
[Backport 4.2.x] Harden login redirect URL validation #9309

Merged
josegar74 merged 2 commits into 4.2.x from backport-9307-to-4.2.x, Jun 1, 2026

Conversation

@github-actions github-actions Bot commented Jun 1, 2026

Backport #9307
Authored by: @juanluisrp

Centralise the validation of the post-login redirectUrl into a shared
RedirectUtil helper and use it from the OIDC and Keycloak authentication
filters. Only server-local relative paths are honoured; anything else
falls back to the application context home.

Add unit tests covering the accepted and rejected redirect targets.
The single-argument isSafeRedirect only accepts server-local relative
paths, while the four-argument overload also honours same-site absolute
URLs. Naming both isSafeRedirect made the distinction unclear at the call
sites.

Rename the single-argument method to isRelativeRedirect to make its
narrower contract explicit, and update the internal callers and tests
accordingly. The four-argument overload keeps the isSafeRedirect name.
@josegar74 josegar74 added this to the 4.2.16 milestone Jun 1, 2026
@josegar74 josegar74 merged commit 0d74f67 into 4.2.x Jun 1, 2026
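The two contracts the backport description draws, as an added Java example that is not GeoNetwork's RedirectUtil (the project's actual code is not on this page): isRelativeRedirect admits only server-local relative paths, isSafeRedirect additionally admits absolute URLs whose scheme, host and effective port match the current request, and an assumed resolveRedirect helper applies the context-home fallback. The class name, the argument order of the four-argument check (target, request scheme, request host, request port), the resolveRedirect helper and the sample host geonetwork.example are all assumptions made for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;

// Added example, not GeoNetwork's RedirectUtil: the class name, the argument order of the
// four-argument check and the context-home fallback helper are assumptions for illustration.
public final class RedirectCheckExample {

    // Narrow contract: only a server-local relative path such as "/srv/eng/catalog.search".
    // Rejects anything with a scheme or authority, including the scheme-relative "//host"
    // form and "/\host", which browsers normalise to "//host".
    public static boolean isRelativeRedirect(String target) {
        if (target == null || target.isEmpty() || target.charAt(0) != '/') {
            return false;
        }
        if (target.length() > 1 && (target.charAt(1) == '/' || target.charAt(1) == '\\')) {
            return false;
        }
        for (char c : target.toCharArray()) {
            // CR/LF would split the Location header; backslashes and other control
            // characters are normalised differently by different browsers.
            if (c <= 0x20 || c == 0x7F || c == '\\') {
                return false;
            }
        }
        try {
            URI uri = new URI(target);
            return uri.getScheme() == null && uri.getRawAuthority() == null
                    && uri.getRawPath() != null && uri.getRawPath().startsWith("/");
        } catch (URISyntaxException e) {
            return false;
        }
    }

    // Wider contract: everything isRelativeRedirect accepts, plus absolute URLs whose scheme,
    // host and effective port all match the current request. The host comparison is exact,
    // so "geonetwork.example.evil.example" and "geonetwork.example@evil.example" both fail.
    public static boolean isSafeRedirect(String target, String requestScheme,
                                         String requestHost, int requestPort) {
        if (isRelativeRedirect(target)) {
            return true;
        }
        if (target == null || requestScheme == null || requestHost == null) {
            return false;
        }
        URI uri;
        try {
            uri = new URI(target);
        } catch (URISyntaxException e) {
            return false;
        }
        // Opaque URIs such as javascript: or data: have no host; userinfo is never expected.
        if (!uri.isAbsolute() || uri.getHost() == null || uri.getRawUserInfo() != null) {
            return false;
        }
        String scheme = uri.getScheme().toLowerCase(Locale.ROOT);
        String expectedScheme = requestScheme.toLowerCase(Locale.ROOT);
        if (!scheme.equals(expectedScheme) || !uri.getHost().equalsIgnoreCase(requestHost)) {
            return false;
        }
        int port = uri.getPort() == -1 ? defaultPort(scheme) : uri.getPort();
        int expectedPort = requestPort == -1 ? defaultPort(expectedScheme) : requestPort;
        return port == expectedPort;
    }

    // Assumed fallback: an unsafe target lands on the application context home.
    public static String resolveRedirect(String target, String requestScheme, String requestHost,
                                         int requestPort, String contextHome) {
        return isSafeRedirect(target, requestScheme, requestHost, requestPort) ? target : contextHome;
    }

    private static int defaultPort(String scheme) {
        switch (scheme) {
            case "http":  return 80;
            case "https": return 443;
            default:      return -1;
        }
    }

    public static void main(String[] args) {
        // Constructed sample targets; "geonetwork.example" stands in for the deployment host.
        String[] targets = {
            "/srv/eng/catalog.search?any=water#/search",
            "/srv/eng/catalog search",
            "//evil.example/phish",
            "/\\evil.example",
            "HTTPS://geonetwork.example/srv/eng/catalog.search",
            "https://geonetwork.example:8443/srv/eng/catalog.search",
            "https://geonetwork.example@evil.example/",
            "https://geonetwork.example.evil.example/",
            "javascript:alert(1)",
        };
        for (String t : targets) {
            System.out.printf("%-58s relative=%-5b safe=%-5b -> %s%n", t,
                    isRelativeRedirect(t), isSafeRedirect(t, "https", "geonetwork.example", 443),
                    resolveRedirect(t, "https", "geonetwork.example", 443, "/geonetwork/"));
        }
    }
}
```

Run it with `java RedirectCheckExample.java` (single-file launch, Java 11 or later). Only the first and fifth targets survive the four-argument check, and only the first survives the single-argument one. Two caveats when wiring a check like this into an authentication filter: the request scheme, host and port it compares against must be the externally visible ones (the configured site URL, or a trusted X-Forwarded-Host/Proto set by the reverse proxy), not whatever the client put in the Host header, otherwise the same-site test can be made to pass for an attacker-chosen host; and the redirect target should be passed through unchanged after validation, since any normalisation applied afterwards can reintroduce the forms the check rejected.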
1 check passed