[dashboard, server] Backport security fix from #20152

ENT-735

Author: geropl

components/dashboard/src/OauthClientApproval.tsx

@@ -6,6 +6,7 @@
 
 import gitpodIcon from "./icons/gitpod.svg";
 import { getSafeURLRedirect } from "./provider-utils";
+import { isTrustedUrlOrPath } from "./utils";
 
 export default function OAuthClientApproval() {
     const params = new URLSearchParams(window.location.search);
@@ -18,8 +19,12 @@ export default function OAuthClientApproval() {
     const updateClientApproval = async (isApproved: boolean) => {
         if (redirectTo === "/") {
             window.location.replace(redirectTo);
+            return;
+        }
+        const url = `${redirectTo}&approved=${isApproved ? "yes" : "no"}`;
+        if (isTrustedUrlOrPath(url)) {
+            window.location.replace(url);
         }
-        window.location.replace(`${redirectTo}&approved=${isApproved ? "yes" : "no"}`);
     };
 
     return (

components/dashboard/src/provider-utils.tsx

@@ -8,6 +8,7 @@ import bitbucket from "./images/bitbucket.svg";
 import github from "./images/github.svg";
 import gitlab from "./images/gitlab.svg";
 import { gitpodHostUrl } from "./service/service";
+import { isTrustedUrlOrPath } from "./utils";
 
 function iconForAuthProvider(type: string) {
     switch (type) {
@@ -121,11 +122,10 @@ const getSafeURLRedirect = (source?: string) => {
     const returnToURL: string | null = new URLSearchParams(source ? source : window.location.search).get("returnTo");
     if (returnToURL) {
         // Only allow oauth on the same host
-        if (
-            returnToURL
-                .toLowerCase()
-                .startsWith(`${window.location.protocol}//${window.location.host}/api/oauth/`.toLowerCase())
-        ) {
+        const sameHost = returnToURL
+            .toLowerCase()
+            .startsWith(`${window.location.protocol}//${window.location.host}/api/oauth/`.toLowerCase());
+        if (sameHost && isTrustedUrlOrPath(returnToURL)) {
             return returnToURL;
         }
     }

components/dashboard/src/utils.test.ts

@@ -4,10 +4,10 @@
  * See License-AGPL.txt in the project root for license information.
  */
 
-import { inResource } from "./utils";
+import { getURLHash } from "./App";
+import { inResource, isTrustedUrlOrPath } from "./utils";
 
 test("inResource", () => {
-
     // Given root path is a part of resources specified
     expect(inResource("/app", ["new", "app", "teams"])).toBe(true);
 
@@ -25,5 +25,29 @@ test("inResource", () => {
 
     // Both resources containing path with subdirectories
     expect(inResource("/admin/teams/someTeam/somePerson", ["/admin/teams"])).toBe(true);
+});
 
+test("urlHash and isTrustedUrlOrPath", () => {
+    global.window = Object.create(window);
+    Object.defineProperty(window, "location", {
+        value: {
+            hash: "#https://example.org/user/repo",
+            hostname: "example.org",
+        },
+    });
+
+    expect(getURLHash()).toBe("https://example.org/user/repo");
+
+    const isTrustedUrlOrPathCases: { location: string; trusted: boolean }[] = [
+        { location: "https://example.org/user/repo", trusted: true },
+        { location: "https://example.org/user", trusted: true },
+        { location: "https://example2.org/user", trusted: false },
+        { location: "/api/hello", trusted: true },
+        { location: "/", trusted: true },
+        // eslint-disable-next-line no-script-url
+        { location: "javascript:alert(1)", trusted: false },
+    ];
+    isTrustedUrlOrPathCases.forEach(({ location, trusted }) => {
+        expect(isTrustedUrlOrPath(location)).toBe(trusted);
+    });
 });

components/dashboard/src/utils.ts

@@ -79,3 +79,20 @@ export function inResource(pathname: string, resources: string[]): boolean {
     // E.g. "api/userspace/resource" path is a part of resource "api/userspace"
     return resources.map((res) => trimmedResource.startsWith(trimResource(res))).some(Boolean);
 }
+
+function parseUrl(url: string): URL | null {
+    try {
+        return new URL(url);
+    } catch (_) {
+        return null;
+    }
+}
+
+export function isTrustedUrlOrPath(urlOrPath: string) {
+    const url = parseUrl(urlOrPath);
+    const isTrusted = url ? window.location.hostname === url.hostname : urlOrPath.startsWith("/");
+    if (!isTrusted) {
+        console.warn("Untrusted URL", urlOrPath);
+    }
+    return isTrusted;
+}