From c951d8ea95cd541df60ac53ed45f8dc8e4b32b5f Mon Sep 17 00:00:00 2001
From: vamsikrishnamathala <matalav55@gmail.com>
Date: Wed, 17 Sep 2025 17:33:07 +0530
Subject: [PATCH 1/3] fix: next path url redirection

---
 apps/space/app/page.tsx   | 25 +++++++++++++++++++++++--
 packages/utils/src/url.ts | 37 +++++++++++++++++++++++++++++++++++++
 2 files changed, 60 insertions(+), 2 deletions(-)

diff --git a/apps/space/app/page.tsx b/apps/space/app/page.tsx
index a75275e0d59..f544bcb103e 100644
--- a/apps/space/app/page.tsx
+++ b/apps/space/app/page.tsx
@@ -1,6 +1,9 @@
 "use client";
-
+import { useEffect } from "react";
 import { observer } from "mobx-react";
+import { useSearchParams, useRouter } from "next/navigation";
+// plane imports
+import { isValidNextPath } from "@plane/utils";
 // components
 import { UserLoggedIn } from "@/components/account/user-logged-in";
 import { LogoSpinner } from "@/components/common/logo-spinner";
@@ -10,6 +13,15 @@ import { useUser } from "@/hooks/store/use-user";
 
 const HomePage = observer(() => {
   const { data: currentUser, isAuthenticated, isInitializing } = useUser();
+  const searchParams = useSearchParams();
+  const router = useRouter();
+  const nextPath = searchParams.get("next_path");
+
+  useEffect(() => {
+    if (currentUser && isAuthenticated && nextPath && isValidNextPath(nextPath)) {
+      router.replace(nextPath);
+    }
+  }, [currentUser, isAuthenticated, nextPath, router]);
 
   if (isInitializing)
     return (
@@ -18,7 +30,16 @@ const HomePage = observer(() => {
       </div>
     );
 
-  if (currentUser && isAuthenticated) return <UserLoggedIn />;
+  if (currentUser && isAuthenticated) {
+    if (nextPath && isValidNextPath(nextPath)) {
+      return (
+        <div className="flex h-screen min-h-[500px] w-full justify-center items-center">
+          <LogoSpinner />
+        </div>
+      );
+    }
+    return <UserLoggedIn />;
+  }
 
   return <AuthView />;
 });
diff --git a/packages/utils/src/url.ts b/packages/utils/src/url.ts
index 638839bb06c..2de0e778b89 100644
--- a/packages/utils/src/url.ts
+++ b/packages/utils/src/url.ts
@@ -257,3 +257,40 @@ export function extractURLComponents(url: URL | string): IURLComponents | undefi
     return undefined;
   }
 }
+
+/**
+ * Validates that a next_path parameter is safe for redirection.
+ * Only allows relative paths starting with "/" to prevent open redirect vulnerabilities.
+ *
+ * @param url - The next_path URL to validate
+ * @returns True if the URL is a safe relative path, false otherwise
+ *
+ * @example
+ * isValidNextPath("/dashboard") // true
+ * isValidNextPath("/workspace/123") // true
+ * isValidNextPath("https://malicious.com") // false
+ * isValidNextPath("javascript:alert(1)") // false
+ * isValidNextPath("") // false
+ * isValidNextPath("dashboard") // false (must start with /)
+ */
+export function isValidNextPath(url: string): boolean {
+  if (!url || typeof url !== "string") return false;
+
+  // Only allow relative paths starting with /
+  if (!url.startsWith("/")) return false;
+
+  // Disallow external URLs (http, https, ftp) for security
+  const disallowedSchemes = /^(https?|ftp):\/\//i;
+  if (disallowedSchemes.test(url)) return false;
+
+  // Additional security checks for malicious patterns
+  const maliciousPatterns = [
+    /javascript:/i,
+    /data:/i,
+    /vbscript:/i,
+    /<script/i,
+    /on\w+=/i, // Event handlers like onclick=, onload=
+  ];
+
+  return !maliciousPatterns.some((pattern) => pattern.test(url));
+}
\ No newline at end of file

From 7b6024778d98b23ea79019bc011f6b953b4c13dc Mon Sep 17 00:00:00 2001
From: pablohashescobar <nikhilschacko@gmail.com>
Date: Wed, 17 Sep 2025 17:47:54 +0530
Subject: [PATCH 2/3] fix: enhance URL redirection safety in authentication
 views

Updated SignInAuthSpaceEndpoint, GitHubCallbackSpaceEndpoint, GitLabCallbackSpaceEndpoint, and GoogleCallbackSpaceEndpoint to include checks for allowed hosts and schemes before redirecting. This improves the security of URL redirection by ensuring only valid URLs are used.
---
 .../plane/authentication/views/space/email.py    | 16 ++++++++--------
 .../plane/authentication/views/space/github.py   |  8 ++++++--
 .../plane/authentication/views/space/gitlab.py   |  8 ++++++--
 .../plane/authentication/views/space/google.py   |  8 ++++++--
 4 files changed, 26 insertions(+), 14 deletions(-)

diff --git a/apps/api/plane/authentication/views/space/email.py b/apps/api/plane/authentication/views/space/email.py
index 2fb1c2c5ea4..7e29242d29c 100644
--- a/apps/api/plane/authentication/views/space/email.py
+++ b/apps/api/plane/authentication/views/space/email.py
@@ -15,7 +15,7 @@
     AUTHENTICATION_ERROR_CODES,
     AuthenticationException,
 )
-from plane.utils.path_validator import get_safe_redirect_url, validate_next_path
+from plane.utils.path_validator import get_safe_redirect_url, validate_next_path, get_allowed_hosts
 
 
 class SignInAuthSpaceEndpoint(View):
@@ -100,13 +100,13 @@ def post(self, request):
             user = provider.authenticate()
             # Login the user and record his device info
             user_login(request=request, user=user, is_space=True)
-            # redirect to next path
-            url = get_safe_redirect_url(
-                base_url=base_host(request=request, is_space=True),
-                next_path=next_path,
-                params={}
-            )
-            return HttpResponseRedirect(url)
+            # redirect to referer path
+            next_path = validate_next_path(next_path=next_path)
+            url = f"{base_host(request=request, is_space=True).rstrip("/")}{next_path}"
+            if url_has_allowed_host_and_scheme(url, allowed_hosts=get_allowed_hosts()):
+                return HttpResponseRedirect(url)
+            else:
+                return HttpResponseRedirect(base_host(request=request, is_space=True))
         except AuthenticationException as e:
             params = e.get_error_dict()
             url = get_safe_redirect_url(
diff --git a/apps/api/plane/authentication/views/space/github.py b/apps/api/plane/authentication/views/space/github.py
index dd148b8c10a..bf9ea90423c 100644
--- a/apps/api/plane/authentication/views/space/github.py
+++ b/apps/api/plane/authentication/views/space/github.py
@@ -4,6 +4,7 @@
 # Django import
 from django.http import HttpResponseRedirect
 from django.views import View
+from django.utils.http import url_has_allowed_host_and_scheme
 
 # Module imports
 from plane.authentication.provider.oauth.github import GitHubOAuthProvider
@@ -14,7 +15,7 @@
     AUTHENTICATION_ERROR_CODES,
     AuthenticationException,
 )
-from plane.utils.path_validator import get_safe_redirect_url, validate_next_path
+from plane.utils.path_validator import get_safe_redirect_url, validate_next_path, get_allowed_hosts
 
 
 class GitHubOauthInitiateSpaceEndpoint(View):
@@ -95,7 +96,10 @@ def get(self, request):
             # redirect to referer path
             next_path = validate_next_path(next_path=next_path)
             url = f"{base_host(request=request, is_space=True).rstrip("/")}{next_path}"
-            return HttpResponseRedirect(url)
+            if url_has_allowed_host_and_scheme(url, allowed_hosts=get_allowed_hosts()):
+                return HttpResponseRedirect(url)
+            else:
+                return HttpResponseRedirect(base_host(request=request, is_space=True))
         except AuthenticationException as e:
             params = e.get_error_dict()
             url = get_safe_redirect_url(
diff --git a/apps/api/plane/authentication/views/space/gitlab.py b/apps/api/plane/authentication/views/space/gitlab.py
index 77a10a91470..632be056f1b 100644
--- a/apps/api/plane/authentication/views/space/gitlab.py
+++ b/apps/api/plane/authentication/views/space/gitlab.py
@@ -4,6 +4,7 @@
 # Django import
 from django.http import HttpResponseRedirect
 from django.views import View
+from django.utils.http import url_has_allowed_host_and_scheme
 
 # Module imports
 from plane.authentication.provider.oauth.gitlab import GitLabOAuthProvider
@@ -14,7 +15,7 @@
     AUTHENTICATION_ERROR_CODES,
     AuthenticationException,
 )
-from plane.utils.path_validator import get_safe_redirect_url, validate_next_path
+from plane.utils.path_validator import get_safe_redirect_url, validate_next_path, get_allowed_hosts
 
 
 class GitLabOauthInitiateSpaceEndpoint(View):
@@ -96,7 +97,10 @@ def get(self, request):
             # redirect to referer path
             next_path = validate_next_path(next_path=next_path)
             url = f"{base_host(request=request, is_space=True).rstrip("/")}{next_path}"
-            return HttpResponseRedirect(url)
+            if url_has_allowed_host_and_scheme(url, allowed_hosts=get_allowed_hosts()):
+                return HttpResponseRedirect(url)
+            else:
+                return HttpResponseRedirect(base_host(request=request, is_space=True))
         except AuthenticationException as e:
             params = e.get_error_dict()
             url = get_safe_redirect_url(
diff --git a/apps/api/plane/authentication/views/space/google.py b/apps/api/plane/authentication/views/space/google.py
index d8fef9da453..b42f07a7df2 100644
--- a/apps/api/plane/authentication/views/space/google.py
+++ b/apps/api/plane/authentication/views/space/google.py
@@ -4,6 +4,7 @@
 # Django import
 from django.http import HttpResponseRedirect
 from django.views import View
+from django.utils.http import url_has_allowed_host_and_scheme
 
 # Module imports
 from plane.authentication.provider.oauth.google import GoogleOAuthProvider
@@ -14,7 +15,7 @@
     AuthenticationException,
     AUTHENTICATION_ERROR_CODES,
 )
-from plane.utils.path_validator import get_safe_redirect_url, validate_next_path
+from plane.utils.path_validator import get_safe_redirect_url, validate_next_path, get_allowed_hosts
 
 
 class GoogleOauthInitiateSpaceEndpoint(View):
@@ -92,7 +93,10 @@ def get(self, request):
             # redirect to referer path
             next_path = validate_next_path(next_path=next_path)
             url = f"{base_host(request=request, is_space=True).rstrip("/")}{next_path}"
-            return HttpResponseRedirect(url)
+            if url_has_allowed_host_and_scheme(url, allowed_hosts=get_allowed_hosts()):
+                return HttpResponseRedirect(url)
+            else:
+                return HttpResponseRedirect(base_host(request=request, is_space=True))
         except AuthenticationException as e:
             params = e.get_error_dict()
             url = get_safe_redirect_url(

From 581baf2d9c227df06810e3f8182d3fed6831ff23 Mon Sep 17 00:00:00 2001
From: vamsikrishnamathala <matalav55@gmail.com>
Date: Wed, 17 Sep 2025 18:19:05 +0530
Subject: [PATCH 3/3] chore: updated uitl to handle double /

---
 packages/utils/src/url.ts | 76 ++++++++++++++++++++++-----------------
 1 file changed, 43 insertions(+), 33 deletions(-)

diff --git a/packages/utils/src/url.ts b/packages/utils/src/url.ts
index 2de0e778b89..738d935d5c8 100644
--- a/packages/utils/src/url.ts
+++ b/packages/utils/src/url.ts
@@ -114,22 +114,6 @@ export function extractHostname(url: string): string {
  *    - Removes hash fragments (everything after '#')
  *    - Removes port numbers (everything after ':')
  * 3. Validates the TLD against a list of known TLDs
- *
- * @example
- * // Valid cases (returns the TLD)
- * extractTLD('example.com')                    // returns 'com'
- * extractTLD('sub.example.com')                // returns 'com'
- * extractTLD('example.com/path')               // returns 'com'
- * extractTLD('example.com:8080')               // returns 'com'
- * extractTLD('example.com?query=1')            // returns 'com'
- * extractTLD('example.com#hash')               // returns 'com'
- *
- * // Invalid cases (returns empty string)
- * extractTLD('')                               // returns ''
- * extractTLD('.example.com')                   // returns ''
- * extractTLD('example.com.')                   // returns ''
- * extractTLD('example.invalid')                // returns ''
- * extractTLD('localhost')                      // returns ''
  */
 
 export function extractTLD(urlString: string): string {
@@ -269,28 +253,54 @@ export function extractURLComponents(url: URL | string): IURLComponents | undefi
  * isValidNextPath("/dashboard") // true
  * isValidNextPath("/workspace/123") // true
  * isValidNextPath("https://malicious.com") // false
+ * isValidNextPath("//malicious.com") // false (protocol-relative)
  * isValidNextPath("javascript:alert(1)") // false
  * isValidNextPath("") // false
  * isValidNextPath("dashboard") // false (must start with /)
+ * isValidNextPath("\\malicious") // false (backslash)
+ * isValidNextPath("  /dashboard  ") // true (trimmed)
  */
 export function isValidNextPath(url: string): boolean {
   if (!url || typeof url !== "string") return false;
 
+  // Trim leading/trailing whitespace
+  const trimmedUrl = url.trim();
+
+  if (!trimmedUrl) return false;
+
   // Only allow relative paths starting with /
-  if (!url.startsWith("/")) return false;
-
-  // Disallow external URLs (http, https, ftp) for security
-  const disallowedSchemes = /^(https?|ftp):\/\//i;
-  if (disallowedSchemes.test(url)) return false;
-
-  // Additional security checks for malicious patterns
-  const maliciousPatterns = [
-    /javascript:/i,
-    /data:/i,
-    /vbscript:/i,
-    /<script/i,
-    /on\w+=/i, // Event handlers like onclick=, onload=
-  ];
-
-  return !maliciousPatterns.some((pattern) => pattern.test(url));
-}
\ No newline at end of file
+  if (!trimmedUrl.startsWith("/")) return false;
+
+  // Block protocol-relative URLs (//example.com) - open redirect vulnerability
+  if (trimmedUrl.startsWith("//")) return false;
+
+  // Block backslashes which can be used for path traversal or Windows-style paths
+  if (trimmedUrl.includes("\\")) return false;
+
+  try {
+    // Use URL constructor with a dummy base to normalize and validate the path
+    const normalizedUrl = new URL(trimmedUrl, "http://localhost");
+
+    // Ensure the path is still relative (no host change from our dummy base)
+    if (normalizedUrl.hostname !== "localhost" || normalizedUrl.protocol !== "http:") {
+      return false;
+    }
+
+    // Use the normalized pathname for additional security checks
+    const pathname = normalizedUrl.pathname;
+
+    // Additional security checks for malicious patterns in the normalized path
+    const maliciousPatterns = [
+      /javascript:/i,
+      /data:/i,
+      /vbscript:/i,
+      /<script/i,
+      /on\w+=/i, // Event handlers like onclick=, onload=
+    ];
+
+    return !maliciousPatterns.some((pattern) => pattern.test(pathname));
+  } catch (error) {
+    // If URL constructor fails, it's an invalid path
+    return false;
+  }
+}