Merge branch 'main' into 3062-create-an-edit-modal

app/config.py

@@ -79,7 +79,7 @@ class Config(object):
     NOTIFY_SERVICE_ID = "d6aa2c68-a2d9-4437-ab19-3ae8eb202553"
 
     ORGANIZATION_DASHBOARD_ENABLED = (
-        getenv("ORGANIZATION_DASHBOARD_ENABLED", "False") == "True"
+        getenv("ORGANIZATION_DASHBOARD_ENABLED", "false").lower() == "true"
     )
 
     NOTIFY_BILLING_DETAILS = json.loads(getenv("NOTIFY_BILLING_DETAILS") or "null") or {
@@ -115,7 +115,7 @@ class Development(Config):
 
     # Feature Flags
     ORGANIZATION_DASHBOARD_ENABLED = (
-        getenv("ORGANIZATION_DASHBOARD_ENABLED", "True") == "True"
+        getenv("ORGANIZATION_DASHBOARD_ENABLED", "true").lower() == "true"
     )
 
     # Buckets

app/main/views/sign_in.py

@@ -2,7 +2,7 @@ import os
 import secrets
 import time
 import uuid
-from urllib.parse import unquote
+from urllib.parse import unquote, urlparse
 
 import jwt
 import requests
@@ -24,7 +24,7 @@ from app.main.views.index import error
 from app.main.views.verify import activate_user
 from app.models.user import User
 from app.utils import hide_from_search_engines
-from app.utils.login import get_id_token, is_safe_redirect_url
+from app.utils.login import get_id_token
 
 # from app.utils.time import is_less_than_days_ago
 from app.utils.user import is_gov_user
@@ -179,8 +179,12 @@ def _handle_e2e_tests(redirect_url):  # pragma: no cover
         activate_user(user["id"])
 
         # Check if the redirect URL is present and safe before proceeding further
-        if redirect_url and is_safe_redirect_url(redirect_url):
-            return redirect(redirect_url)
+        # Defensive: sanitize backslashes, check for absolute URLs
+        if redirect_url:
+            cleaned_redirect_url = redirect_url.replace("\\", "")
+            parts = urlparse(cleaned_redirect_url)
+            if not parts.netloc and not parts.scheme:
+                return redirect(cleaned_redirect_url)
 
         return redirect(
             url_for(
@@ -215,8 +219,12 @@ def sign_in():  # pragma: no cover
         return email_verify_template
 
     if current_user and current_user.is_authenticated:
-        if redirect_url and is_safe_redirect_url(redirect_url):
-            return redirect(redirect_url)
+        if redirect_url:
+            # Defensive: sanitize backslashes, check for absolute URLs
+            cleaned_redirect_url = redirect_url.replace("\\", "")
+            parts = urlparse(cleaned_redirect_url)
+            if not parts.netloc and not parts.scheme:
+                return redirect(cleaned_redirect_url)
         return redirect(url_for("main.show_accounts_or_dashboard"))
 
     ttl = 24 * 60 * 60

deploy-config/production.yml

@@ -8,4 +8,4 @@ redis_enabled: 1
 nr_agent_id: '1050708682'
 nr_app_id: '1050708682'
 API_PUBLIC_URL: https://notify-api-production.app.cloud.gov
-ORGANIZATION_DASHBOARD_ENABLED: False
+ORGANIZATION_DASHBOARD_ENABLED: false

deploy-config/staging.yml

@@ -8,4 +8,4 @@ redis_enabled: 1
 nr_agent_id: '1134291385'
 nr_app_id: '1031640326'
 API_PUBLIC_URL: https://notify-api-staging.app.cloud.gov
-ORGANIZATION_DASHBOARD_ENABLED: True
+ORGANIZATION_DASHBOARD_ENABLED: true

poetry.lock

@@ -4025,14 +4025,14 @@ zstd = ["zstandard (>=0.18.0)"]
 
 [[package]]
 name = "virtualenv"
-version = "20.35.3"
+version = "20.35.4"
 description = "Virtual Python Environment builder"
 optional = false
 python-versions = ">=3.8"
 groups = ["main", "dev"]
 files = [
-    {file = "virtualenv-20.35.3-py3-none-any.whl", hash = "sha256:63d106565078d8c8d0b206d48080f938a8b25361e19432d2c9db40d2899c810a"},
-    {file = "virtualenv-20.35.3.tar.gz", hash = "sha256:4f1a845d131133bdff10590489610c98c168ff99dc75d6c96853801f7f67af44"},
+    {file = "virtualenv-20.35.4-py3-none-any.whl", hash = "sha256:c21c9cede36c9753eeade68ba7d523529f228a403463376cf821eaae2b650f1b"},
+    {file = "virtualenv-20.35.4.tar.gz", hash = "sha256:643d3914d73d3eeb0c552cbb12d7e82adf0e504dbf86a3182f8771a153a1971c"},
 ]
 
 [package.dependencies]