
Fix tab character open redirect #555

Closed
wants to merge 1 commit into from

Conversation

cfbender

@cfbender cfbender commented Dec 8, 2021

Description

Fixes an open redirect vulnerability via the returnTo parameter by checking for whitespace characters.

Chrome-based browsers (in my testing) will trim off the tab character for a redirect, as defined in the URL parser spec. This leads to an open redirect through returnTo by setting it to something like /%09/google.com.

You can test this in chrome by executing the following in the console:

window.location.href = '/\x09/google.com'

Testing

Include returnTo=/%09/google.com in the login; it should fail with this change.

  • This change adds test coverage for new/changed/fixed functionality

Checklist

  • All active GitHub checks for tests, formatting, and security are passing
  • The correct base branch is being used, if not main

@cfbender cfbender requested a review from a team as a code owner December 8, 2021 18:18
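The bypass described in the PR, reproduced as an added example. This is not code from the nextjs-auth0 project or from this PR; BASE_URL, naiveIsRelative, resolveAsBrowserWould and isSafeRedirect are names chosen here for illustration, not the library's API. It shows why a "starts with / but not //" check lets /%09/google.com through, confirms with Node's WHATWG URL class that the tab is stripped before parsing (the same behaviour the description reports in Chrome), and shows one stricter validator that rejects control characters, backslashes and scheme-relative paths and then verifies the resolved origin.

```javascript
// Added example, not the nextjs-auth0 project's code or this PR's diff.
// Names below (BASE_URL, naiveIsRelative, resolveAsBrowserWould,
// isSafeRedirect) are illustrative assumptions, not the library's API.

const BASE_URL = 'https://app.example.com'; // assumed application origin

// The kind of check the tab trick defeats: "starts with / but not //".
// "/\t/google.com" satisfies it because its second character is a tab.
function naiveIsRelative(returnTo) {
  return returnTo.startsWith('/') && !returnTo.startsWith('//');
}

// Resolve the value as a WHATWG URL parser (Chrome, Node's URL class) does:
// the parser removes every ASCII tab and newline from the input before
// parsing, so "/\t/google.com" becomes "//google.com", a scheme-relative
// reference whose host is google.com, not ours.
function resolveAsBrowserWould(returnTo) {
  return new URL(returnTo, BASE_URL).href;
}

// Stricter validator. Takes the already-decoded query value (for
// ?returnTo=/%09/google.com the framework hands you "/\t/google.com").
function isSafeRedirect(returnTo) {
  if (typeof returnTo !== 'string' || returnTo.length === 0) return false;
  // Reject any C0 control character, space, DEL or backslash. That covers
  // tab, CR and LF (stripped by the parser) and "\" (treated as "/" in
  // http(s) URLs, so "/\google.com" also resolves off-origin).
  if (/[\x00-\x20\x7f\\]/.test(returnTo)) return false;
  // Only a path-absolute relative reference: one leading slash, not two.
  if (!returnTo.startsWith('/') || returnTo.startsWith('//')) return false;
  // Belt and braces: confirm the resolved origin is still ours.
  let resolved;
  try {
    resolved = new URL(returnTo, BASE_URL);
  } catch {
    return false;
  }
  return resolved.origin === new URL(BASE_URL).origin;
}

// Walk through the PR's probe value.
const probe = decodeURIComponent('/%09/google.com'); // "/\t/google.com"
console.log(naiveIsRelative(probe));        // true  -> naive check passes
console.log(resolveAsBrowserWould(probe));  // https://google.com/
console.log(isSafeRedirect(probe));         // false -> rejected
console.log(isSafeRedirect('/dashboard'));  // true
```

Rejecting space and DEL as well as tab/CR/LF is deliberately conservative: a legitimate path from a browser arrives percent-encoded, so a raw control or space character in returnTo is a sign of tampering, not a real route. The final origin comparison is a second layer that catches parser quirks the character filter does not anticipate.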
@vercel

vercel bot commented Dec 8, 2021

@cfbender is attempting to deploy a commit to the Auth0 Team on Vercel.

A member of the Team first needs to authorize it.

@adamjmcgrath (Contributor)

Hi @cfbender - thanks for raising this, much appreciated!

We're working on a slightly different fix for this right now, and will raise another PR shortly.

In future, we kindly ask that you use the Responsible Disclosure Program to report security issues.

@cfbender (Author)

cfbender commented Dec 9, 2021

@adamjmcgrath my mistake, thank you so much for pointing me toward that! I had no idea that was a thing. I will absolutely keep that in mind for this and other projects.

Thanks for your diligent response as well!
