Merge 8fe26b3 into 0db4b56

inveniosoftware · Feb 26, 2019 · db17542 · db17542
2 parents 0db4b56 + 8fe26b3
commit db17542
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 4 deletions.
diff --git a/invenio_oauthclient/utils.py b/invenio_oauthclient/utils.py
@@ -19,7 +19,7 @@
 from invenio_db import db
 from invenio_db.utils import rebuild_encrypted_properties
 from sqlalchemy.exc import IntegrityError
-from uritools import urisplit
+from uritools import uricompose, urisplit
 from werkzeug.local import LocalProxy
 from werkzeug.utils import import_string
 from wtforms.fields.core import FormField
@@ -157,7 +157,11 @@ def get_safe_redirect_target(arg='next'):
             if redirect_uri.host in allowed_hosts:
                 return target
             elif redirect_uri.path:
-                return redirect_uri.path
+                return uricompose(
+                    path=redirect_uri.path,
+                    query=redirect_uri.query,
+                    fragment=redirect_uri.fragment
+                )
     return None
 
 

diff --git a/tests/conftest.py b/tests/conftest.py
@@ -82,6 +82,7 @@ def base_app(request):
         SQLALCHEMY_TRACK_MODIFICATIONS=False,
         SECURITY_PASSWORD_HASH='plaintext',
         SECURITY_PASSWORD_SCHEMES=['plaintext'],
+        APP_ALLOWED_HOSTS=['localhost']
     )
     FlaskMenu(base_app)
     Babel(base_app)

diff --git a/tests/test_utils.py b/tests/test_utils.py
@@ -15,13 +15,15 @@
 import pytest
 from flask_security.confirmable import _security
 from invenio_db import db
+from uritools import uriencode
 
 from invenio_oauthclient.errors import AlreadyLinkedError
 from invenio_oauthclient.models import RemoteAccount, RemoteToken
 from invenio_oauthclient.utils import _get_external_id, \
     create_csrf_disabled_registrationform, create_registrationform, \
-    fill_form, oauth_authenticate, oauth_get_user, oauth_link_external_id, \
-    oauth_unlink_external_id, obj_or_import_string, rebuild_access_tokens
+    fill_form, get_safe_redirect_target, oauth_authenticate, oauth_get_user, \
+    oauth_link_external_id, oauth_unlink_external_id, obj_or_import_string, \
+    rebuild_access_tokens
 
 
 def test_utilities(models_fixture):
@@ -175,6 +177,19 @@ def test_registrationform_userprofile_disable_csrf(app_with_userprofiles_csrf,
     _assert_no_csrf_token(filled_form)
 
 
+@pytest.mark.parametrize("test_input,expected", [
+    ('https://invenio.org/search?page=1&q=&keywords=taxonomy&keywords=animali',
+     '/search?page=1&q=&keywords=taxonomy&keywords=animali'),
+    ('/search?page=1&size=20',
+     '/search?page=1&size=20'),
+    ('https://localhost/search?page=1',
+     'https://localhost/search?page=1'),
+])
+def test_get_safe_redirect_target(app, test_input, expected):
+    with app.test_request_context('/?next={0}'.format(uriencode(test_input))):
+        assert get_safe_redirect_target() == expected
+
+
 def _assert_csrf_token(form):
     """Assert that the field `csrf_token` exists in the form."""
     assert 'csrf_token' in form