bugfix: relax `next` verification

AUR renders its own 404 Not Found page when a bad route is encountered. Introducing the previous verification caused an error in this case when setting a language while viewing the Not Found page. So, instead of checking through routes, just make sure that the next parameter starts with a '/' character, which removes the possibility of any cross attacks. + Removed aurweb.asgi.routes; no longer needed. Signed-off-by: Kevin Morris <kevr@0cost.org>

bugfix: relax `next` verification
AUR renders its own 404 Not Found page when a bad route is encountered. Introducing the previous verification caused an error in this case when setting a language while viewing the Not Found page. So, instead of checking through routes, just make sure that the next parameter starts with a '/' character, which removes the possibility of any cross attacks. + Removed aurweb.asgi.routes; no longer needed. Signed-off-by: Kevin Morris <kevr@0cost.org>
c5fcf685 · Kevin Morris · f759b68d · c5fcf685 · c5fcf685 · c5fcf685
Commit c5fcf685 authored May 24, 2021 by Kevin Morris
--- a/aurweb/asgi.py
+++ b/aurweb/asgi.py
@@ -12,8 +12,6 @@ from aurweb.auth import BasicAuthBackend
 from aurweb.db import get_engine
 from aurweb.routers import accounts, auth, errors, html, sso

-routes = set()
-
 # Setup the FastAPI app.
 app = FastAPI(exception_handlers=errors.exceptions)

@@ -47,13 +45,6 @@ async def app_startup():
    # Initialize the database engine and ORM.
    get_engine()

-# NOTE: Always keep this dictionary updated with all routes
-# that the application contains. We use this to check for
-# parameter value verification.
-routes = {route.path for route in app.routes}
-routes.update({route.path for route in sso.router.routes})
-routes.update({route.path for route in html.router.routes})
-

 @app.exception_handler(HTTPException)
 async def http_exception_handler(request, exc):

--- a/aurweb/routers/html.py
+++ b/aurweb/routers/html.py
@@ -32,11 +32,9 @@ async def language(request: Request,
    parameters across the redirect.
    """
    from aurweb.db import session
-    from aurweb.asgi import routes
-    if unquote(next) not in routes:
-        return HTMLResponse(
-            b"Invalid 'next' parameter.",
-            status_code=400)
+
+    if next[0] != '/':
+        return HTMLResponse(b"Invalid 'next' parameter.", status_code=400)

    query_string = "?" + q if q else str()


--- a/test/test_routes.py
+++ b/test/test_routes.py
@@ -61,7 +61,7 @@ def test_language_invalid_next():
    """ Test an invalid next route at '/language'. """
    post_data = {
        "set_lang": "de",
-        "next": "/BLAHBLAHFAKE"
+        "next": "https://evil.net"
    }
    with client as req:
        response = req.post("/language", data=post_data)