@iQQBot iQQBot commented Jul 22, 2025

Description

Fixed a DOM XSS vulnerability in the returnToPath parameter validation. The vulnerability allowed attackers to bypass security checks using javascript: protocol URLs with matching hostnames (e.g., javascript://gitpod.io/%250a{{malicious code}}).

The fix adds protocol validation to ensure only HTTPS URLs with matching hostnames are trusted.

Related Issue(s)

Fixes #CLC-1594

How to test

  1. Navigate to the login page with a malicious returnToPath parameter:
     /login?returnToPath=javascript://gitpod.io/%250aalert(1)
  2. Verify the redirect is blocked (check console for "Untrusted URL" warning)
  3. Test legitimate redirects still work:
     • /login?returnToPath=/workspaces
     • /login?returnToPath=https://gitpod.io/dashboard
  4. Run the unit tests: cd components/dashboard && npm test -- src/utils.test.ts

Documentation

No documentation changes required - this is a security fix that doesn't change user-facing functionality.

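The bypass and the fix described above, as an added example that is not the dashboard's own code: a hostname-only check beside one that also requires the https: scheme, exercised with the URLs from the test steps. TRUSTED_HOST and the function names are assumptions.

```typescript
// Added example (not code from the PR): comparing a hostname-only trust check
// for a post-login redirect target with one that also pins the scheme.

const TRUSTED_HOST = "gitpod.io"; // assumed application host

// Parse a relative or absolute returnToPath against the app origin.
// Returns undefined when the input is not a parsable URL.
function parseTarget(input: string): URL | undefined {
  try {
    return new URL(input, `https://${TRUSTED_HOST}/`);
  } catch {
    return undefined;
  }
}

// BEFORE: only the hostname is compared. A URL such as
// "javascript://gitpod.io/..." parses with hostname "gitpod.io" because the
// WHATWG parser reads an authority after "//" even for non-special schemes,
// so this check accepts it and the browser would execute the script.
function isTrustedHostnameOnly(input: string): boolean {
  const url = parseTarget(input);
  return url !== undefined && url.hostname === TRUSTED_HOST;
}

// AFTER: the scheme must be https: in addition to the hostname matching.
// Relative paths resolve against the https: base and still pass.
function isTrustedReturnTo(input: string): boolean {
  const url = parseTarget(input);
  return url !== undefined && url.protocol === "https:" && url.hostname === TRUSTED_HOST;
}

// Resolve the redirect target; anything untrusted falls back to the root path.
function safeReturnTo(input: string | null): string {
  const url = input === null ? undefined : parseTarget(input);
  if (url === undefined || url.protocol !== "https:" || url.hostname !== TRUSTED_HOST) {
    console.warn("Untrusted URL, falling back to /");
    return "/";
  }
  return url.href;
}
```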

The returnToPath parameter validation was vulnerable to XSS attacks using
javascript: protocol URLs with matching hostnames (e.g., javascript://gitpod.io/).
This fix ensures only HTTPS URLs with matching hostnames are trusted.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>
@geropl geropl left a comment


Nice! ✔️

@roboquat roboquat merged commit 6b9ed2c into main Jul 22, 2025
35 checks passed
@roboquat roboquat deleted the pd/CLC-1594 branch July 22, 2025 11:29