From 20fe1ee71b5703fcc4ed698a959ad224fed19623 Mon Sep 17 00:00:00 2001
From: Ahmad Farhat
Date: Mon, 11 Jul 2022 14:29:35 -0400
Subject: [PATCH] Added additional check when redirecting with return_to (#3631)

* Added additional check when redirecting with return_to
* Fixed test
---
 app/controllers/concerns/authenticator.rb | 4 +++-
 spec/controllers/sessions_controller_spec.rb | 2 +-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/app/controllers/concerns/authenticator.rb b/app/controllers/concerns/authenticator.rb
index 88e5e3d813..64ad144518 100644
--- a/app/controllers/concerns/authenticator.rb
+++ b/app/controllers/concerns/authenticator.rb
@@ -50,7 +50,9 @@ def check_email_verified(user)
 dont_redirect_to.push(File.join(ENV['OAUTH2_REDIRECT'], "auth", "openid_connect", "callback"))
 end
 
- url = if cookies[:return_to] && !dont_redirect_to.include?(cookies[:return_to])
+ valid_url = cookies[:return_to] && URI.parse(cookies[:return_to]).host == URI.parse(request.original_url).host
+
+ url = if cookies[:return_to] && valid_url && !dont_redirect_to.include?(cookies[:return_to])
 cookies[:return_to]
 elsif user.role.get_permission("can_create_rooms")
 user.main_room
diff --git a/spec/controllers/sessions_controller_spec.rb b/spec/controllers/sessions_controller_spec.rb
index 366428cd02..ae3e971b11 100644
--- a/spec/controllers/sessions_controller_spec.rb
+++ b/spec/controllers/sessions_controller_spec.rb
@@ -171,7 +171,7 @@
 user = create(:user, provider: "greenlight", password: "Example1!", password_confirmation: 'example')
 
- url = Faker::Internet.domain_name
+ url = "http://test.host/test"
 @request.cookies[:return_to] = url
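Review bot: In the authenticator.rb hunk, `URI.parse(cookies[:return_to])` on the new `valid_url` line runs on a client-controlled cookie value with no rescue, so a malformed value (a space, an unencoded character) raises `URI::InvalidURIError` during login instead of falling through to the default redirect; the removed line only compared strings and could not fail that way. Wrapping the parse in `begin/rescue URI::InvalidURIError` and treating such a value as not redirectable closes that, and the condition on the following `url = if` line can then drop the now-redundant `cookies[:return_to] &&`, since `valid_url` already carries it. Note also that a path-only value such as `/rooms/abc` parses with a nil host and is now rejected, which is a behaviour change if any caller stores a relative path in `return_to` — worth confirming where the cookie is set; the port is not compared either, which is probably acceptable but should be a deliberate choice. The enclosing method starts before the hunk and continues past `user.main_room`, and the `check_email_verified` label in the `@@` header is only git's nearest preceding `def`, which may not be the method that contains these lines.
```ruby
    valid_url = begin
      cookies[:return_to] &&
        URI.parse(cookies[:return_to]).host == URI.parse(request.original_url).host
    rescue URI::InvalidURIError
      false
    end

    url = if valid_url && !dont_redirect_to.include?(cookies[:return_to])
    # … unchanged: cookies[:return_to] / elsif / user.main_room branches …
```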