-
Notifications
You must be signed in to change notification settings - Fork 21.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow hosts redirects from hosts
Rails configuration
#45680
base: main
Are you sure you want to change the base?
Conversation
@@ -11,6 +11,7 @@ class UnsafeRedirectError < StandardError; end | |||
|
|||
included do | |||
mattr_accessor :raise_on_open_redirects, default: false | |||
mattr_accessor :redirect_hosts_allowed, default: [] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As this accessor is a collection of hosts, what do you think about renaming the accessor?
mattr_accessor :redirect_hosts_allowed, default: [] | |
mattr_accessor :allowed_redirect_hosts, default: [] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, it's better! I changed that 👍🏻
f8179f5
to
edbaad2
Compare
@p8 Is there anything else I can do about this PR? |
I have a similar setup and in particular one domain is in charge of authentication and redirecting to the other domain after auth. This is further complicated because the redirect is within Devise and |
82c5bd3
to
f2ed371
Compare
@@ -1,3 +1,7 @@ | |||
* Allow hosts redirects from `hosts` Rails configuration |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think providing an example in the changelog would be nice
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What example would you like to view here?
This PR only fixes the raise of UnsafeRedirectError
when redirecting to an allowed hosts from config.hosts
.
@@ -198,6 +199,7 @@ def _url_host_allowed?(url) | |||
host = URI(url.to_s).host | |||
|
|||
return true if host == request.host | |||
return true if ActionDispatch::HostAuthorization::Permissions.new(allowed_redirect_hosts).allows?(host) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks like an anti-pattern to me, like the list of allowed hosts should be known before we get here or evaluated lazily. Might just be me though 🤔
Any update on this feature? We've run into the same issue, where we frequently want to redirect between two subdomains. Currently the only option is to disable this security feature and verify manually that the URL is safe. Additionally, what's odd is that the |
Hi @Kevinrob, thanks for getting started with this PR, would you be able to get it across the line? There are a couple of sensible comments from @zzak and a build failure - hopefully they are both straightforward to address? We'd like to see this added to Rails as we are also hitting an unsafe redirect during our authentication flow in the same way as apokalipto/devise_saml_authenticatable#237 - adding our identity provider's hostname to |
5280793
to
a3e1537
Compare
Hi @owst, I just rebased the PR against |
…nfiguration_hosts
Summary
We use Rails with multiple domains (and subdomains). All these domains are configured with
config.hosts
.Sometimes we have dynamic redirect from one domain to an other.
And
ActionController::Redirecting::UnsafeRedirectError
is raised.It would be great to allow redirections to domains that the app accept in
config.hosts
.This should not be considered as unsafe.
Other Information