Merge branch 'main' into 3062-create-an-edit-modal

2025-12-11 07:33:36 -05:00 · 2025-10-30 14:59:09 -07:00
parent 87e932dc52 3a3458e184
commit fca008eba3
5 changed files with 21 additions and 13 deletions
--- a/app/config.py
+++ b/app/config.py
@@ -79,7 +79,7 @@ class Config(object):
    NOTIFY_SERVICE_ID = "d6aa2c68-a2d9-4437-ab19-3ae8eb202553"

    ORGANIZATION_DASHBOARD_ENABLED = (
-        getenv("ORGANIZATION_DASHBOARD_ENABLED", "False") == "True"
+        getenv("ORGANIZATION_DASHBOARD_ENABLED", "false").lower() == "true"
    )

    NOTIFY_BILLING_DETAILS = json.loads(getenv("NOTIFY_BILLING_DETAILS") or "null") or {
@@ -115,7 +115,7 @@ class Development(Config):

    # Feature Flags
    ORGANIZATION_DASHBOARD_ENABLED = (
-        getenv("ORGANIZATION_DASHBOARD_ENABLED", "True") == "True"
+        getenv("ORGANIZATION_DASHBOARD_ENABLED", "true").lower() == "true"
    )

    # Buckets
--- a/app/main/views/sign_in.py
+++ b/app/main/views/sign_in.py
@@ -2,7 +2,7 @@ import os
 import secrets
 import time
 import uuid
-from urllib.parse import unquote
+from urllib.parse import unquote, urlparse

 import jwt
 import requests
@@ -24,7 +24,7 @@ from app.main.views.index import error
 from app.main.views.verify import activate_user
 from app.models.user import User
 from app.utils import hide_from_search_engines
-from app.utils.login import get_id_token, is_safe_redirect_url
+from app.utils.login import get_id_token

 # from app.utils.time import is_less_than_days_ago
 from app.utils.user import is_gov_user
@@ -179,8 +179,12 @@ def _handle_e2e_tests(redirect_url):  # pragma: no cover
        activate_user(user["id"])

        # Check if the redirect URL is present and safe before proceeding further
-        if redirect_url and is_safe_redirect_url(redirect_url):
-            return redirect(redirect_url)
+        # Defensive: sanitize backslashes, check for absolute URLs
+        if redirect_url:
+            cleaned_redirect_url = redirect_url.replace("\\", "")
+            parts = urlparse(cleaned_redirect_url)
+            if not parts.netloc and not parts.scheme:
+                return redirect(cleaned_redirect_url)

        return redirect(
            url_for(
@@ -215,8 +219,12 @@ def sign_in():  # pragma: no cover
        return email_verify_template

    if current_user and current_user.is_authenticated:
-        if redirect_url and is_safe_redirect_url(redirect_url):
-            return redirect(redirect_url)
+        if redirect_url:
+            # Defensive: sanitize backslashes, check for absolute URLs
+            cleaned_redirect_url = redirect_url.replace("\\", "")
+            parts = urlparse(cleaned_redirect_url)
+            if not parts.netloc and not parts.scheme:
+                return redirect(cleaned_redirect_url)
        return redirect(url_for("main.show_accounts_or_dashboard"))

    ttl = 24 * 60 * 60