I had a Python application which was redirecting users to other external websites once the authentication was completed. Even after having many checks for the URL, it was unable to stop the redirection; I had to switch to a new library named "Oauth".
Google.com was added manually to the URL and it was redirecting to google.com (phishing attack).
Below is the code with which I tried to fix the redirection:
from urllib.parse import urlparse
from flask import abort, request

# app, oidc (flask-oidc) and logger are the application's own objects, set up elsewhere
@app.route('/oidc/callback')
def callback():
    state = request.args.get('state')
    base_url = request.host_url
    logger.debug(f"Callback called with state: {state}")
    # Check if state is None or empty
    if not state:
        logger.debug("State is None or empty, redirecting to root URL")
        return oidc.redirect_to_auth_server('/')
    # Check if state is a relative URL
    parsed_url = urlparse(state)
    if parsed_url.netloc == '' and state.startswith('/'):
        # Ensure the state is safe to redirect to
        # (url_is_safe is the application's own helper; its definition is not included here)
        if url_is_safe(state, base_url):
            logger.debug(f"State is a safe relative URL: {state}, redirecting to it")
            return oidc.redirect_to_auth_server(state)
        else:
            logger.debug(f"State is not a safe relative URL: {state}, aborting with 400")
            return abort(400)  # Bad request
    # If state is not a relative URL, ignore it and redirect to the root URL
    logger.debug(f"State is not a relative URL: {state}, redirecting to root URL")
    return oidc.redirect_to_auth_server('/')
So, for example, I was getting the redirection when I had this URL: https://localhost:8000/login?next=https%3A%2F%2Fgoogle.com%2F
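As an added example (not code from the issue or from any library it mentions), a stdlib-only validator for a `next`/`state` value that rejects the `https%3A%2F%2Fgoogle.com%2F` case quoted above and also the protocol-relative and backslash variants; the function names and the `host_url` parameter are my own.

```python
from urllib.parse import parse_qs, urlparse, urlsplit

def is_safe_redirect_target(target, host_url=None):
    """Accept only same-site redirect targets.

    Allowed: a relative path such as '/account?x=1' and, when host_url is
    given, an absolute URL whose scheme and host match host_url exactly.
    Rejected: other hosts, protocol-relative '//evil', backslash variants
    '/\\evil', bare 'foo' paths, schemes such as 'javascript:', and any
    whitespace or control characters.
    """
    if not target or any(ch.isspace() or ord(ch) < 0x20 for ch in target):
        return False
    # Browsers treat '\' like '/', so '/\evil.com' must be judged as '//evil.com'
    normalized = target.replace("\\", "/")
    parsed = urlparse(normalized)
    if parsed.scheme == "" and parsed.netloc == "":
        # Relative form: a single-slash path, never '//host' (urlparse gives '///x' an empty netloc)
        return normalized.startswith("/") and not normalized.startswith("//")
    if host_url is None:
        return False
    base = urlparse(host_url)
    # Compare the whole netloc, so 'https://localhost:8000@evil.com' and
    # 'https://localhost:8000.evil.com' both fail against 'https://localhost:8000/'
    return parsed.scheme == base.scheme and parsed.netloc.lower() == base.netloc.lower()

def resolve_next(next_param, host_url=None, default="/"):
    """Return the redirect target to use, or default when it is missing or unsafe.

    next_param is the already-decoded query value (what Flask's request.args
    returns); it is deliberately not decoded again, because double decoding
    lets '%252F%252Fevil' pass a check and then become '//evil'.
    """
    if next_param is None:
        return default
    return next_param if is_safe_redirect_target(next_param, host_url) else default

def next_from_login_url(login_url, default="/"):
    """Validate 'next' from a full login URL like the one quoted in the issue."""
    parts = urlsplit(login_url)
    host_url = f"{parts.scheme}://{parts.netloc}/"
    values = parse_qs(parts.query).get("next")  # parse_qs percent-decodes once
    return resolve_next(values[0] if values else None, host_url, default)
```

With the issue's URL, `next_from_login_url` falls back to `/` instead of sending the user to google.com.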