Skip to content

Safe redirect action#7695

Merged
labkey-adam merged 4 commits into
release26.3-SNAPSHOTfrom
26.3_fb_safe_redirect
May 28, 2026
Merged

Safe redirect action#7695
labkey-adam merged 4 commits into
release26.3-SNAPSHOTfrom
26.3_fb_safe_redirect

Conversation

@labkey-adam
Copy link
Copy Markdown
Contributor

@labkey-adam labkey-adam commented May 25, 2026
edited
Loading

Rationale

Simple server-side action to help with https://github.com/LabKey/internal-issues/issues/1023

Tasks 📍

  • Claude Code Review
  • Code Review
  • Manual Testing (server action) @cnathe
  • Manual Testing (client) @labkey-adam

Testing and verification of the issue fix will come after the client changes are implemented.

Related PR

@labkey-adam labkey-adam requested a review from cnathe May 25, 2026 18:08
@cnathe
Update window.location.href returnUrl usages to call core-safeRedirec…
43b7ae8 
…t instead

- note: I added a TODO for refactoring this but that should wait until we merge to develop since it will save us from having to bump the package version in 26.3 for this
cnathe
cnathe reviewed May 27, 2026
View reviewed changes
Comment thread core/src/client/AssayDesigner/AssayDesigner.tsx

window.location.href = this.state.returnUrl || defaultUrl;
const redirectUrl = this.state.returnUrl || defaultUrl;
// TODO refactor this and other usages in platform/core/src/client to a helper safeRedirect() function from @labkey/components
Copy link
Copy Markdown
Contributor

@cnathe cnathe May 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

as noted in the commit message, I'll wait until this gets merged to develop to address this TODO so that I don't need to bump @labkey/components for this branch (and have to handle the merge forward conflicts)

labkey-susanh
labkey-susanh reviewed May 27, 2026
View reviewed changes
Comment thread core/src/org/labkey/core/CoreController.java
}

// Called by various client components to ensure safe redirects, GitHub Issue #1023. This action redirects to
// local URLs only, never to an external site, even if the host is on the "Allowed External Redirect Hosts" list.
Copy link
Copy Markdown
Contributor

@labkey-susanh labkey-susanh May 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What is it that assures this uses local URLs only? Doesn't seem to be codified here.

Copy link
Copy Markdown
Contributor Author

@labkey-adam labkey-adam May 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

First, ActionURL is guaranteed to be a local URL. You can give it an external URL and it'll ignore the schema, host, and port, always using the local AppProps values (e.g., when calling getURIString()). Second, SimpleRedirectAction throws RedirectException, which now guarantees a local redirect. This is the result of a recent refactor I did to tighten up our server-side redirect handling. The only way to redirect externally now is via ExternalRedirectException (which ensures an allowed host) or UnsafeExternalRedirectException (where caller is responsible for ensuring the URL is safe).

Copy link
Copy Markdown
Contributor

@labkey-susanh labkey-susanh May 28, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, Adam!

Copy link
Copy Markdown
Contributor Author

@labkey-adam labkey-adam May 28, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

FYI: I expanded the action's comment to lay out the safety guarantees similar to the above

@cnathe cnathe mentioned this pull request May 28, 2026
Merged
@labkey-adam labkey-adam merged commit f50a7f6 into release26.3-SNAPSHOT May 28, 2026
7 of 9 checks passed
@labkey-adam labkey-adam deleted the 26.3_fb_safe_redirect branch May 28, 2026 18:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cnathe cnathe cnathe left review comments

@labkey-susanh labkey-susanh labkey-susanh approved these changes

@labkey-nicka labkey-nicka Awaiting requested review from labkey-nicka

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@labkey-adam @cnathe @labkey-susanh