
Validate and Sanitize backToUrl in self-registration-username-request.jsp #7250

Merged
merged 2 commits into from
Jan 3, 2025

KD23243 (Contributor) commented Jan 3, 2025

Purpose

This pull request includes changes to the self-registration-username-request.jsp file in the identity-apps-core/apps/recovery-portal/src/main/webapp directory. The changes primarily focus on improving security and error handling for callback URLs.

Improvements to security and error handling:

  • Sanitization: Added proper sanitization to the query parameter in the "Sign in" button.
  • Callback URL Validation: The backToUrl parameter is now validated using Utils.validateCallbackURL and is checked against a configured callback regex.
  • Error Handling: Incorporated a try-catch block to handle invalid URLs. If the URL is invalid, the system now redirects to error.jsp with a corresponding error message.
  • HTML Escaping: The href attribute for the "Sign in" button has been updated to escape HTML characters in the backToUrl parameter using StringEscapeUtils.escapeHtml4.

Checklist

  • e2e cypress tests locally verified. (for internal contributors)
  • Manual test round performed and verified.
  • UX/UI review done on the final implementation.
  • Documentation provided. (Add links if there are any)
  • Relevant backend changes deployed and verified
  • Unit tests provided. (Add links if there are any)
  • Integration tests provided. (Add links if there are any)

Security checks
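The four changes listed above (validate the callback against a configured regex, fall back to an error page when it fails, HTML-escape the value before it lands in an href) are a standard open-redirect and attribute-injection defense. The following is an added, self-contained example in plain Java that models that flow; it is not code from this PR or from identity-apps-core. `validateCallbackUrl` stands in for the project's `Utils.validateCallbackURL`, whose signature is not shown on this page; `CALLBACK_REGEX`, `ERROR_PAGE` and the sample inputs are constructed for the example; `escapeHtml` is a bare-JDK stand-in for `StringEscapeUtils.escapeHtml4` so nothing beyond the JDK is needed.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.regex.Pattern;

/**
 * Added example, not the project's code. Models the backToUrl handling described in the PR:
 * validate against a configured allowlist regex, redirect to an error page on failure,
 * and HTML-escape the value before it is written into the "Sign in" link's href.
 */
public class BackToUrlGuard {

    /** Constructed stand-in for the "configured callback regex"; anchored and full-match. */
    static final Pattern CALLBACK_REGEX =
            Pattern.compile("^https://(accounts|myaccount)\\.example\\.com(/.*)?$");

    /** Assumed error page target (the PR only says it redirects to error.jsp). */
    static final String ERROR_PAGE = "error.jsp?error=invalid.callback";

    /** Stand-in for Utils.validateCallbackURL: must parse as a URI and match the whole regex. */
    static boolean validateCallbackUrl(String url) {
        if (url == null || url.isEmpty()) {
            return false;
        }
        try {
            new URI(url); // reject syntactically invalid input (quotes, spaces, ...) up front
        } catch (URISyntaxException e) {
            return false;
        }
        // matches() requires the entire string to match; find() would let an attacker
        // embed an allowed host inside a query string of a foreign URL.
        return CALLBACK_REGEX.matcher(url).matches();
    }

    /**
     * Stand-in for StringEscapeUtils.escapeHtml4: escapes & < > and double quote.
     * escapeHtml4 leaves the apostrophe alone, so the attribute must be double-quoted.
     */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Value to place in href="...": the escaped backToUrl if it validates, otherwise the
     * error page (mirrors the try/catch plus redirect the PR describes).
     */
    static String signInHref(String backToUrl) {
        if (!validateCallbackUrl(backToUrl)) {
            return ERROR_PAGE;
        }
        return escapeHtml(backToUrl);
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one allowed value, then typical values a validator must reject.
        String[] samples = {
            "https://myaccount.example.com/login?x=1&y=2",  // allowed; '&' is escaped for the attribute
            "https://evil.example.net/phish",                // host not on the allowlist
            "javascript:alert(1)",                           // non-https scheme
            "//evil.example.net",                            // scheme-relative URL
            "https://evil.example.net/?u=https://myaccount.example.com", // allowed host only as a substring
            "https://myaccount.example.com\" onclick=\"x()"  // attribute breakout attempt, fails URI parse
        };
        for (String s : samples) {
            System.out.println(s + " -> " + signInHref(s));
        }
    }
}
```

Two details worth checking in the real change: the configured regex should be anchored and evaluated as a full match (as `matches()` does here), and the escaping must happen after validation and as the last step before the value is written into the attribute, so the regex sees the raw URL and the browser sees only the escaped form.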

piraveena previously approved these changes Jan 3, 2025

codecov bot commented Jan 3, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 32.32%. Comparing base (de6e955) to head (79a63a6).
Report is 29 commits behind head on master.

Additional details and impacted files
@@           Coverage Diff           @@
##           master    #7250   +/-   ##
=======================================
  Coverage   32.32%   32.32%           
=======================================
  Files          42       42           
  Lines         897      897           
  Branches      204      204           
=======================================
  Hits          290      290           
  Misses        607      607           
Flag           Coverage Δ
@wso2is/core   32.32% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

wso2-jenkins-bot (Contributor) commented
🦋 Changeset detected

The changes in this PR will be included in the next version bump.

Not sure what this means? Click here to learn what changesets are.
