Prevent XSS in the Actionable Exceptions middleware

[CVE-2020-8264]
xnzac · Oct 7, 2020 · ddcca86 · ddcca86
1 parent 91d1e81
commit ddcca86
Showing 1 changed file with 8 additions and 1 deletion.
diff --git a/actionpack/lib/action_dispatch/middleware/actionable_exceptions.rb b/actionpack/lib/action_dispatch/middleware/actionable_exceptions.rb
@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require "erb"
+require "uri"
 require "action_dispatch/http/request"
 require "active_support/actionable_error"
 
@@ -27,7 +28,13 @@ def actionable_request?(request)
       end
 
       def redirect_to(location)
-        body = "<html><body>You are being <a href=\"#{ERB::Util.unwrapped_html_escape(location)}\">redirected</a>.</body></html>"
+        uri = URI.parse location
+
+        if uri.relative? || uri.scheme == "http" || uri.scheme == "https"
+          body = "<html><body>You are being <a href=\"#{ERB::Util.unwrapped_html_escape(location)}\">redirected</a>.</body></html>"
+        else
+          return [400, {"Content-Type" => "text/plain"}, ["Invalid redirection URI"]]
+        end
 
         [302, {
           "Content-Type" => "text/html; charset=#{Response.default_charset}",