
@MananTank
Member

@MananTank MananTank commented Nov 17, 2025


PR-Codex overview

This PR modifies the isValidEncodedRedirectPath function to enhance validation of the decoded path by checking if it starts with a single slash and ensuring the hostname is thirdweb.com.

Detailed summary

  • Removed comments about decoding and path validation.
  • Added a check to return false if the decodedPath does not start with a /.
  • Introduced a URL object to validate that the hostname is thirdweb.com.
  • Simplified the return logic for valid paths.

✨ Ask PR-Codex anything about this PR by commenting with /codex {your question}

Summary by CodeRabbit

  • Bug Fixes
    • Strengthened login redirect validation: decoded redirect paths are now checked more robustly and only allow routes verified as belonging to the official domain. Invalid or malformed redirects are blocked.

@vercel

vercel bot commented Nov 17, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Preview Comments Updated (UTC)
thirdweb-www Ready Ready Preview Comment Nov 17, 2025 1:17pm
4 Skipped Deployments
Project Deployment Preview Comments Updated (UTC)
docs-v2 Skipped Skipped Nov 17, 2025 1:17pm
nebula Skipped Skipped Nov 17, 2025 1:17pm
thirdweb_playground Skipped Skipped Nov 17, 2025 1:17pm
wallet-ui Skipped Skipped Nov 17, 2025 1:17pm

@linear

linear bot commented Nov 17, 2025

@changeset-bot

changeset-bot bot commented Nov 17, 2025

⚠️ No Changeset found

Latest commit: c63ef1c

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@github-actions github-actions bot added the Dashboard Involves changes to the Dashboard. label Nov 17, 2025
@MananTank MananTank marked this pull request as ready for review November 17, 2025 12:36
@MananTank MananTank requested review from a team as code owners November 17, 2025 12:36
Member Author


How to use the Graphite Merge Queue

Add either label to this PR to merge it via the merge queue:

  • merge-queue - adds this PR to the back of the merge queue
  • hotfix - for urgent hot fixes, skip the queue and merge this PR next

You must have a Graphite account in order to use the merge queue. Sign up using this link.

An organization admin has enabled the Graphite Merge Queue in this repository.

Please do not merge from GitHub as this will restart CI on PRs being processed by the merge queue.

This stack of pull requests is managed by Graphite. Learn more about stacking.

@coderabbitai
Contributor

coderabbitai bot commented Nov 17, 2025

Walkthrough

Decoded redirect path is validated by decoding the input, requiring the decoded path to start with "/", resolving it against the base URL "https://thirdweb.com", and returning true only if the resulting URL's hostname equals "thirdweb.com". Decode or URL construction failures return false.

Changes

Cohort / File(s) Summary
Redirect validation
apps/dashboard/src/app/login/isValidEncodedRedirectPath.ts
Decode input, require decoded path to start with "/", construct a URL with base https://thirdweb.com, and return true only if url.hostname === "thirdweb.com". Preserve error handling: decode/URL errors → false.

Sequence Diagram(s)

sequenceDiagram
    participant Caller as Caller
    participant Validator as isValidEncodedRedirectPath
    participant URL as URL constructor

    Caller->>Validator: provide encodedPath
    Validator->>Validator: try decodeURIComponent(encodedPath)
    alt decode failed
        Validator-->>Caller: return false
    else decode succeeded
        Validator->>Validator: if not decoded.startsWith("/")
        alt not start with "/"
            Validator-->>Caller: return false
        else starts with "/"
            Validator->>URL: new URL(decoded, "https://thirdweb.com")
            alt URL construction failed
                Validator-->>Caller: return false
            else URL built
                Validator->>Validator: check url.hostname === "thirdweb.com"
                alt hostname matches
                    Validator-->>Caller: return true
                else mismatch
                    Validator-->>Caller: return false
                end
            end
        end
    end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

  • Inspect handling of percent-encoded slashes and characters (e.g., %2F, %5C) to ensure decoding doesn't permit bypasses.
  • Verify protocol-relative or internationalized hostnames cannot cause hostname mismatch bypasses.
  • Confirm the hardcoded base https://thirdweb.com is appropriate for all redirect contexts.

Pre-merge checks and finishing touches

❌ Failed checks (1 warning, 1 inconclusive)
Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. You can run @coderabbitai generate docstrings to improve docstring coverage.
Description check ❓ Inconclusive The description includes a PR-Codex summary explaining the changes but lacks required template sections like 'Notes for the reviewer' and 'How to test' that are specified in the repository template. Complete the PR description by adding 'Notes for the reviewer' section highlighting security implications and 'How to test' section with testing instructions (unit tests, manual validation, etc.).
✅ Passed checks (3 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly summarizes the main change: improving login redirect path validation, which directly aligns with the primary objective of fixing an open redirect vulnerability.
Linked Issues check ✅ Passed The PR successfully addresses the linked issue MNY-310 by implementing validation that constrains redirects to thirdweb.com domain and requires valid path format (single leading slash), directly fixing the reported open redirect vulnerability.
Out of Scope Changes check ✅ Passed All changes are focused on the isValidEncodedRedirectPath function to address the open redirect vulnerability; no out-of-scope modifications detected.

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

  • Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between cd6b912 and c63ef1c.

📒 Files selected for processing (1)
  • apps/dashboard/src/app/login/isValidEncodedRedirectPath.ts (1 hunks)
🧰 Additional context used
🧠 Learnings (1)
📚 Learning: 2025-06-05T13:59:49.886Z
Learnt from: MananTank
Repo: thirdweb-dev/js PR: 7285
File: apps/dashboard/src/app/(app)/(dashboard)/published-contract/components/uri-based-deploy.tsx:57-57
Timestamp: 2025-06-05T13:59:49.886Z
Learning: In the thirdweb dashboard Next.js app, when using loginRedirect() in server components, ensure to add a return statement after the redirect call to prevent further code execution and potential security issues.

Applied to files:

  • apps/dashboard/src/app/login/isValidEncodedRedirectPath.ts
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (6)
  • GitHub Check: E2E Tests (pnpm, vite)
  • GitHub Check: E2E Tests (pnpm, esbuild)
  • GitHub Check: Size
  • GitHub Check: Unit Tests
  • GitHub Check: Lint Packages
  • GitHub Check: Analyze (javascript)
🔇 Additional comments (2)
apps/dashboard/src/app/login/isValidEncodedRedirectPath.ts (2)

7-8: Security implementation looks solid.

The approach of using the URL constructor with a base URL and validating the resulting hostname is robust and handles various attack vectors correctly:

  • Rejects protocol-relative URLs (//evil.com)
  • Rejects absolute URLs (https://evil.com)
  • Handles encoded slashes after decoding
  • Provides consistent parsing across environments

4-8: The original review comment is based on a misunderstanding of the function's purpose and behavior.

The isValidEncodedRedirectPath function is designed to validate relative paths only, not absolute URLs. The first check if (!decodedPath.startsWith("/")) immediately rejects any absolute URL, including those pointing to subdomains like https://dashboard.thirdweb.com. The function's use of new URL(decodedPath, "https://thirdweb.com") is purely for validation logic to detect encoding-based attacks—it's not intended to support subdomain redirects. The actual redirect is a relative path passed to router.replace(), which is correct behavior for preventing open redirect vulnerabilities. No subdomain redirects exist in the codebase, and the current implementation is secure and working as intended.

Likely an incorrect or invalid review comment.

Warning

Review ran into problems

🔥 Problems

Errors were encountered while retrieving linked issues.

Errors (1)
  • TEAM-0000: Entity not found: Issue - Could not find referenced Issue.

Comment @coderabbitai help to get the list of available commands and usage tips.

@codecov

codecov bot commented Nov 17, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 54.85%. Comparing base (c7ff3b1) to head (c63ef1c).
⚠️ Report is 1 commit behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #8422   +/-   ##
=======================================
  Coverage   54.85%   54.85%           
=======================================
  Files         919      919           
  Lines       60853    60853           
  Branches     4142     4142           
=======================================
  Hits        33378    33378           
  Misses      27373    27373           
  Partials      102      102           
Flag Coverage Δ
packages 54.85% <ø> (ø)

@github-actions
Contributor

github-actions bot commented Nov 17, 2025

size-limit report 📦

Path Size
@thirdweb-dev/nexus (esm) 104.88 KB (0%)
@thirdweb-dev/nexus (cjs) 316.6 KB (0%)

Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (1)
apps/dashboard/src/app/login/isValidEncodedRedirectPath.ts (1)

4-8: Strong security improvement for preventing open redirects.

The validation logic effectively prevents open redirect attacks by:

  1. Ensuring the decoded path is relative (starts with "/")
  2. Resolving it against the thirdweb.com base URL
  3. Verifying the resulting hostname remains "thirdweb.com"

This correctly handles several attack vectors:

  • Protocol-relative URLs (//evil.com) pass the first check but fail the hostname verification
  • Absolute URLs without "/" are rejected immediately
  • Path traversal attempts normalize to paths on thirdweb.com
  • Query parameters and fragments remain safe

Optional enhancement: Consider making the protocol-relative URL rejection more explicit by checking that the path does not start with "//":

 const decodedPath = decodeURIComponent(encodedPath);
-if (!decodedPath.startsWith("/")) {
+if (!decodedPath.startsWith("/") || decodedPath.startsWith("//")) {
   return false;
 }
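
Review bot: the added `|| decodedPath.startsWith("//")` guard only catches a literal pair of slashes, so on its own it does not cover the variants the WHATWG URL parser folds into an authority: `/\evil.com` (a backslash is treated as a slash for special schemes, the `%5C` case flagged in the review-effort notes above) and `/<tab>/evil.com` (ASCII tab and newline are stripped before parsing) both pass this line yet resolve to hostname `evil.com`. Keep the `url.hostname === "thirdweb.com"` comparison as the authoritative check and comment the `//` test as a readability guard, not as the protection, so the next maintainer does not read it as sufficient.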

While the current implementation already prevents "//" paths via the hostname check, an explicit rejection would make the security intent clearer and provide defense in depth.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

  • Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between c22c7dc and cd6b912.

📒 Files selected for processing (1)
  • apps/dashboard/src/app/login/isValidEncodedRedirectPath.ts (1 hunks)
🧰 Additional context used
🧠 Learnings (1)
📚 Learning: 2025-06-05T13:59:49.886Z
Learnt from: MananTank
Repo: thirdweb-dev/js PR: 7285
File: apps/dashboard/src/app/(app)/(dashboard)/published-contract/components/uri-based-deploy.tsx:57-57
Timestamp: 2025-06-05T13:59:49.886Z
Learning: In the thirdweb dashboard Next.js app, when using loginRedirect() in server components, ensure to add a return statement after the redirect call to prevent further code execution and potential security issues.

Applied to files:

  • apps/dashboard/src/app/login/isValidEncodedRedirectPath.ts
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Size
🔇 Additional comments (1)
apps/dashboard/src/app/login/isValidEncodedRedirectPath.ts (1)

1-13: Verification confirms the function is correctly integrated into the redirect flow.

The function is imported and called in the login page server component, where it validates the redirect path before passing it to the client component. The validated path is then used safely in router.replace() within the client component. No alternative redirect implementations or bypass paths were found in the login directory. The implementation follows security best practices with server-side validation preceding client-side usage.
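
The validator the two CodeRabbit comments above describe, reconstructed as an added example and run against the bypass classes the review lists (percent-encoded slashes, protocol-relative paths, backslash and tab variants, malformed encoding). This is not the project's apps/dashboard/src/app/login/isValidEncodedRedirectPath.ts, whose exact text does not appear on this page; the constant names TRUSTED_HOST and BASE_URL, the helper functions and the case table are assumptions added for the example.

```typescript
// Added example: reconstruction of the check this PR describes, not the
// project's own source. TRUSTED_HOST / BASE_URL are assumed names.
const TRUSTED_HOST = "thirdweb.com";
const BASE_URL = `https://${TRUSTED_HOST}`;

// Decode once, require a leading "/", resolve against the trusted origin and
// accept only if the parser agrees the result still lives on that host.
function isValidEncodedRedirectPath(encodedPath: string): boolean {
  let decodedPath: string;
  try {
    decodedPath = decodeURIComponent(encodedPath);
  } catch {
    return false; // malformed percent-encoding such as "%E0%A4%A" throws URIError
  }
  if (!decodedPath.startsWith("/")) {
    return false; // rejects absolute URLs and bare segments like "dashboard"
  }
  try {
    return new URL(decodedPath, BASE_URL).hostname === TRUSTED_HOST;
  } catch {
    return false;
  }
}

// Where a decoded path actually lands after WHATWG normalisation; this is the
// value the hostname comparison is really looking at.
function resolveAgainstBase(decodedPath: string): { hostname: string; pathname: string } {
  const url = new URL(decodedPath, BASE_URL);
  return { hostname: url.hostname, pathname: url.pathname };
}

// The literal "//" guard on its own, for comparison with the parser-based check.
function literalDoubleSlashGuard(decodedPath: string): boolean {
  return decodedPath.startsWith("/") && !decodedPath.startsWith("//");
}

// Constructed inputs (not taken from the PR), grouped by the bypass class they probe.
const CASES: ReadonlyArray<readonly [string, string, boolean]> = [
  ["plain path", "/dashboard", true],
  ["query and fragment stay on the host", "/team?next=https://evil.com#x", true],
  ["dot segments normalise to a path on the host", "/../admin", true],
  ["absolute URL, even to the trusted host", "https://thirdweb.com/x", false],
  ["protocol-relative", "//evil.com", false],
  ["percent-encoded slashes", "%2F%2Fevil.com", false],
  ["leading slash then encoded slashes", "/%2F%2Fevil.com", false],
  ["backslash folded to slash by the parser", "/%5Cevil.com", false],
  ["tab stripped by the parser", "/%09/evil.com", false],
  ["malformed percent-encoding", "%E0%A4%A", false],
  ["empty", "", false],
];

function runCases(): { label: string; encoded: string; expected: boolean; got: boolean }[] {
  return CASES.map(([label, encoded, expected]) => ({
    label,
    encoded,
    expected,
    got: isValidEncodedRedirectPath(encoded),
  }));
}

function allCasesPass(): boolean {
  return runCases().every((r) => r.got === r.expected);
}

for (const r of runCases()) {
  const mark = r.got === r.expected ? "ok " : "BAD";
  console.log(`${mark} ${r.label}: ${JSON.stringify(r.encoded)} -> ${r.got}`);
}
```

The two backslash and tab rows are the ones to keep in mind when reading the nitpick about an explicit `startsWith("//")` check: both inputs pass a literal test for `//` but the URL parser resolves them to `evil.com`, so the hostname comparison is the check that actually does the work.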

@graphite-app
Contributor

graphite-app bot commented Nov 17, 2025

Merge activity

@MananTank MananTank changed the title [MNY-310] Improve login redirect path validation [MNY-310] Dashboard: Improve login redirect path validation Nov 17, 2025
@graphite-app graphite-app bot merged commit c63ef1c into main Nov 17, 2025
24 checks passed
@graphite-app graphite-app bot deleted the mny-310 branch November 17, 2025 13:17