Safe redirect action

core/src/client/AssayDesigner/AssayDesigner.tsx

@@ -140,8 +140,9 @@ export class App extends React.Component<any, State> {
 
     navigate(defaultUrl: string) {
         this._dirty = false;
-
-        window.location.href = this.state.returnUrl || defaultUrl;
+        const redirectUrl = this.state.returnUrl || defaultUrl;
+        // TODO refactor this and other usages in platform/core/src/client to a helper safeRedirect() function from @labkey/components
+        window.location.href = ActionURL.buildURL('core', 'safeRedirect', undefined, { returnUrl: redirectUrl });
     }
 
     onCancel = (): void => {

core/src/client/DataClassDesigner/DataClassDesigner.tsx

@@ -68,9 +68,8 @@ class DataClassDesignerWrapper extends React.Component<any, State> {
 
     navigate(defaultUrl: string) {
         this._dirty = false;
-
-        const returnUrl = ActionURL.getReturnUrl();
-        window.location.href = returnUrl || defaultUrl;
+        const redirectUrl = ActionURL.getReturnUrl() || defaultUrl;
+        window.location.href = ActionURL.buildURL('core', 'safeRedirect', undefined, { returnUrl: redirectUrl });
     }
 
     onCancel = () => {

core/src/client/DatasetDesigner/DatasetDesigner.tsx

@@ -66,9 +66,8 @@ class DatasetDesigner extends PureComponent<any, State> {
 
     navigate(defaultUrl: string): void {
         this._dirty = false;
-
-        const returnUrl = ActionURL.getReturnUrl();
-        window.location.href = returnUrl || defaultUrl;
+        const redirectUrl = ActionURL.getReturnUrl() || defaultUrl;
+        window.location.href = ActionURL.buildURL('core', 'safeRedirect', undefined, { returnUrl: redirectUrl });
     }
 
     navigateOnComplete(model: DatasetModel): void {

core/src/client/DomainDesigner/DomainDesigner.tsx

@@ -161,9 +161,8 @@ class DomainDesigner extends React.PureComponent<any, Partial<IAppState>> {
 
     navigate = (): void => {
         this._dirty = false;
-
-        const returnUrl = ActionURL.getReturnUrl();
-        window.location.href = returnUrl || ActionURL.buildURL('project', 'begin', getServerContext().container.path);
+        const redirectUrl = ActionURL.getReturnUrl() || ActionURL.buildURL('project', 'begin', getServerContext().container.path);
+        window.location.href = ActionURL.buildURL('core', 'safeRedirect', undefined, { returnUrl: redirectUrl });
     };
 
     renderWarningConfirm() {

core/src/client/IssuesListDesigner/IssuesListDesigner.tsx

@@ -81,9 +81,8 @@ class IssuesListDesigner extends React.Component<{}, State> {
 
     navigate = (defaultUrl: string) => {
         this._dirty = false;
-
-        const returnUrl = ActionURL.getReturnUrl();
-        window.location.href = returnUrl || defaultUrl;
+        const redirectUrl = ActionURL.getReturnUrl() || defaultUrl;
+        window.location.href = ActionURL.buildURL('core', 'safeRedirect', undefined, { returnUrl: redirectUrl });
     };
 
     onComplete = (model: IssuesListDefModel) => {

core/src/client/ListDesigner/ListDesigner.tsx

@@ -104,8 +104,8 @@ export class ListDesigner extends React.Component<Props, State> {
 
     navigate = async (returnUrlProvider: () => Promise<string>, model?: ListModel): Promise<void> => {
         this._dirty = false;
-
-        window.location.href = this.getReturnUrl(model) ?? (await returnUrlProvider());
+        const redirectUrl = this.getReturnUrl(model) ?? (await returnUrlProvider());
+        window.location.href = ActionURL.buildURL('core', 'safeRedirect', undefined, { returnUrl: redirectUrl });
     };
 
     getReturnUrl = (model?: ListModel): string => {

core/src/client/SampleTypeDesigner/SampleTypeDesigner.tsx

@@ -137,9 +137,8 @@ class SampleTypeDesignerWrapper extends React.PureComponent<any, State> {
 
     navigate(defaultUrl: string) {
         this._dirty = false;
-
-        const returnUrl = ActionURL.getReturnUrl();
-        window.location.href = returnUrl || defaultUrl;
+        const redirectUrl = ActionURL.getReturnUrl() || defaultUrl;
+        window.location.href = ActionURL.buildURL('core', 'safeRedirect', undefined, { returnUrl: redirectUrl });
     }
 
     render() {

core/src/org/labkey/core/CoreController.java

@@ -35,7 +35,9 @@
 import org.labkey.api.action.ExportAction;
 import org.labkey.api.action.MutatingApiAction;
 import org.labkey.api.action.ReadOnlyApiAction;
+import org.labkey.api.action.ReturnUrlForm;
 import org.labkey.api.action.SimpleApiJsonForm;
+import org.labkey.api.action.SimpleRedirectAction;
 import org.labkey.api.action.SimpleViewAction;
 import org.labkey.api.action.SpringActionController;
 import org.labkey.api.admin.AbstractFolderContext.ExportType;
@@ -204,10 +206,6 @@
 
 import static org.labkey.api.view.template.WarningService.SESSION_WARNINGS_BANNER_KEY;
 
-/**
- * User: jeckels
- * Date: Jan 4, 2007
- */
 public class CoreController extends SpringActionController
 {
     private static final Map<Container, Content> _customStylesheetCache = new ConcurrentHashMap<>();
@@ -2908,4 +2906,16 @@ public void setProvider(String provider)
 
     }
 
+    // Called by various client components to ensure safe redirects, GitHub Issue #1023. This action redirects to
+    // local URLs only, never to an external site, even if the host is on the "Allowed External Redirect Hosts" list.
+    @SuppressWarnings("unused")
+    @RequiresNoPermission
+    public static class SafeRedirectAction extends SimpleRedirectAction<ReturnUrlForm>
+    {
+        @Override
+        public ActionURL getRedirectURL(ReturnUrlForm form) throws Exception
+        {
+            return form.getReturnActionURL(AppProps.getInstance().getHomePageActionURL());
+        }
+    }
 }