[PR #5982] fix(common): prevent open redirect in enter page #5442

Open
opened 2026-03-17 02:53:08 +03:00 by kerem · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/hoppscotch/hoppscotch/pull/5982
Author: @jamesgeorge007
Created: 3/13/2026
Status: 🔄 Open

Base: next ← Head: fix/open-redirect-enter-vue


📝 Commits (3)

  • 5b8f70d fix(common): prevent open redirect in enter page
  • 3ee870d test(common): add unit tests for enter page redirect validation
  • aff808d fix(common): harden redirect validation and align with codebase conventions

📊 Changes

3 files changed (+139 additions, -7 deletions)

View changed files

➕ packages/hoppscotch-common/src/pages/__tests__/enter-redirect.spec.ts (+92 -0)
➕ packages/hoppscotch-common/src/pages/enter-redirect.ts (+24 -0)
📝 packages/hoppscotch-common/src/pages/enter.vue (+23 -7)

📄 Description

Addresses GHSA-27pm-c9ch-746q.

Closes FE-1164.

The redirect query parameter on /enter was passed to new URL() without validation, allowing redirects to arbitrary external domains.

What's changed

  • Gate the redirect block behind platform.organization and !isDefaultCloudInstance, so deployments without org-subdomain support and the default cloud instance skip this path.
  • Add isSignInWithEmailLink guard so /enter only redirects during an actual magic-link auth flow, preventing use as a generic redirector.
  • Reject WHATWG-normalised characters (backslash, tab, newline, carriage-return) before URL parsing to prevent parser bypass vectors.
  • Reject URLs with userinfo (target.username / target.password) to block phishing-pattern redirects.
  • Extract redirect validation into a colocated helper (enter-redirect.ts).
  • Add 18 unit tests covering representative allow/deny and bypass cases.

Notes to reviewers

This preserves the intended cloud org magic-link flow where the user lands on the root domain and is redirected back to the organization subdomain after validation.

Deployments without org-subdomain support, and the default cloud instance, skip this redirect path.

Validate magic link flows for SH and cloud (default instance and org subdomain) to confirm no regression in sign-in behaviour.

| Input | Result |
|---|---|
| `?redirect=example.com` | Blocked |
| `?redirect=hoppscotch.io@example.com` | Blocked |
| `?redirect=acme.hoppscotch.io@hoppscotch.io` | Blocked (userinfo) |
| `?redirect=evil.com%0aacme.hoppscotch.io` | Blocked (control char) |
| `?redirect=example.com.hoppscotch.io.attacker.com` | Blocked (subdomain-confusion) |
| `?redirect=acme.hoppscotch.io/enter` | Allowed |

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
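The validation steps listed under "What's changed", worked through as an added example that is not the PR's own `enter-redirect.ts`. It assumes the caller supplies the root domain, that a scheme-less value is parsed as `https://` + value, and that only org subdomains (not the bare root) are valid targets; the `platform.organization`, `isDefaultCloudInstance` and `isSignInWithEmailLink` gates are app-state checks outside this helper.

```typescript
// Added example, not code from the hoppscotch PR.
type RedirectCheck =
  | { ok: true; target: string }
  | { ok: false; reason: "empty" | "control char" | "unparseable" | "scheme" | "userinfo" | "host" };

// Characters the WHATWG URL parser strips (tab, LF, CR) or rewrites
// (backslash -> slash in special schemes). They are rejected BEFORE parsing:
// "evil.com\nacme.hoppscotch.io" would otherwise parse to the host
// "evil.comacme.hoppscotch.io", which passes a naive suffix check.
const PARSER_NORMALISED = /[\\\t\n\r]/;

function validateOrgRedirect(raw: string, rootDomain: string): RedirectCheck {
  if (raw.length === 0) return { ok: false, reason: "empty" };
  if (PARSER_NORMALISED.test(raw)) return { ok: false, reason: "control char" };

  // Assumption: a value without a scheme is treated as https://<value>.
  const candidate = /^[a-z][a-z0-9+.-]*:\/\//i.test(raw) ? raw : `https://${raw}`;

  let target: URL;
  try {
    target = new URL(candidate);
  } catch {
    return { ok: false, reason: "unparseable" };
  }

  if (target.protocol !== "https:") return { ok: false, reason: "scheme" };

  // "acme.hoppscotch.io@hoppscotch.io" parses as userinfo plus a different
  // host; anything carrying credentials is refused outright.
  if (target.username !== "" || target.password !== "") {
    return { ok: false, reason: "userinfo" };
  }

  // Suffix match on a label boundary, so "example.com.hoppscotch.io.attacker.com"
  // and "evilhoppscotch.io" both fail. Assumption: only subdomains are accepted.
  if (!target.hostname.endsWith(`.${rootDomain}`)) {
    return { ok: false, reason: "host" };
  }

  return { ok: true, target: target.href };
}
```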
