From dab36a97442c42ec8aff13c319ea6dce6bc89671 Mon Sep 17 00:00:00 2001
From: sriram veeraghanta
Date: Wed, 10 Sep 2025 14:56:19 +0530
Subject: [PATCH] Potential fix for code scanning alert no. 636: URL redirection from remote source
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 apps/api/plane/utils/path_validator.py | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/apps/api/plane/utils/path_validator.py b/apps/api/plane/utils/path_validator.py
index ba81e9cabff..aad28239feb 100644
--- a/apps/api/plane/utils/path_validator.py
+++ b/apps/api/plane/utils/path_validator.py
@@ -3,18 +3,20 @@ def validate_next_path(next_path: str) -> str:
- """Validates that next_path is a valid path and extracts only the path component."""
+ """Validates that next_path is a safe relative path for redirection."""
+ # Browsers interpret backslashes as forward slashes. Remove all backslashes.
+ next_path = next_path.replace("\\", "")
 parsed_url = urlparse(next_path)
- # Ensure next_path is not an absolute URL
+ # Block absolute URLs or anything with scheme/netloc
 if parsed_url.scheme or parsed_url.netloc:
 next_path = parsed_url.path # Extract only the path component
- # Ensure it starts with a forward slash (indicating a valid relative path)
- if not next_path.startswith("/"):
+ # Must start with a forward slash and not be empty
+ if not next_path or not next_path.startswith("/"):
 return ""
- # Ensure it does not contain dangerous path traversal sequences
+ # Prevent path traversal
 if ".." in next_path:
 return ""