hub: make redirecting in krb5login safer

Originally, the krb5login page would allow redirects to any URLs, e.g.
to Google using http://$HOSTNAME/auth/krb5login/?next=//www.google.com.

This commit implements similar sanitization of REDIRECT_FIELD_NAME like Django
does in its LoginView.

Related: https://github.com/django/django/blob/8fcb9f1f106cf60d953d88aeaa412cc625c60029/django/contrib/auth/views.py#L43C18-L43C18

Author: lzaoral

kobo/admin/templates/hub/settings.py.template

@@ -84,6 +84,10 @@ SECRET_KEY = ''
 # Ensure db transactions
 ATOMIC_REQUESTS = True
 
+# Default redirects for unsafe login redirections
+LOGIN_REDIRECT_URL = 'home/index'
+LOGOUT_REDIRECT_URL = 'home/index'
+
 # List of callables that know how to import templates from various sources.
 TEMPLATE_LOADERS = (
     ('django.template.loaders.cached.Loader', (

kobo/hub/views.py

@@ -11,6 +11,12 @@
 from django.urls import reverse
 from django.views.generic import RedirectView
 
+from kobo.django.django_version import django_version_ge
+if django_version_ge('3.2.0'):
+    from django.utils.http import url_has_allowed_host_and_scheme
+else:
+    from django.utils.http import is_safe_url as url_has_allowed_host_and_scheme
+
 from kobo.hub.models import Arch, Channel, Task
 from kobo.hub.forms import TaskSearchForm
 from kobo.django.views.generic import ExtraDetailView, SearchView, UsersAclMixin
@@ -241,11 +247,16 @@ def krb5login(request, redirect_field_name=REDIRECT_FIELD_NAME):
     middleware = 'kobo.django.auth.middleware.LimitedRemoteUserMiddleware'
     if middleware not in settings.MIDDLEWARE:
         raise ImproperlyConfigured("krb5login view requires '%s' middleware installed" % middleware)
-    redirect_to = request.POST.get(redirect_field_name, "")
-    if not redirect_to:
-        redirect_to = request.GET.get(redirect_field_name, "")
-    if not redirect_to:
-        redirect_to = reverse("home/index")
+
+    redirect_to = request.POST.get(redirect_field_name, request.GET.get(redirect_field_name))
+    url_is_safe = url_has_allowed_host_and_scheme(
+            url=redirect_to,
+            allowed_hosts=request.get_host(),
+            require_https=request.is_secure(),
+    )
+    if not url_is_safe:
+        redirect_to = reverse(settings.LOGIN_REDIRECT_URL)
+
     return RedirectView.as_view(url=redirect_to, permanent=True)(request)
 
 def oidclogin(request):

tests/settings.py

@@ -20,6 +20,10 @@
 UPLOAD_DIR = UPLOAD_DIR_OBJ.name
 WORKER_DIR = WORKER_DIR_OBJ.name
 
+# Default redirects for unsafe login redirections
+LOGIN_REDIRECT_URL = 'home/index'
+LOGOUT_REDIRECT_URL = 'home/index'
+
 # The middleware and apps below are the bare minimum required
 # to let kobo.hub load successfully
 

tests/test_views.py

@@ -58,7 +58,7 @@ def test_krb5login_redirect_to(self):
 
     def test_logout(self):
         response = self.client.get('/auth/logout/')
-        self.assertEqual(response.status_code, 200)
+        self.assertIn(response.status_code, [200, 302])
         self.client.post('/auth/login/', self.credentials)
         self.client.logout()
         self.assertFalse(self.client.session.get("_auth_user_id"))