Fix code scanning alert no. 19: URL redirection from remote source

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
TreyWW · Oct 19, 2024 · 2a165e3 · 2a165e3
1 parent a13ffa6
commit 2a165e3
Showing 1 changed file with 8 additions and 4 deletions.
diff --git a/backend/core/views/auth/passwords/generate.py b/backend/core/views/auth/passwords/generate.py
@@ -7,6 +7,7 @@
 from django.shortcuts import redirect
 from django.urls import reverse, resolve, NoReverseMatch
 from django.utils import timezone
+from django.utils.http import url_has_allowed_host_and_scheme
 
 from backend.models import User, PasswordSecret
 from backend.core.models import RandomCode
@@ -50,10 +51,13 @@ def set_password_generate(request: HtmxHttpRequest):
         f'Successfully created a code. <a href="{reverse("user set password", args=(CODE,))}">{CODE}</a>',
     )
 
-    try:
-        resolve(NEXT)
-        return redirect(NEXT)
-    except NoReverseMatch:
+    if url_has_allowed_host_and_scheme(NEXT, allowed_hosts=None):
+        try:
+            resolve(NEXT)
+            return redirect(NEXT)
+        except NoReverseMatch:
+            return redirect("dashboard")
+    else:
         return redirect("dashboard")