add clean_next_url method to reduce mitigate url redirection from rem…

…ote source risks
gip-inclusion · Nov 14, 2024 · 542c9b8 · 542c9b8
1 parent 75020d6
commit 542c9b8
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 0 deletions.
diff --git a/lacommunaute/utils/tests/tests_urls.py b/lacommunaute/utils/tests/tests_urls.py
@@ -3,6 +3,8 @@
 import pytest
 from django.urls import NoReverseMatch, clear_url_caches, reverse
 
+from lacommunaute.utils.urls import clean_next_url
+
 
 @pytest.fixture(autouse=True)
 def _clear_url_caches():
@@ -22,3 +24,10 @@ def test_django_urls_prod(settings):
         reverse("login")
     with pytest.raises(NoReverseMatch):
         reverse("djdt:render_panel")
+
+
+@pytest.mark.parametrize(
+    "url, expected", [(None, "/"), ("http://www.unallowed.com", "/"), ("/", "/"), ("/topics/", "/topics/")]
+)
+def test_clean_next_url(url, expected):
+    assert clean_next_url(url) == expected
diff --git a/lacommunaute/utils/urls.py b/lacommunaute/utils/urls.py
@@ -62,3 +62,9 @@ def get_safe_url(request, param_name=None, fallback_url=None, url=None):
                 return url
 
     return fallback_url
+
+
+def clean_next_url(url):
+    if not url_has_allowed_host_and_scheme(url, allowed_hosts=settings.ALLOWED_HOSTS):
+        return "/"
+    return url