Copilot AI commented Jan 29, 2026

Summary

This PR fixes open redirect vulnerabilities in several controllers by validating the _redirect parameter before using it for redirects.

Changes Made

  • Create RedirectUrlValidationTrait in ResourceBundle/Controller to provide reusable redirect URL validation
  • Update FrontendController to use the trait
  • Update StorageListController to use the trait
  • Apply validation to all _redirect parameter usage in:
    • RegisterController::registerAction
    • CustomerController::addressAction
    • CartController::addItemAction
    • StorageListController::addItemAction

Security Measures

The validateRedirectUrl method ensures that redirect URLs are safe by:

  1. Allowing safe relative URLs - Paths starting with / (but not //) are allowed
  2. Rejecting protocol-relative URLs - Blocks //evil.com style URLs
  3. Validating absolute URLs - Only allows same-host URLs with http or https schemes
  4. Blocking dangerous schemes - Rejects javascript:, data:, vbscript:, file:, etc.
  5. Preventing URL manipulation - Blocks URLs with @ characters
  6. Sanitizing relative URLs - Rejects relative URLs containing backslashes or control characters

Original prompt

This section details the original issue you should resolve

<issue_title>Open Redirects</issue_title>
<issue_description>Problem Statement
Several controllers do not validate redirect targets.

Description

  • The _redirect parameter can be set arbitrarily.
  • So far, no redirects have been identified that exfiltrate sensitive data.

Impact

  • Currently no proven exploitation.
  • Potential security risk in case of future changes or extensions.

Mitigation

  • Enforce an allowlist for redirect targets.
  • Require relative URLs only.

@raphael-kat @papillo-solutions</issue_description>

Comments on the Issue (you are @copilot in this section)

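The six rules in the "Security Measures" list above, as an added example in plain PHP 8 (this is not the PR's RedirectUrlValidationTrait or any of the project's code); the Symfony Request argument is replaced by an assumed explicit host string so the file runs without the framework, and the sample inputs are constructed:

```php
<?php
// Added example, not the PR's RedirectUrlValidationTrait: the six rules listed
// under "Security Measures" as one pure function. $requestHost stands in for
// Symfony's $request->getHost() so the file runs without the framework.
function validateRedirectUrl(string $url, string $requestHost, string $default): string
{
    $url = trim($url);
    if ($url === '') {
        return $default;
    }
    // Rule 5: "https://shop.example@evil.example/" sends the browser to evil.example.
    if (str_contains($url, '@')) {
        return $default;
    }
    if ($url[0] === '/') {
        // Rules 1, 2, 6: single leading "/", no "//", no backslash (browsers
        // treat "/\evil.example" as "//evil.example"), no control characters.
        if (str_starts_with($url, '//') || str_contains($url, '\\')
            || preg_match('/[\x00-\x1F\x7F]/', $url) === 1) {
            return $default;
        }
        return $url;
    }
    // Rules 3, 4: anything else must be an absolute http(s) URL on our own host,
    // which also rejects javascript:, data:, vbscript:, file: and bare hostnames.
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return $default;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return $default;
    }
    return strcasecmp($parts['host'], $requestHost) === 0 ? $url : $default;
}

// Constructed inputs, one per rule; the expected value is the second element.
$cases = [
    ['/checkout',                          '/checkout'],
    ['//evil.example/',                    '/'],
    ['https://shop.example/cart',          'https://shop.example/cart'],
    ['https://evil.example/cart',          '/'],
    ['javascript:alert(1)',                '/'],
    ['https://shop.example@evil.example/', '/'],
    ["/\\evil.example",                    '/'],
    ["/cart\r\nSet-Cookie: a=b",           '/'],
];
foreach ($cases as [$input, $expected]) {
    $got = validateRedirectUrl($input, 'shop.example', '/');
    printf("%-38s -> %-27s %s\n", addcslashes($input, "\0..\37\\"), $got, $got === $expected ? 'ok' : 'MISMATCH');
}
```

Note that the host comparison ignores the port, so a same-host URL on another port passes; tighten it to compare `$parts['port']` as well if that matters for your deployment.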


Copilot AI and others added 2 commits January 29, 2026 11:56
Co-authored-by: dpfaffenbauer <5981845+dpfaffenbauer@users.noreply.github.com>
…haracters

Co-authored-by: dpfaffenbauer <5981845+dpfaffenbauer@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix open redirects in controller validation Fix open redirect vulnerabilities in redirect parameter handling Jan 29, 2026
Copilot AI requested a review from dpfaffenbauer January 29, 2026 12:01
*
* @return string The validated URL or the default if invalid
*/
protected function validateRedirectUrl(Request $request, string $url, string $default): string
Member


@copilot feels a bit weird that Symfony doesn't provide anything like this?

Member


@copilot and you also duplicated it

Author


Symfony's HttpUtils class handles authentication-related redirects internally but doesn't expose a public method for general open redirect validation. The Security component's TargetPathTrait stores/retrieves redirect paths but doesn't validate them.

For arbitrary redirect parameters like _redirect, there's no built-in Symfony utility - custom validation is the standard approach. OWASP and Symfony security best practices recommend validating that redirects are either relative paths or same-origin URLs, which is what this implementation does.

Author


Extracted the method into RedirectUrlValidationTrait in ResourceBundle/Controller. Both FrontendController and StorageListController now use this trait. (30441bd)

Author

Copilot AI commented Jan 29, 2026

Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • symfony.com
    • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node /home/REDACTED/work/_temp/ghcca-node/node/bin/node --enable-source-maps /home/REDACTED/work/_temp/copilot-developer-action-main/dist/index.js (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

@dpfaffenbauer
Member

@copilot try again

…duplication

Co-authored-by: dpfaffenbauer <5981845+dpfaffenbauer@users.noreply.github.com>