing.`));
             return;
         }
 
@@ -309,7 +310,7 @@ export abstract class GenericAuthProvider implements AuthProvider {
                     `(${strategyName}) User is already logged in. No auth info provided. Redirecting to dashboard.`,
                     { clientInfo },
                 );
-                response.redirect(this.config.hostUrl.asDashboard().toString());
+                safeRedirect(response, this.config.hostUrl.asDashboard().toString());
                 return;
             }
         }
@@ -320,15 +321,15 @@ export abstract class GenericAuthProvider implements AuthProvider {
             reportLoginCompleted("failed_client", "git");
 
             log.error(cxt, `(${strategyName}) No session found during auth callback.`, { clientInfo });
-            response.redirect(this.getSorryUrl(`Please allow Cookies in your browser and try to log in again.`));
+            safeRedirect(response, this.getSorryUrl(`Please allow Cookies in your browser and try to log in again.`));
             return;
         }
 
         if (authFlow.host !== this.host) {
             reportLoginCompleted("failed", "git");
 
             log.error(cxt, `(${strategyName}) Host does not match.`, { clientInfo });
-            response.redirect(this.getSorryUrl(`Host does not match.`));
+            safeRedirect(response, this.getSorryUrl(`Host does not match.`));
             return;
         }
 
@@ -359,7 +360,7 @@ export abstract class GenericAuthProvider implements AuthProvider {
                 authenticate(request, response, next);
             });
         } catch (error) {
-            response.redirect(this.getSorryUrl(`OAuth2 error. (${error})`));
+            safeRedirect(response, this.getSorryUrl(`OAuth2 error. (${error})`));
             return;
         }
         const [err, userOrIdentity, flowContext] = result;
@@ -471,7 +472,7 @@ export abstract class GenericAuthProvider implements AuthProvider {
                     );
 
                     const { returnTo } = authFlow;
-                    response.redirect(returnTo);
+                    safeRedirect(response, returnTo);
                     return;
                 } else {
                     // Complete login into an existing account
@@ -536,7 +537,7 @@ export abstract class GenericAuthProvider implements AuthProvider {
                 search: "message=error:" + Buffer.from(JSON.stringify(error), "utf-8").toString("base64"),
             })
             .toString();
-        response.redirect(url);
+        safeRedirect(response, url);
     }
 
     /**

components/server/src/auth/login-completion-handler.ts

@@ -16,7 +16,7 @@ import { IAnalyticsWriter } from "@gitpod/gitpod-protocol/lib/analytics";
 import { trackLogin } from "../analytics";
 import { SessionHandler } from "../session-handler";
 import { AuthJWT } from "./jwt";
-import { ensureUrlHasFragment } from "./fragment-utils";
+import { safeRedirect } from "../express-util";
 
 /**
  * The login completion handler pulls the strings between the OAuth2 flow, the ToS flow, and the session management.
@@ -50,15 +50,13 @@ export class LoginCompletionHandler {
         } catch (err) {
             reportLoginCompleted("failed", "git");
             log.error(logContext, `Failed to login user. Redirecting to /sorry on login.`, err);
-            response.redirect(this.config.hostUrl.asSorry("Oops! Something went wrong during login.").toString());
+            safeRedirect(response, this.config.hostUrl.asSorry("Oops! Something went wrong during login.").toString());
             return;
         }
 
         // Update session info
         const returnToParam = returnToUrl || this.config.hostUrl.asDashboard().toString();
-
-        // Ensure returnTo URL has a fragment to prevent OAuth token inheritance attacks
-        let returnTo = ensureUrlHasFragment(returnToParam);
+        let returnTo = returnToParam;
 
         if (elevateScopes) {
             const elevateScopesUrl = this.config.hostUrl
@@ -91,7 +89,7 @@ export class LoginCompletionHandler {
 
         log.info(logContext, `User is logged in successfully. Redirect to: ${returnTo}`);
         reportLoginCompleted("succeeded", "git");
-        response.redirect(returnTo);
+        safeRedirect(response, returnTo);
     }
 
     public async updateAuthProviderAsVerified(hostname: string, user: User) {

components/server/src/express-util.ts

@@ -9,6 +9,7 @@ import express from "express";
 import * as crypto from "crypto";
 import { IncomingHttpHeaders } from "http";
 import { GitpodHostUrl } from "@gitpod/gitpod-protocol/lib/util/gitpod-host-url";
+import { ensureUrlHasFragment } from "./auth/fragment-utils";
 
 export const query = (...tuples: [string, string][]) => {
     if (tuples.length === 0) {
@@ -236,3 +237,24 @@ export function validateAuthorizeReturnToUrl(returnTo: string, hostUrl: GitpodHo
 
     return validateReturnToUrlWithPatterns(returnTo, hostUrl, allowedPatterns);
 }
+
+/**
+ * Safe redirect wrapper that automatically ensures URLs have fragments to prevent
+ * OAuth token inheritance attacks.
+ *
+ * When OAuth providers redirect with tokens in URL fragments, browsers inherit
+ * fragments from the current page if the target URL doesn't have one. This wrapper
+ * automatically applies fragment protection to all redirects.
+ *
+ * @param res Express response object
+ * @param url URL to redirect to
+ * @param status Optional HTTP status code (default: 302)
+ */
+export function safeRedirect(res: express.Response, url: string, status?: number): void {
+    const protectedUrl = ensureUrlHasFragment(url);
+    if (status) {
+        res.redirect(status, protectedUrl);
+    } else {
+        res.redirect(protectedUrl);
+    }
+}

components/server/src/oauth-server/oauth-controller.ts

@@ -14,6 +14,7 @@ import express from "express";
 import { inject, injectable } from "inversify";
 import { URL } from "url";
 import { Config } from "../config";
+import { safeRedirect } from "../express-util";
 import { clientRepository, createAuthorizationServer } from "./oauth-authorization-server";
 import { inMemoryDatabase, toolboxClient } from "./db";
 import { getFeatureFlagEnableExperimentalJBTB } from "../util/featureflags";
@@ -28,7 +29,7 @@ export class OAuthController {
         if (!req.isAuthenticated() || !User.is(req.user)) {
             const returnToPath = encodeURIComponent(`/api${req.originalUrl}`);
             const redirectTo = `${this.config.hostUrl}login?returnToPath=${returnToPath}`;
-            res.redirect(redirectTo);
+            safeRedirect(res, redirectTo);
             return null;
         }
         const user = req.user as User;
@@ -88,7 +89,7 @@ export class OAuthController {
 
             const redirectUri = new URL(req.query.redirect_uri);
             redirectUri.searchParams.append("approved", "no");
-            res.redirect(redirectUri.toString());
+            safeRedirect(res, redirectUri.toString());
             return false;
         } else if (wasApproved == "yes") {
             const additionalData = (user.additionalData = user.additionalData || {});
@@ -104,7 +105,7 @@ export class OAuthController {
                 if (client) {
                     const returnToPath = encodeURIComponent(`/api${req.originalUrl}`);
                     const redirectTo = `${this.config.hostUrl}oauth-approval?clientID=${client.id}&clientName=${client.name}&returnToPath=${returnToPath}`;
-                    res.redirect(redirectTo);
+                    safeRedirect(res, redirectTo);
                     return false;
                 } else {
                     log.error(`/oauth/authorize unknown client id: "${clientID}"`);