fix(web): prevent XSS via OAuth redirect URL validation

- Add validateOAuthRedirectUrl() utility to block dangerous protocols
  (javascript:, data:, vbscript:) while allowing safe ones (http:,
  https:, custom app protocols like cursor://, vscode://, claude://)
- Validate redirect URLs in consentScreen.tsx before window.location.href
  navigation for both approve and deny flows
- Remove error message interpolation in toast descriptions to prevent
  XSS via exception text (now uses static error messages)
- Validate redirect URL in oauth/complete/page.tsx before navigation
- Add comprehensive unit tests for the new validation function

Fixes CodeQL alert #33: js/xss-through-exception

Co-authored-by: Michael Sukkarieh <msukkari@users.noreply.github.com>

Author: cursoragent

packages/web/src/app/oauth/authorize/components/consentScreen.tsx

@@ -2,7 +2,7 @@
 
 import { approveAuthorization, denyAuthorization } from '@/ee/features/oauth/actions';
 import { LoadingButton } from '@/components/ui/loading-button';
-import { isServiceError } from '@/lib/utils';
+import { isServiceError, validateOAuthRedirectUrl } from '@/lib/utils';
 import { ClientIcon } from './clientIcon';
 import Image from 'next/image';
 import logo from '@/public/logo_512.png';
@@ -44,16 +44,24 @@ export function ConsentScreen({
         setPending('approve');
         const result = await approveAuthorization({ clientId, redirectUri, codeChallenge, resource, state });
         if (!isServiceError(result)) {
-            toast({
-                description: `✅ Authorization approved successfully. Redirecting...`,
-            });
-            window.location.href = result;
+            const validatedUrl = validateOAuthRedirectUrl(result);
+            if (validatedUrl) {
+                toast({
+                    description: `✅ Authorization approved successfully. Redirecting...`,
+                });
+                window.location.href = validatedUrl;
+            } else {
+                toast({
+                    description: '❌ Invalid redirect URL. Authorization could not be completed.',
+                });
+                setPending(null);
+            }
         } else {
             toast({
-                description: `❌ Failed to approve authorization. ${result.message}`,
+                description: '❌ Failed to approve authorization. Please try again.',
             });
+            setPending(null);
         }
-        setPending(null);
     };
 
     const onDeny = async () => {
@@ -64,7 +72,15 @@ export function ConsentScreen({
             setPending(null);
             return;
         }
-        window.location.href = result;
+        const validatedUrl = validateOAuthRedirectUrl(result);
+        if (validatedUrl) {
+            window.location.href = validatedUrl;
+        } else {
+            toast({
+                description: '❌ Invalid redirect URL. Could not complete the request.',
+            });
+            setPending(null);
+        }
     };
 
     return (

packages/web/src/app/oauth/complete/page.tsx

@@ -1,18 +1,35 @@
 'use client';
 
-import { useEffect } from 'react';
+import { useEffect, useState } from 'react';
+import { validateOAuthRedirectUrl } from '@/lib/utils';
 
 // Handles the final redirect after OAuth authorization. For http/https redirect URIs,
 // a server-side redirect is sufficient. For custom protocol URIs (e.g. cursor://, claude://),
 // browsers won't follow HTTP redirects, so we use window.location.href instead.
 export default function OAuthCompletePage() {
+    const [error, setError] = useState<string | null>(null);
+
     useEffect(() => {
         const url = new URLSearchParams(window.location.search).get('url');
         if (url) {
-            window.location.href = decodeURIComponent(url);
+            const decodedUrl = decodeURIComponent(url);
+            const validatedUrl = validateOAuthRedirectUrl(decodedUrl);
+            if (validatedUrl) {
+                window.location.href = validatedUrl;
+            } else {
+                setError('Invalid redirect URL. The authorization could not be completed.');
+            }
         }
     }, []);
 
+    if (error) {
+        return (
+            <div className="min-h-screen flex items-center justify-center bg-background">
+                <p className="text-sm text-destructive">{error}</p>
+            </div>
+        );
+    }
+
     return (
         <div className="min-h-screen flex items-center justify-center bg-background">
             <p className="text-sm text-muted-foreground">Redirecting, you may close this window...</p>

packages/web/src/lib/utils.test.ts

@@ -0,0 +1,63 @@
+import { expect, test, describe } from 'vitest';
+import { validateOAuthRedirectUrl } from './utils';
+
+describe('validateOAuthRedirectUrl', () => {
+    describe('blocks dangerous protocols', () => {
+        test('rejects javascript: protocol', () => {
+            expect(validateOAuthRedirectUrl('javascript:alert(1)')).toBeNull();
+            expect(validateOAuthRedirectUrl('JavaScript:alert(1)')).toBeNull();
+            expect(validateOAuthRedirectUrl('JAVASCRIPT:alert(document.cookie)')).toBeNull();
+        });
+
+        test('rejects data: protocol', () => {
+            expect(validateOAuthRedirectUrl('data:text/html,<script>alert(1)</script>')).toBeNull();
+            expect(validateOAuthRedirectUrl('DATA:text/html,test')).toBeNull();
+        });
+
+        test('rejects vbscript: protocol', () => {
+            expect(validateOAuthRedirectUrl('vbscript:msgbox(1)')).toBeNull();
+            expect(validateOAuthRedirectUrl('VBScript:test')).toBeNull();
+        });
+    });
+
+    describe('allows safe protocols', () => {
+        test('allows https: protocol', () => {
+            const result = validateOAuthRedirectUrl('https://example.com/callback?code=abc');
+            expect(result).toBe('https://example.com/callback?code=abc');
+        });
+
+        test('allows http: protocol', () => {
+            const result = validateOAuthRedirectUrl('http://localhost:3000/callback');
+            expect(result).toBe('http://localhost:3000/callback');
+        });
+
+        test('allows custom app protocols (cursor://)', () => {
+            const result = validateOAuthRedirectUrl('cursor://callback?code=abc');
+            expect(result).toBe('cursor://callback?code=abc');
+        });
+
+        test('allows custom app protocols (vscode://)', () => {
+            const result = validateOAuthRedirectUrl('vscode://callback?code=abc');
+            expect(result).toBe('vscode://callback?code=abc');
+        });
+
+        test('allows custom app protocols (claude://)', () => {
+            const result = validateOAuthRedirectUrl('claude://callback');
+            expect(result).toBe('claude://callback');
+        });
+    });
+
+    describe('handles invalid URLs', () => {
+        test('rejects malformed URLs', () => {
+            expect(validateOAuthRedirectUrl('not a valid url')).toBeNull();
+            expect(validateOAuthRedirectUrl('')).toBeNull();
+        });
+    });
+
+    describe('normalizes URLs', () => {
+        test('returns normalized URL string', () => {
+            const result = validateOAuthRedirectUrl('https://example.com:443/path');
+            expect(result).toBe('https://example.com/path');
+        });
+    });
+});

packages/web/src/lib/utils.ts

@@ -589,4 +589,34 @@ export const isHttpError = (error: unknown, status: number): boolean => {
         && typeof error === 'object'
         && 'status' in error
         && error.status === status;
+}
+
+/**
+ * Validates an OAuth redirect URL to prevent open redirect and javascript: URI attacks.
+ * Returns the validated URL if safe, or null if the URL is potentially malicious.
+ *
+ * Allowed protocols:
+ * - https: (standard web URLs)
+ * - http: (for localhost/development only)
+ * - Custom protocols registered by OAuth clients (e.g., vscode://, cursor://, claude://)
+ *
+ * Blocked protocols:
+ * - javascript: (XSS attack vector)
+ * - data: (can execute scripts)
+ * - vbscript: (legacy attack vector)
+ */
+export const validateOAuthRedirectUrl = (url: string): string | null => {
+    try {
+        const parsed = new URL(url);
+        const protocol = parsed.protocol.toLowerCase();
+
+        const dangerousProtocols = ['javascript:', 'data:', 'vbscript:'];
+        if (dangerousProtocols.includes(protocol)) {
+            return null;
+        }
+
+        return parsed.toString();
+    } catch {
+        return null;
+    }
 }