fix: disallow cross origin/non http protocols for continueUrl on login (#28706)

* fix: disallow cross origin/non http protocols for continueUrl on login * chore: use Route helper * fix: also use Route.continue in pin code prompt * fix: typecheck
2026-06-01 12:38:26 -05:00 · 2026-06-01 12:38:26 -05:00 · 4eb100327e
parent 69b1946484
commit 4eb100327e
3 changed files with 12 additions and 2 deletions
--- a/web/src/lib/route.ts
+++ b/web/src/lib/route.ts
@ -152,4 +152,13 @@ export const Route = {
  // queues
  queues: () => '/admin/queues',
  viewQueue: ({ name }: { name: QueueName }) => `/admin/queues/${asQueueSlug(name)}`,
+
+  // continue helper for ensuring same-origin URLs
+  continue: (url: string | null, fallback: string) => {
+    if (!url || !url.startsWith('/') || url.startsWith('//')) {
+      return fallback;
+    }
+
+    return url;
+  },
 };
--- a/web/src/routes/auth/login/+page.ts
+++ b/web/src/routes/auth/login/+page.ts
@ -8,7 +8,8 @@ import type { PageLoad } from './$types';
 export const load = (async ({ parent, url }) => {
  await parent();

-  const continueUrl = url.searchParams.get('continue') || Route.photos();
+  const continueUrl = Route.continue(url.searchParams.get('continue'), Route.photos());
+
  if (authManager.authenticated) {
    redirect(307, continueUrl);
  }
--- a/web/src/routes/auth/pin-prompt/+page.svelte
+++ b/web/src/routes/auth/pin-prompt/+page.svelte
@ -30,7 +30,7 @@

      await new Promise((resolve) => setTimeout(resolve, 1000));

-      await goto(data.continueUrl);
+      await goto(Route.continue(data.continueUrl, Route.photos()));
    } catch (error) {
      handleError(error, $t('wrong_pin_code'));
      isBadPinCode = true;