fix(auth): prevent open redirect via unvalidated post-login redirect URL#2961

Open
Copilot wants to merge 3 commits into master from copilot/fix-open-redirect-vulnerability

Conversation

Contributor

Copilot AI commented Mar 18, 2026

AuthService.getRedirectUrl accepted any URL stored during OAuth initiation, enabling an attacker to craft a login link (?url=https://evil.com) that silently redirects users to an external site after successful GitHub authentication.

Changes

  • auth.service.ts — getRedirectUrl now only returns relative paths (/foo/bar). Protocol-relative (//evil.com) and absolute URLs fall back to /. Malformed percent-encoding is caught and also falls back to /.
// before
public getRedirectUrl(loginData?: LoginData) {
  return loginData?.redirectUrl ? decodeURIComponent(loginData.redirectUrl) : '/';
}

// after
public getRedirectUrl(loginData?: LoginData) {
  if (!loginData?.redirectUrl) return '/';
  let url: string;
  try {
    url = decodeURIComponent(loginData.redirectUrl);
  } catch {
    return '/';
  }
  if (url.startsWith('/') && !url.startsWith('//')) return url;
  return '/';
}
  • auth.service.spec.ts — Unit tests covering: valid relative paths, percent-decoded paths, blocked absolute URLs, blocked protocol-relative URLs, and malformed encoding.

Self-Check:

  • Database migration added (if required)
  • Changes tested locally
Original prompt

This section details the original issue you should resolve

<issue_title>[Security] Open Redirect Vulnerability in GitHub Auth Flow (github.strategy.ts)</issue_title>
<issue_description># Vulnerability Report: Open Redirect in Authentication Flow
Target: rsschool-app
Vulnerability Type: Open Redirect (CWE-601)
Severity: Medium (Phishing Vector)
Status: Confirmed via Source Code Analysis

Vulnerability Details

The application allows an unvalidated url query parameter to determine the redirect destination after a successful GitHub authentication. An attacker can construct a malicious link that, once the user logs in, redirects them to an attacker-controlled website.

1. Source: Insecure Storage of Redirect URL

In nestjs/src/auth/strategies/github.strategy.ts, the authenticate method captures the url query parameter without any validation or allow-listing.

// nestjs/src/auth/strategies/github.strategy.ts:28
const { url, code } = req.query;

if (!code) {
  const id = await this.authService.createLoginState({
    data: {
      redirectUrl: url as string, // <--- EXPLOIT: Arbitrary URL accepted here
    },
    expires: dayjs().add(1, 'hour').toISOString(),
  });
  opts.state = id;
}

2. Sink: Unvalidated Redirect

In nestjs/src/auth/auth.controller.ts, after the GitHub callback is processed, the application redirects the user to the stored redirectUrl.

// nestjs/src/auth/auth.controller.ts:66
res.redirect(this.authService.getRedirectUrl(loginState));

The AuthService.getRedirectUrl merely decodes it, providing no security check:

public getRedirectUrl(loginData?: LoginData) {
  return loginData?.redirectUrl ? decodeURIComponent(loginData.redirectUrl) : '/';
}

Proof of Concept (PoC)

  1. Attacker Link:
    https://app.rs.school/api/auth/github/login?url=https://evil-phishing-site.com
  2. User Action: User clicks the link.
  3. Authentication: User is redirected to GitHub to sign in.
  4. Exploit: After signing in, the application mistakenly redirects the user to https://evil-phishing-site.com instead of the application dashboard.
  5. Impact: The attacker can display a fake "Session Expired" page on evil-phishing-site.com to steal the user's credentials or trick them into downloading malware.

Remediation

Allow-list Strategy:
Validate the url parameter against a list of trusted domains or ensure it is a relative path.

// Recommended Fix
if (url && !url.startsWith('/') && !url.startsWith('https://rs.school')) {
  throw new BadRequestException('Invalid redirect URL');
}

</issue_description>

<agent_instructions>prepare fix</agent_instructions>

Comments on the Issue (you are @copilot in this section)



Co-authored-by: apalchys <618807+apalchys@users.noreply.github.com>
Copilot AI changed the title [WIP] [Security] Fix open redirect vulnerability in GitHub auth flow fix(auth): prevent open redirect via unvalidated post-login redirect URL Mar 18, 2026
Copilot AI requested a review from apalchys March 18, 2026 22:58
@AlreadyBored AlreadyBored marked this pull request as ready for review April 2, 2026 17:37
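The merged fix above accepts only relative paths, while the issue's remediation sketch also wants certain trusted absolute origins allowed. The block below is an added example, not code from this PR or from rsschool-app, that combines the two: it keeps the PR's decode-then-check shape, but resolves the decoded value with the WHATWG URL parser and compares the parsed origin against the app origin and an explicit allow-list, so a same-origin check cannot be satisfied by a string prefix such as `https://rs.school.example`. `RedirectPolicy`, `safeRedirectTarget`, `originOf` and the `https://app.example` / `https://docs.example` origins are assumptions made for the example.

```typescript
// Added example, not code from the PR or from rsschool-app: a stricter
// version of the post-login redirect check. The app origin and the
// allow-listed origin used below are constructed sample values.

interface RedirectPolicy {
  /** Origin the app is served from (sample value used below). */
  appOrigin: string;
  /** Other absolute origins allowed to receive a post-login redirect. */
  allowedOrigins?: string[];
}

const FALLBACK_PATH = '/';

/** Canonical origin of an absolute URL string, or null if it does not parse. */
function originOf(value: string): string | null {
  try {
    return new URL(value).origin;
  } catch {
    return null;
  }
}

/**
 * Returns a safe Location value for the post-login redirect, or '/' when the
 * stored value cannot be trusted.
 *  - relative paths ('/course/1') are accepted and re-serialised from the
 *    parsed URL, so the result never carries a host;
 *  - absolute URLs are accepted only when their parsed origin is exactly the
 *    app origin or one of the allow-listed origins (origin equality, not a
 *    string prefix);
 *  - everything else, including malformed percent-encoding, falls back to '/'.
 */
function safeRedirectTarget(raw: string | undefined, policy: RedirectPolicy): string {
  if (!raw) return FALLBACK_PATH;

  let decoded: string;
  try {
    decoded = decodeURIComponent(raw);
  } catch {
    return FALLBACK_PATH; // malformed percent-encoding, e.g. a dangling '%A'
  }

  const appOrigin = originOf(policy.appOrigin);
  if (appOrigin === null) return FALLBACK_PATH;

  // Let the WHATWG parser decide where a browser would actually navigate:
  // '//host' resolved against appOrigin yields a different origin.
  let parsed: URL;
  try {
    parsed = new URL(decoded, appOrigin);
  } catch {
    return FALLBACK_PATH;
  }
  if (parsed.protocol !== 'https:' && parsed.protocol !== 'http:') return FALLBACK_PATH;

  // Relative path: must still be same-origin after parsing; return it as a path.
  if (decoded.startsWith('/')) {
    if (parsed.origin !== appOrigin) return FALLBACK_PATH;
    return parsed.pathname + parsed.search + parsed.hash;
  }

  // Absolute URL: the parsed origin must equal the app or an allow-listed origin.
  const allowed = new Set<string>([appOrigin]);
  for (const o of policy.allowedOrigins ?? []) {
    const origin = originOf(o);
    if (origin !== null) allowed.add(origin);
  }
  return allowed.has(parsed.origin) ? parsed.href : FALLBACK_PATH;
}

// Constructed sample policy and inputs (not taken from the project).
const samplePolicy: RedirectPolicy = {
  appOrigin: 'https://app.example',
  allowedOrigins: ['https://docs.example'],
};

const sampleInputs: Array<string | undefined> = [
  undefined,
  '/course/1',
  '%2Fcourse%2F1%3Ftab%3Dtasks',
  'https://evil.example',
  '//evil.example',
  '%2F%2Fevil.example',
  '%E0%A4%A',
  'https://app.example/profile',
  'https://docs.example/start',
  'https://docs.example.evil.example/start',
];

for (const input of sampleInputs) {
  console.log(JSON.stringify(input), '->', safeRedirectTarget(input, samplePolicy));
}
```

Returning `parsed.pathname + parsed.search + parsed.hash` for the relative case means the Location header is rebuilt from the parsed components rather than echoing the stored string, and the origin comparison is what makes the allow-list safe: `startsWith('https://rs.school')` would also accept a host that merely begins with those characters, whereas `new URL(...).origin` equality does not.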

Development

Successfully merging this pull request may close these issues.

[Security] Open Redirect Vulnerability in GitHub Auth Flow (github.strategy.ts)

3 participants