Fix code scanning alert no. 235: URL redirection from remote source
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
1 parent 945fdf8 commit ef1a1a2
Showing 1 changed file with 3 additions and 2 deletions.
5 changes: 3 additions & 2 deletions src/Web/Grand.Web/Controllers/CommonController.cs
Expand Up @@ -316,7 +316,8 @@ public virtual async Task<IActionResult> SetStoreTheme(
[FromServices] StoreInformationSettings storeInformationSettings,
[FromServices] IThemeContextFactory themeContextFactory, string themeName, string returnUrl = "")
{
if (!storeInformationSettings.AllowCustomerToSelectTheme) return Redirect(returnUrl);
var validUrls = new List<string> { Url.RouteUrl("HomePage"), Url.RouteUrl("AnotherPage") }; // Add other valid URLs here
if (!storeInformationSettings.AllowCustomerToSelectTheme) return Redirect(validUrls.Contains(returnUrl) ? returnUrl : Url.RouteUrl("HomePage"));

Code scanning / CodeQL warning (Medium): URL redirection from remote source. Untrusted URL redirection due to user-provided value.
var themeContext = themeContextFactory.GetThemeContext("");
if (themeContext != null) await themeContext.SetTheme(themeName);
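Review bot: The exact-match allowlist introduced on lines 19-20 will send almost every real `returnUrl` to the home page, since only the two route URLs it contains can ever match, and the CodeQL annotation attached to the new line 20 shows the alert is still raised after the change. The second entry, `Url.RouteUrl("AnotherPage")` with its `// Add other valid URLs here` comment, is a placeholder: if no route named `AnotherPage` exists it evaluates to `null`, and either way it should not be merged as is. The usual fix for this pattern in ASP.NET Core is to guard the early return with `Url.IsLocalUrl(returnUrl)`, e.g. `return Redirect(Url.IsLocalUrl(returnUrl) ? returnUrl : Url.RouteUrl("HomePage"));`, which keeps the return-to-previous-page behaviour while rejecting absolute and protocol-relative URLs; that also matches the intent of the `//prevent open redirection attack` block further down this method, which the original early return bypassed.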
Expand All @@ -325,7 +326,7 @@ public virtual async Task<IActionResult> SetStoreTheme(
await _mediator.Publish(new ChangeThemeEvent(_workContext.CurrentCustomer, themeName));

//home page
if (string.IsNullOrEmpty(returnUrl))
if (string.IsNullOrEmpty(returnUrl) || !validUrls.Contains(returnUrl))
returnUrl = Url.RouteUrl("HomePage");

//prevent open redirection attack
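Review bot: The added `|| !validUrls.Contains(returnUrl)` on line 39 makes the `//prevent open redirection attack` check that immediately follows unreachable for anything except the two allowlisted route URLs, so the method now carries two overlapping redirect guards with different rules. Keep a single check: either drop this condition and let the existing open-redirect block handle `returnUrl`, or, if the allowlist is really wanted, remove the now-redundant block below so future readers are not misled about which check is in force.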
