Merge pull request #161 from zextras/version-bumper/v0.9.36-1

Version bumper/v0.9.36 1

Author: keshavbhatt

CHANGELOG.md

@@ -2,6 +2,22 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+### [0.9.36](https://github.com/zextras/carbonio-login-ui/compare/v0.9.35...v0.9.36) (2026-03-31)
+
+
+### Bug Fixes
+
+* **CO-3425:** use publicUrl instead of adminConsolePublicUrl for login redirect [#160](https://github.com/zextras/carbonio-login-ui/issues/160) ([cf0ddf2](https://github.com/zextras/carbonio-login-ui/commit/cf0ddf2f9ccadd30146e0b020ca6864206f09b7d))
+* use publicUrl instead of adminConsolePublicUrl for login redirect ([8ee1d0f](https://github.com/zextras/carbonio-login-ui/commit/8ee1d0f02100af126febe6c075fd0d2d66967a29))
+
+### [0.9.35](https://github.com/zextras/carbonio-login-ui/compare/v0.9.34...v0.9.35) (2026-03-27)
+
+
+### Bug Fixes
+
+* ensure safe redirect URLs in login flow ([b3ce671](https://github.com/zextras/carbonio-login-ui/commit/b3ce671c1a29af845a8867f811aaf0f39c0fa3f3))
+* improve isSafeRedirect function logic ([2bc87f6](https://github.com/zextras/carbonio-login-ui/commit/2bc87f63338a3635027d839bb6bb3091460808f5))
+
 ### [0.9.34](https://github.com/zextras/carbonio-login-ui/compare/v0.9.33...v0.9.34) (2026-02-27)
 
 

package-lock.json

@@ -1,6 +1,6 @@
 {
 	"name": "carbonio-login-ui",
-	"version": "0.9.34",
+	"version": "0.9.36",
 	"description": "Zextras authentication App",
 	"main": "src/index.html",
 	"scripts": {

package.json

@@ -48,7 +48,7 @@ import { useGetPrimaryColor } from '../primary-color/use-get-primary-color';
 import { getLoginConfig } from '../services/login-page-services';
 import { useLoginConfigStore } from '../store/login/store';
 import { ThemeCallbacksContext } from '../theme-provider/theme-provider';
-import { prepareUrlForForward } from '../utils';
+import { isSafeRedirect, prepareUrlForForward } from '../utils';
 
 type LoginContainerProps = {
 	backgroundImage: string;
@@ -118,6 +118,11 @@ function DarkReaderListener(): React.JSX.Element | null {
 	return null;
 }
 
+const getSafeRedirectUrl = (url: string | null): string | null => {
+	if (url === null) return null;
+	return isSafeRedirect(url) ? prepareUrlForForward(url) : '/';
+};
+
 export default function PageLayout({
 	version,
 	isAdvanced
@@ -136,9 +141,8 @@ export default function PageLayout({
 	const [serverError, setServerError] = useState(false);
 
 	const urlParams = new URLSearchParams(window.location.search);
-	const [destinationUrl, setDestinationUrl] = useState(
-		prepareUrlForForward(urlParams.get('destinationUrl'))
-	);
+	const safeRedirectUrl = getSafeRedirectUrl(urlParams.get('destinationUrl'));
+	const [destinationUrl, setDestinationUrl] = useState(safeRedirectUrl);
 	const [domain, setDomain] = useState(urlParams.get('domain') ?? destinationUrl);
 
 	const [bg, setBg] = useState(backgroundImage);
@@ -168,7 +172,11 @@ export default function PageLayout({
 		if (isAdvanced) {
 			getLoginConfig(version, domain, domain)
 				.then((res) => {
-					if (!destinationUrl) setDestinationUrl(prepareUrlForForward(res.publicUrl));
+					if (!destinationUrl) {
+						const targetUrl = prepareUrlForForward(res.publicUrl);
+						const safeDestinationUrl = isSafeRedirect(targetUrl) ? targetUrl : '/';
+						setDestinationUrl(safeDestinationUrl);
+					}
 					if (!domain) setDomain(res.zimbraDomainName);
 					setDomainName(res.zimbraDomainName);
 

src/components-v1/page-layout.tsx

@@ -0,0 +1,72 @@
+/*
+ * SPDX-FileCopyrightText: 2026 Zextras <https://www.zextras.com>
+ *
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+/* eslint-disable no-script-url */
+
+import { isSafeRedirect } from '../utils';
+
+const ORIGIN = 'https://mail.example.com';
+
+describe('isSafeRedirect', () => {
+	const originalLocation = window.location;
+
+	beforeEach(() => {
+		Object.defineProperty(window, 'location', {
+			writable: true,
+			value: { ...originalLocation, origin: ORIGIN }
+		});
+	});
+
+	afterEach(() => {
+		Object.defineProperty(window, 'location', {
+			writable: true,
+			value: originalLocation
+		});
+	});
+
+	describe('should allow safe URLs', () => {
+		it.each([
+			['/', 'root path'],
+			['/inbox', 'simple relative path'],
+			['/mail/inbox?page=1', 'relative path with query string'],
+			['/settings#account', 'relative path with fragment'],
+			[`${ORIGIN}/inbox`, 'absolute same-origin URL'],
+			[`${ORIGIN}/mail/inbox?page=1&sort=date`, 'absolute same-origin with query params'],
+			['relative-path', 'plain relative segment'],
+			['', 'empty string'],
+			['https://saml-validation.com', 'https external domain'],
+			['http://saml-validation.com', 'http external domain'],
+			['http://mail.example.com/inbox', 'same host but different scheme (http vs https)']
+		])('%s (%s)', (url) => {
+			expect(isSafeRedirect(url)).toBe(true);
+		});
+	});
+
+	describe('should block dangerous URLs', () => {
+		it.each([
+			['javascript:alert(document.cookie)', 'javascript: scheme'],
+			['javascript:void(0)', 'javascript:void'],
+			['javascript:eval(alert(1))', 'javascript:eval'],
+			['data:text/html,<script>alert(1)</script>', 'data: URI with script'],
+			['data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==', 'data: URI base64 encoded'],
+			['vbscript:msgbox("xss")', 'vbscript: scheme'],
+			['blob:https://evil.com/some-id', 'blob: URI'],
+			['ftp://files.example.com/secret', 'ftp: scheme']
+		])('%s (%s)', (url) => {
+			expect(isSafeRedirect(url)).toBe(false);
+		});
+	});
+
+	describe('edge cases', () => {
+		it('should block falsy values', () => {
+			expect(isSafeRedirect(null)).toBe(false);
+		});
+
+		it('should handle backslash-based bypass attempts', () => {
+			const result = isSafeRedirect('\\\\evil.com');
+			expect(result).toBe(false);
+		});
+	});
+});

src/tests/utils.test.js

@@ -120,3 +120,15 @@ export const setCookie = (cName, cValue, expDays) => {
 		expDays && Number.isInteger(expDays) ? `expires=${date.toUTCString()}` : undefined;
 	document.cookie = `${cName}=${cValue}; ${expires || ''}; path=/`;
 };
+
+export const isSafeRedirect = (url) => {
+	if (typeof url !== 'string') return false;
+	try {
+		// eslint-disable-next-line no-undef
+		const parsed = new URL(url, globalThis.location.origin);
+		if (/[\\]/.test(url)) return false;
+		return ['http:', 'https:'].includes(parsed.protocol);
+	} catch {
+		return false;
+	}
+};