ISS 983 Allow for side redirects with new configuration

CHANGES.rst

@@ -12,6 +12,8 @@ Features & Improvements
 +++++++++++++++++++++++
 - (:issue:`956`) Add support for changing registered user's email (:py:data:`SECURITY_CHANGE_EMAIL`).
 - (:pr:`xxx`) Change default password hash to argon2 (was bcrypt). See below for details.
+- (:issue:`983`) Add new configuration for (:py:data:`SECURITY_REDIRECT_MATCH_SUBDOMAINS`) to allow for
+  stricter redirect matching.
 
 Fixes
 +++++

docs/configuration.rst

@@ -320,6 +320,26 @@ These configuration keys are used globally across all features.
 
     .. versionadded:: 4.0.0
 
+.. py:data:: SECURITY_REDIRECT_MATCH_SUBDOMAINS
+
+    This attribute specifies a list of permitted subdomains that can be the
+    target of redirections. Only the subdomains included in this list will be
+    authorized to receive redirects.
+
+    For enhanced security, configuring this setting will override the default
+    setting that permits all subdomains of SERVER_NAME. This is based on the
+    assumption that you desire to have precise control over the host names that
+    are permitted. It is essential that you provide a comprehensive list of all
+    the subdomains you intend to allow access to.
+
+    This setting requires that :py:data:`SECURITY_REDIRECT_ALLOW_SUBDOMAINS` is set to ``True``.
+
+    Examples: ``['auth.example.com']`` will only allow the auth.example.com subdomain to be redirected to.
+
+    Default: ``[]``.
+
+    .. versionadded:: 5.4.X
+
 .. py:data:: SECURITY_CSRF_PROTECT_MECHANISMS
 
     Authentication mechanisms that require CSRF protection.

flask_security/core.py

@@ -200,6 +200,7 @@
     "REDIRECT_HOST": None,
     "REDIRECT_BEHAVIOR": None,
     "REDIRECT_ALLOW_SUBDOMAINS": False,
+    "REDIRECT_MATCH_SUBDOMAINS": [],
     "FORGOT_PASSWORD_TEMPLATE": "security/forgot_password.html",
     "LOGIN_USER_TEMPLATE": "security/login_user.html",
     "REGISTER_USER_TEMPLATE": "security/register_user.html",

flask_security/utils.py

@@ -19,7 +19,7 @@
 import hmac
 import time
 import typing as t
-from urllib.parse import parse_qsl, quote, urlsplit, urlunsplit, urlencode
+from urllib.parse import parse_qsl, quote, urlsplit, urlunsplit, urlencode, urlparse
 import urllib.request
 import urllib.error
 import warnings
@@ -614,22 +614,61 @@ def validate_redirect_url(url: str) -> bool:
         return False
     url_next = urlsplit(url)
     url_base = urlsplit(request.host_url)
+
     if (url_next.netloc or url_next.scheme) and url_next.netloc != url_base.netloc:
         base_domain = current_app.config.get("SERVER_NAME")
-        if (
-            config_value("REDIRECT_ALLOW_SUBDOMAINS")
-            and base_domain
-            and (
-                url_next.netloc == base_domain
-                or url_next.netloc.endswith(f".{base_domain}")
-            )
-        ):
-            return True
+
+        # Some Flask implementations may not have SERVER_NAME set
+        if not base_domain:
+            base_domain = request.host
+        tld = get_top_level_domain(base_domain)
+
+        # Are we allowed to redirect to other hosts outside of ourself?
+        if config_value("REDIRECT_ALLOW_SUBDOMAINS"):
+            # Capture any allowed subdomains
+            allowed_subdomains = []
+
+            if config_value("REDIRECT_MATCH_SUBDOMAINS"):
+                allowed_subdomains = config_value("REDIRECT_MATCH_SUBDOMAINS")
+
+            # If we have a list of allowed subdomains, check if the next
+            # URL is in the list
+            if (
+                len(allowed_subdomains) > 0
+                and url_next.netloc in allowed_subdomains
+                and url_next.netloc.endswith(f".{tld}")
+            ):
+                return True
+            elif (
+                len(allowed_subdomains) == 0
+                and base_domain
+                and (
+                    url_next.netloc == base_domain
+                    or url_next.netloc.endswith(f".{base_domain}")
+                )
+            ):
+                # If we don't have a list of allowed subdomains, check if the
+                # next URL is the same as the base domain or a subdomain of the
+                # base domain. This is the original behavior.
+                return True
+            else:
+                return False
         else:
             return False
+
     return True
 
 
+def get_top_level_domain(url):
+    # Extract the hostname from the URL if it's not already a hostname
+    hostname = urlparse(url).hostname or url
+    # Split the hostname into parts
+    hostname_parts = hostname.split(".")
+    # The TLD is the last part
+    tld = hostname_parts[-1] if len(hostname_parts) > 1 else ""
+    return tld
+
+
 def get_post_action_redirect(
     config_key: str, next_loc: FlaskForm | MultiDict | dict | None
 ) -> str:

tests/test_basic.py

@@ -171,13 +171,54 @@ def test_authenticate_with_invalid_subdomain_next(app, client, get_message):
     assert get_message("INVALID_REDIRECT") in response.data
 
 
+def test_authenticate_with_subdomain_match_next_strict(app, client, get_message):
+    app.config["SERVER_NAME"] = "lp.com"
+    app.config["SECURITY_REDIRECT_ALLOW_SUBDOMAINS"] = True
+    app.config["SECURITY_REDIRECT_MATCH_SUBDOMAINS"] = ["sub.lp.com"]
+    data = dict(email="[email protected]", password="password")
+    response = client.post("/login?next=http://sub.lp.com", data=data)
+    assert response.status_code == 302
+
+
+def test_authenticate_with_subdomain_match_next_strict_invalid(
+    app, client, get_message
+):
+    app.config["SERVER_NAME"] = "lp.com"
+    app.config["SECURITY_REDIRECT_ALLOW_SUBDOMAINS"] = True
+    app.config["SECURITY_REDIRECT_MATCH_SUBDOMAINS"] = ["foo.lp.com"]
+    data = dict(email="[email protected]", password="password")
+    response = client.post("/login?next=http://sub.lp.com", data=data)
+    assert get_message("INVALID_REDIRECT") in response.data
+
+
 def test_authenticate_with_subdomain_next_default_config(app, client, get_message):
     app.config["SERVER_NAME"] = "lp.com"
     data = dict(email="[email protected]", password="password")
     response = client.post("/login?next=http://sub.lp.com", data=data)
     assert get_message("INVALID_REDIRECT") in response.data
 
 
+def test_authenticate_with_subdomain_next_invalid_domain(app, client, get_message):
+    app.config["SERVER_NAME"] = "lp.com"
+    app.config["SECURITY_REDIRECT_ALLOW_SUBDOMAINS"] = True
+    app.config["SECURITY_REDIRECT_MATCH_SUBDOMAINS"] = [
+        "github.com",
+        "something.github.com",
+    ]
+    data = dict(email="[email protected]", password="password")
+    response = client.post("/login?next=http://sub.lp.net", data=data)
+    assert get_message("INVALID_REDIRECT") in response.data
+
+
+def test_authenticate_with_subdomain_next_app_context(app, client, get_message):
+    app.config["SERVER_NAME"] = "application.lp.com"
+    app.config["SECURITY_REDIRECT_ALLOW_SUBDOMAINS"] = True
+    app.config["SECURITY_REDIRECT_MATCH_SUBDOMAINS"] = ["sub.lp.com"]
+    data = dict(email="[email protected]", password="password")
+    response = client.post("/login?next=http://sub.lp.com", data=data)
+    assert response.status_code == 302
+
+
 def test_authenticate_case_insensitive_email(app, client):
     response = authenticate(client, "[email protected]", follow_redirects=True)
     assert b"Welcome [email protected]" in response.data