ISS 983 Allow for side redirects with new configuration

CHANGES.rst

@@ -12,6 +12,8 @@ Features & Improvements
 +++++++++++++++++++++++
 - (:issue:`956`) Add support for changing registered user's email (:py:data:`SECURITY_CHANGE_EMAIL`).
 - (:pr:`xxx`) Change default password hash to argon2 (was bcrypt). See below for details.
+- (:issue:`983`) Add new configuration for (:py:data:`SECURITY_REDIRECT_MATCH_SUBDOMAINS`) to allow for
+  more flexible redirect matching.
 
 Fixes
 +++++

docs/configuration.rst

@@ -320,6 +320,29 @@ These configuration keys are used globally across all features.
 
     .. versionadded:: 4.0.0
 
+.. py:data:: SECURITY_REDIRECT_MATCH_SUBDOMAINS
+
+    Define which subdomains are allowed to be redirected to. This is a list of strings
+    that are matched against the subdomain of the redirect target. If the subdomain
+    matches, the redirect is allowed. If the subdomain is not in the list, the redirect
+    is not allowed. This is useful when you have multiple subdomains and you want to
+    restrict the redirect to a specific set of subdomains.
+
+    For security reasons, if this setting is configured then the default behavior of
+    allowing all subdomains of SERVER_NAME is disabled. This setting assumes that you
+    wish to have **explicit** control over your allowed subdomains. If you do not wish this 
+    behavior, then also include an entry that matches your SERVER_NAME variable. I.E. 
+    if SERVER_NAME is 'example.com' then include '.example.com' in the list.
+
+    This setting requires that :py:data:`SECURITY_REDIRECT_ALLOW_SUBDOMAINS` is set to ``True``.
+
+    Examples: ``['.example.com']`` will allow all subdomains of example.com to be redirected to.
+    ``['auth.example.com']`` will only allow the auth.example.com subdomain to be redirected to.
+
+    Default: ``[]``.
+
+    .. versionadded:: 5.4.X
+
 .. py:data:: SECURITY_CSRF_PROTECT_MECHANISMS
 
     Authentication mechanisms that require CSRF protection.

flask_security/core.py

@@ -200,6 +200,7 @@
     "REDIRECT_HOST": None,
     "REDIRECT_BEHAVIOR": None,
     "REDIRECT_ALLOW_SUBDOMAINS": False,
+    "REDIRECT_MATCH_SUBDOMAINS": [],
     "FORGOT_PASSWORD_TEMPLATE": "security/forgot_password.html",
     "LOGIN_USER_TEMPLATE": "security/login_user.html",
     "REGISTER_USER_TEMPLATE": "security/register_user.html",

flask_security/utils.py

@@ -616,17 +616,59 @@ def validate_redirect_url(url: str) -> bool:
     url_base = urlsplit(request.host_url)
     if (url_next.netloc or url_next.scheme) and url_next.netloc != url_base.netloc:
         base_domain = current_app.config.get("SERVER_NAME")
-        if (
-            config_value("REDIRECT_ALLOW_SUBDOMAINS")
-            and base_domain
-            and (
-                url_next.netloc == base_domain
-                or url_next.netloc.endswith(f".{base_domain}")
-            )
-        ):
-            return True
-        else:
-            return False
+
+        # Are we allowed to redirect to other hosts outside of ourself?
+
+        if (config_value("REDIRECT_ALLOW_SUBDOMAINS")):
+            if (config_value("REDIRECT_MATCH_SUBDOMAINS")):
+
+                # This is a list of allowed sub domains, there are two
+                # possible ways to match the subdomain:
+                # 1. The subdomain is in the list of allowed subdomains (strict)
+                # 2. The subdomain starts with a . and the netloc ends with this (loose)
+
+                allowed_subdomains = config_value("REDIRECT_ALLOWED_SUBDOMAINS")
+
+                # Safety check - do we have a list of allowed subdomains?
+
+                if (len(allowed_subdomains) > 0):
+
+                    # First, let's check if we have a direct match to the list.
+
+                    if (url_next.netloc in allowed_subdomains):
+                        return True
+
+                    # Now, let's check for subdomains that start with a dot.
+
+                    else:
+                        for subdomain in allowed_subdomains:
+
+                            # We found a subdomain that starts with a dot.
+                            # Let's check if the netloc ends with this subdomain.
+
+                            if (subdomain.startswith(".") and
+                                    url_next.netloc.endswith(subdomain)):
+
+                                # Gotcha! We found a match.
+
+                                return True
+
+                        # Default to False if we didn't find a match.
+
+                    return False
+
+            # Fall through to the original check if we don't have a list of allowed subdomains.
+
+            if (
+                base_domain
+                and (
+                    url_next.netloc == base_domain
+                    or url_next.netloc.endswith(f".{base_domain}")
+                )
+            ):
+                return True
+            else:
+                return False
     return True
 
 

tests/test_basic.py

@@ -171,6 +171,42 @@ def test_authenticate_with_invalid_subdomain_next(app, client, get_message):
     assert get_message("INVALID_REDIRECT") in response.data
 
 
+def test_authenticate_with_subdomain_fuzzy_match_next(app, client, get_message):
+    app.config["SERVER_NAME"] = "lp.com"
+    app.config["SECURITY_REDIRECT_ALLOW_SUBDOMAINS"] = True
+    app.config["SECURITY_REDIRECT_MATCH_SUBDOMAINS"] = ['.lp.com']
+    data = dict(email="[email protected]", password="password")
+    response = client.post("/login?next=http://sub.lp.com", data=data)
+    assert response.status_code == 302
+
+
+def test_authenticate_with_subdomain_fuzzy_match_next_invalid(app, client, get_message):
+    app.config["SERVER_NAME"] = "lp.com"
+    app.config["SECURITY_REDIRECT_ALLOW_SUBDOMAINS"] = True
+    app.config["SECURITY_REDIRECT_MATCH_SUBDOMAINS"] = ['foo.lp.com']
+    data = dict(email="[email protected]", password="password")
+    response = client.post("/login?next=http://sub.lp.net", data=data)
+    assert get_message("INVALID_REDIRECT") in response.data
+
+
+def test_authenticate_with_subdomain_fuzzy_match_next_strict(app, client, get_message):
+    app.config["SERVER_NAME"] = "lp.com"
+    app.config["SECURITY_REDIRECT_ALLOW_SUBDOMAINS"] = True
+    app.config["SECURITY_REDIRECT_MATCH_SUBDOMAINS"] = ['sub.lp.com']
+    data = dict(email="[email protected]", password="password")
+    response = client.post("/login?next=http://sub.lp.com", data=data)
+    assert response.status_code == 302
+
+
+def test_authenticate_with_subdomain_fuzzy_match_next_strict_invalid(app, client, get_message):
+    app.config["SERVER_NAME"] = "lp.com"
+    app.config["SECURITY_REDIRECT_ALLOW_SUBDOMAINS"] = True
+    app.config["SECURITY_REDIRECT_MATCH_SUBDOMAINS"] = ['foo.lp.com']
+    data = dict(email="[email protected]", password="password")
+    response = client.post("/login?next=http://sub.lp.com", data=data)
+    assert get_message("INVALID_REDIRECT") in response.data
+
+
 def test_authenticate_with_subdomain_next_default_config(app, client, get_message):
     app.config["SERVER_NAME"] = "lp.com"
     data = dict(email="[email protected]", password="password")